K.C. Turan has a holistic perspective through which he views compliance. And given his position in the challenging field of healthcare compliance, perspective is the coin of the realm.

Tell us a little about UPMC Insurance Services and Health Plan.

UPMC Insurance Services and Health Plan are part of the larger UPMC organization, which is an integrated healthcare delivery and finance system (i.e., both provider and payer). UPMC Insurance Services is an integration of a number of partner companies that collectively offer a full range of group health insurance, Medicare, Medicaid, Duals, FEHB, behavioral health, special needs, CHIP, employee assistance, and workers’ compensation products and services to roughly three million members, generating roughly $7 billion in annual revenue. Our recent organizational growth is extremely compelling, and we’re expecting continued impressive scale and geographic expansion in the coming years.

About K.C. Turan

Title: Senior Vice President, Chief Risk, Compliance & Ethics Officer, UPMC Insurance Services & Health Plan

Years of experience: 20+

Areas of expertise: Corporate governance, corporate compliance, enterprise risk management, corporate ethics, data privacy and cyber-security, corporate investigations, anti-corruption and anti-bribery, fraud, government programs contracting, insurance risk management, business continuity and disaster recovery

Quote: “Healthcare companies, and particularly health insurance companies, need to adjust to the new healthcare paradigm and need to be much more agile and nimble relative to the past. As the organizational GRC function, we need to likewise adapt and support the business through all of this.”

Tell me about your role and responsibilities for the organization.

I oversee and lead our cross-organizational corporate compliance; ethics; enterprise risk management (ERM); privacy; fraud, waste and abuse; and quality assurance and operational integrity programs. Through a combination of direct and indirect oversight, I also oversee our various business unit and partner company compliance programs within the divisional lines of business.

How are you working to build and enhance the organization’s compliance program?

Having somewhat recently joined the company, I’m in the process of taking stock of our solid foundation of various corporate governance, risk management and compliance (GRC) programs. The envisioned enhancements will likely occur on a few different levels.

First, we’ll work to more seamlessly integrate the various GRC functions, so that they operate in a more synchronized manner—essentially building out our current programs and processes to exhibit greater structure and coordination in their cross-organizational initiatives. This will allow us to better leverage the implicit synergies and efficiencies that exist between and across the various GRC functions as it relates to risk assessments, strategic planning, cross-departmental investigations, project management, and communication and information flows.

Second, we’ll revisit our structure, positioning, and processes in terms of being able to effectively and efficiently partner with the business and operational areas, whom we ultimately support. This will allow us to be more anticipatory in partnering with the business and effectively meeting their needs.

Lastly, we’ll revisit our board- and senior management-level reporting to make sure that our reports, updates, metrics, dashboards, and stakeholder interaction are optimally effective and streamlined. This last element is related to our larger corporate governance framework and our important role within it, including how we enhance and structure our relatively new enterprise risk management (ERM) program to be optimally additive within our corporate governance infrastructure.

What are some of the more challenging aspects of your job?

We’re presently operating in a highly scrutinized regulatory environment, seemingly much more so than in prior years. This environment basically applies to just about every industry, but there’s no doubt that the regulated verticals, such as healthcare, are operating in a regulatory environment that’s that much more magnified in terms of scrutiny.

More specific to our industry, and as a direct byproduct of healthcare reform, the healthcare space is more dynamic, innovative, and fast-paced than it’s been in decades, possibly ever. This is extremely exciting and compelling, but it also presents its own set of challenging variables with which to engage. Healthcare is experiencing both vertical and horizontal integration; disintermediation (e.g., the advent of both public and private exchanges); a continuing shift to a more value-based, capitated model; increasing consumerism and the growth of the individual and family plan health insurance market; a great deal of consolidation and M&A activity; and, of course, myriad new regulatory requirements, among other variables.

Healthcare companies, and particularly health insurance companies, need to adjust to the new healthcare paradigm and need to be much more agile and nimble relative to the past. As the organizational GRC function, we need to likewise adapt and support the business through all of this.

Lastly, and as a natural extension of the new healthcare dynamic within which we operate, we need to keep up with the high speed of business and our compelling growth and expansion. While we’re clearly a governance function, we’re also here to partner with, facilitate, and support the business in its continual efforts to grow and scale. It’s our business teams’ jobs to be as innovative, dynamic, and entrepreneurial as possible in better serving our members, and it’s our job to be as anticipatory as possible in keeping up with and supporting them at every step, while of course ensuring that we do things the right way.

What are the more rewarding aspects of being a compliance officer?

At a high level, that which makes it challenging is what also makes it so rewarding. There’s literally nothing typical about any given day, and I get to touch and interact with every corner and moving part of our organization, learning a great deal in the process. The business relies on us in myriad ways, and this is both humbling and extremely fulfilling. We have to be knowledgeable, agile, nimble, precise, customer service-oriented, and business-minded, and we get to work in an extremely innovative, dynamic, and entrepreneurial environment. In short, the highly compelling and challenging nature of our work is what makes it so professionally gratifying. We also truly live by our mission of providing quality, choice, access, service, and value to our members, and this is likewise highly personally rewarding.

