Over the last few years, UPMC Insurance Services has integrated most of its GRC functions during a historic period of dynamism and regulation in the healthcare industry. UPMC’s K.C. Turan spoke with Ethisphere about the opportunities and challenges presented by this initiative.

Ethisphere Magazine: You’ve recently integrated your GRC functions. Tell us about the rationale, process, and results.

K.C. Turan: We’ve integrated our governance, risk, and compliance (GRC) functions into a more holistic framework. This includes our Corporate Compliance, Ethics, Enterprise Risk Management, Privacy, Fraud, Quality Assurance, Data Governance, and various product-specific compliance functions (e.g., Medicare, Medicaid, Exchange, workers’ comp, etc.), each of which has its own compliance team.

The rationale was to facilitate greater coordination and synchronization across the various GRC functions. The more effective and efficient we can be, the better positioned we are to support and facilitate the growth and success of the business. The more anticipatory we can be in partnering with the business, the more effectively we can meet their unique and growing needs.

As for the process, there were certain functions that were already centralized, to which we transitioned additional programs that initially sat elsewhere and added certain newly developed functions. Our Board and senior management were highly supportive, as they recognized the value in having these important functions be optimally positioned to better support our highly diversified, regulated, and growing business.

The results have been highly successful. Through our integrated GRC framework, we’re able to leverage the inherent synergy and efficiencies that exist across the GRC functions to be much more effective and synchronized in supporting the business. Our GRC cross-departmental strategic planning, risk assessments, communications, information sharing, budget planning, investigations, project management, metrics capture, and reporting are all more robust because of our integrated structure. This, in turn, positions us to more effectively support the business and its tremendous growth.

EM: What are the more challenging aspects of healthcare, compliance, and risk management? How do you balance healthcare’s rapid innovation with the need to meet so many requirements and ensure ethical conduct?

KCT: We’re operating in a highly scrutinized regulatory environment, seemingly much more so than prior years. This environment basically applies to every industry, but there’s no doubt that the regulated verticals, such as healthcare, are operating in a regulatory environment that’s even more magnified.

As a direct by-product of ongoing healthcare reform, the healthcare space is more dynamic and innovative than it’s ever been. This is extremely exciting and compelling, but it also presents its own set of challenging variables. In addition to a significant amount of uncertainty, healthcare is experiencing both vertical and horizontal integration, disintermediation, a continuing shift to a value-based model focused on population health management, increasing consumerism, the disruption of the individual and family plan market, a great deal of consolidation and M&A activity, myriad prospective and new regulatory requirements, and tremendous technological innovation, among other developments. Healthcare companies need to adjust to the new paradigm and be much more agile and nimble. As the organizational GRC function, we need to likewise adapt and support the business through this change.

We don’t view healthcare’s rapid change and innovation as impediments to meeting our regulatory requirements or ensuring we do right by our various stakeholders. Our North Star has always been our organizational values and principles, which collectively serve as the foundation of our Mission-based integrity capital. Healthcare’s macro industry dynamics, regulations, and technology may evolve, but our principles-based corporate ethics and cornerstone of “doing the right thing” remain unequivocally anchored to our core values. In fact, the need to adhere to and live our values becomes even more prominent in times of great change and uncertainty, as they provide a manifest clarity and continuity.

Lastly, our GRC functions need to keep up with the high speed of business and our compelling growth. While we’re clearly a governance function, we’re also here to partner with, facilitate, and support the business in its continual efforts to scale. It’s our business teams’ jobs to be as innovative and entrepreneurial as possible in better serving our members, and it’s our job to effectively anticipate and support them at every step, while ensuring we do things the right way.

EM: How do you think GRC will evolve as a new generation enters the workforce?

KCT: The constitution of the workforce is clearly changing as Millennials now comprise the plurality of professionals and as Gen Z’ers increasingly enter the arena. While it’s a little dangerous to paint an entire generation with a broad brush, there are clearly certain differences from one generation to the next. Generally speaking, and relative to prior generations, Millennials and Gen Z are highly digital and technology savvy, have access to great amounts of information, prefer working in teams, enjoy immediate processing and results, seek out more open and flexible working environments, and appear to be motivated by a more personal and emotional connection to their work, their company, and the company’s values. As a result, GRC functions need to make sure we’re successfully accommodating these social drivers to have truly effective and sustainable GRC programs that resonate and “stick.” For example, we’ll need to develop more mobile, interactive, and engaging codes of conduct, policy delivery mechanisms, training programs, and communications initiatives. What’s considered to be “robust” and “effective” now likely won’t be in the near future.

EM: What are lessons you’ve learned over the course of your career that you’d like to share with fellow GRC professionals?

KCT: The “how” (i.e., how we do things) is just as important as the “what” (i.e., what we do). It’s important for one to be a subject matter expert in their given area, but building the necessary partnerships, consensus, and coalitions with the business and other stakeholders is equally important, and sometimes even more so. One isn’t going to be very effective if they narrowly view their role as an internal cop. Risk and Compliance clearly have a “governance” role to play, but you need to execute it by way of adding value and being strategy- and business-centric. We need to strike the optimal balance between making sure we’re satisfying applicable legal and regulatory requirements on the one hand, and running a healthy, viable business on the other. In this vein, I always emphasize the importance of building the necessary partnerships and relationships with the business and our stakeholders.

You also want to make sure your GRC programs are right-sized, fit-for-purpose, and optimally customized to your company, industry, business model, strategic priorities, and culture. There is no prescriptive, one-size-fits-all set of GRC programs that you pull off the shelf and plug into any given company. Every organization is unique, and business models and strategic priorities may shift and change, causing the GRC functional framework and priorities to likewise adjust. You need to be mindfully plugged into the “rhythm of the business” to ensure you’re adding value.

Lastly, we need to vigilantly foster a culture of “performance with integrity” as the cornerstone value. The CEO and executive leadership need to be singularly dedicated to creating and sustaining a uniform “performance with integrity” culture throughout the organization. Organizations should alchemize the fusion of high performance with high integrity and sound risk management, wherein the integrity capital and values-based ideals are woven into the fabric of the company and its daily operations. The “tone at the top” is clearly important, but the “tone in the middle” is equally significant. Truly effective and sustainable GRC programs need to foster and be mindful of both.

EM: Any final words or tips you’d like to impart?

KCT: We don’t know what we don’t know, and this is particularly true of healthcare, which is undergoing tremendous disruption. This obviously has potentially significant GRC implications, but the substantive challenges are also what make for the compelling opportunities, which we’ll hopefully have the chance to contemporaneously define. It’s critically important to be business-minded, as the business is one of our primary stakeholders and this ultimately better serves our customers. It’s important to be a nimble all-around athlete, as you could touch upon any given issue or area of the organization in any given day. It’s important to remain vigilant, always being mindful of what’s around the corner. Lastly, and perhaps most importantly, it’s important to maintain a balanced and nuanced perspective.

About the Expert:

K.C. Turan is the SVP and Chief Risk, Compliance, and Ethics Officer of UPMC Insurance Services, where he leads the organization’s corporate compliance, ethics, ERM, privacy, fraud, quality assurance, third party compliance oversight, data governance, and various product-specific compliance programs across the enterprise. UPMC Insurance Services is part of the larger UPMC organization, which is an integrated healthcare delivery and finance system. UPMC Insurance Services is an integration of numerous partner companies that collectively offer a full range of health insurance products and services to roughly four million members, generating approximately $10 billion in annual revenue.