In late 2001, as Enron shares plummeted, my editor and publisher called to congratulate me on my performance as senior writer for this magazine. They were thrilled that I had not penned a gushing profile of Enron CFO Andy Fastow or highlighted WorldCom CFO Scott Sullivan's M&A prowess — which our primary competitor had done.
I quickly changed the subject. Had a few more PR departments returned my calls, my editor would have been answering the same embarrassing grilling from USA Today (“Why on Earth did you recognize Fastow as a top CFO!”) that her counterpart at CFO had endured.
Today, I feel more — but not completely — confident in my ability to separate the wheat from the chaff when uncovering governance, risk management, and compliance (GRC) processes that genuinely move the needle. Although my technique is not fail-safe, I look for the following characteristics as signs that GRC capabilities are worth profiling:
GRC geeks: Almost every GRC case study I've written features an individual at the heart of the effort who gets his ya-yas from delving into the intricacies of risk management. These folks are often finance-IT polymaths who cut their hybrid teeth on sprawling ERP implementation projects. John Verburgt, now the director of compliance at the Chicago Mercantile Exchange, was delighted by the challenges that Sarbanes-Oxley compliance posed. “It's a big task,” he gushed, sounding like a physics professor (or an advanced Dungeon Master). “How do you get the CEO and CFO in front of all the employees so that they can ask for the current status of their controls?” One way that Verburgt devised was an innovative evaluation of “interpretation risk,” which seeks to answer a crucial question: How do I know that the business people documenting their process are doing so accurately?
Connectors: When subjects identify “executive buy-in” as a key to their GRC success, I roll my eyes. Tone at the top, by now, is a given. What's more important is the so-called “mushy middle”: How do you get the people in the trenches — those sandwiched by the often-opposing needs to generate growth and manage risks — to behave in accordance with high-level GRC principles? Companies that succeed seem to possess what Tipping Point author Malcolm Gladwell describes as “connectors” — individuals such as Jim Brigham, Petco's vice president of internal audit, ethics and compliance, and asset protection. Upon joining the company, Brigham met with its top 50 executives to (first) listen to their needs and (second) identify how GRC supported those needs. By developing an enterprise network, GRC connectors influence trench behavior.
Cross-functional friction: GRC pretenders tend to talk in broad terms about the importance of cross-functional collaboration. GRC leaders tend to focus on the cross-functional battles that inevitably flare up during their efforts — and the hard-earned compromises that ultimately furthered the effort. Jason Lish, who manages application and data security for Honeywell International, admits that revoking the system access of employees frequently elicits cries of “No!” Rather than dictate the change, Lish works with his IT and business colleagues to redesign their processes so that stronger security does not limit their effectiveness.
Past suffering: A scared-straight dynamic can elevate run-of-the-mill GRC capabilities into best practices. SunTrust was one of the first companies to create an operational risk forum, and the bank's financial reporting risk management group is dedicated to ensuring that the bank's financial reporting processes are airtight. This risk overhaul began in earnest with an accounting error, which required SunTrust to restate earnings and led to the firing of two finance executives.
Again, these indicators are not foolproof. Last summer, I received a difficult call from my new editor, who questioned my mentioning a particular company's GRC approach in a cover feature. There were hints that the company's value was heading for a drop. Yet, the company appeared to possess all of the tangible elements of success.
However, I ultimately made the wrong call. It turns out that the company, Countrywide, was sorely lacking in the intangibles I've since learned to use to better manage the risks of selecting GRC case study subjects.