What do you think tomorrow’s greatest challenges and opportunities will be for ethics and compliance professionals?

Some of the more compelling challenges are the increasingly demanding nature of regulatory and public scrutiny, which I don’t believe will diminish; the dynamic and singular force of new technology and the various issues this presents (e.g., ongoing balance between convenience and privacy and security); and the changing constitution of the workforce, particularly as more Millennials enter the professional ranks.

While we discuss these elements as challenges, it’s important to note that none of these are bad or negative developments. They’re simply reality and developing facts, and our GRC programs need to effectively and efficiently adapt to the new paradigm. In this vein, I personally view the challenges and the opportunities to be the one and the same. These developments will simply require GRC programs to be even more creative, responsive, customized, and mobile in design, development, implementation, and execution. What’s considered to be robust and effective now likely won’t be in the near future.

On that note, how do you think compliance will evolve as a new generation enters the workforce?

While it’s a little dangerous to paint an entire generation with a broad brush, there are clearly certain differences from one generation to the next. If we’re talking about the Millennials, there appear to be certain unique variables at play relative to Baby Boomers and Generation Xers. Generally speaking, Millennials are highly digital and technology-savvy; have access to great amounts of information; prefer working in teams; enjoy immediate processing and results; seek out more relaxed and flexible working environments; and are perhaps driven by a desire for a more personal and emotional connection to their work, company, and company’s values. As a result, GRC and HR departments need to closely partner to make sure that we’re successfully accommodating these social drivers in order to have truly robust, effective, and sustainable GRC programs that resonate and stick. For example, we’ll need to develop more mobile, virtual, interactive, and engaging Codes of Conduct, policy delivery mechanisms, training programs, and communications initiatives.

Given that you’ve personally built and led several world-class and award-winning GRC programs, what specific characteristics make for a world-class GRC program from your perspective?

The “how” (how we do things) is just as important as the “what” (what we do). It’s important for one to be a subject-matter expert in their given area, but building the necessary partnerships, working relationships, consensus, and coalitions with the business and other stakeholders is equally important, and sometimes perhaps even more so. You’re not going to add much value, and you’re not going to be very effective, if you narrowly view your role to just be an internal cop. Compliance clearly has a “governance” role to play, but you have to execute it by way of adding value and being business-centric. Things are rarely binary and, like most things in life, our work is fairly nuanced. We need to strike the optimal balance between making sure that we’re satisfying the applicable legal and regulatory requirements on the one hand, and also running a healthy, viable business on the other hand. In this vein, I always try to impress upon my teams the foundational value and importance of building the necessary partnerships and relationships with the business and our various stakeholders.

You also want to make sure that your GRC programs are appropriately right-sized and fit-for-purpose and that they’re strategically and optimally customized to your company, industry, business model, strategic priorities, and organizational culture. There is no prescriptive, one-size-fits-all set of GRC programs that you pull off the shelf, blow the dust off of, and plug into any given company. Every organization is unique and has its own way of doing things, and business models and strategic priorities can dynamically shift and change, thereby possibly causing the GRC functions’ frameworks and models to likewise adjust and change. You need to be mindfully plugged into the rhythm of the business to ensure that you’re truly and effectively supporting, facilitating, and adding value.

I’d additionally recommend getting exposure to a number of different industries, circumstances and professional opportunities permitting. While I commend and respect those who have worked in the same industry for the better part of their GRC-related careers, I personally feel fortunate to have worked in a number of different industries, which I feel has provided me with an invaluable cross-vertical and holistic lens through which to view things.

While certain specific regulatory requirements are obviously different from vertical to vertical, the fundamental principles and tenets of what makes for robust and effective GRC programs are largely the same and freely transferable from industry to industry. I’ve had the great opportunity to build and lead a number of highly successful GRC programs in a wide range of some of the most dynamic and heavily regulated industries, including banking and financial services, healthcare, insurance, and technology, and there are definitely certain things that each vertical can learn from the others as it relates to building and sustaining robust and effective GRC programs. I can only speak from personal experience, and it may not necessarily be viable for some GRC professionals to gain experience in different verticals, but I’ve found the cross-industry, holistic perspective to be invaluable, and this experience has lent itself to truly seamless transitions from one dynamic industry to another.

Lastly, and perhaps most importantly, we need to continually and vigilantly foster an organizational culture of “performance with integrity” as the cornerstone value. As many knowledgeable GRC experts will likewise note, the CEO and senior-most executives need to be singularly dedicated to creating, leading, and sustaining a uniform “performance with integrity” culture throughout the organization.

Any final words or tips you’d like to impart?

We’ve likely touched on most of these, but it’s critically important to be business-minded, as the business is one of our primary stakeholders and this ultimately better serves our members and customers. It’s important to be a flexible and nimble all-around athlete, as you’ll literally touch upon any given issue or area of the organization in any given day. It’s important to keep your head on a swivel and remain vigilant, always being mindful of what’s around the corner. Lastly, and perhaps most importantly, it’s important to maintain a balanced perspective and keep your sense of humor.