K.C. Turan is Senior Vice President, Chief Risk, Compliance & Ethics Officer at UPMC Insurance Services. In this role, he oversees and leads the cross-organizational corporate compliance; ethics; enterprise risk management (ERM); privacy; fraud, waste, abuse and recoveries; quality assurance and operational integrity; data governance; and various business unit and partner company compliance programs for UPMC Insurance Services. Ethisphere’s Aarti Maharaj recently spoke with K.C. about information governance as a prelude to his panel, which features leaders from Dun & Bradstreet and Parsons Corporation at this year’s 9th Annual Global Ethics Summit.
How is information governance part of your role at UPMC? How does information governance synchronize with what you’re doing from a compliance and risk management standpoint?
KC: As the Chief Risk & Compliance Officer for UPMC Insurance Services, information/data governance is an increasingly significant part of my functional role and responsibilities. Beyond the inherent overlap and touch points between data governance and privacy/cybersecurity, we have myriad regulatory compliance and reporting requirements that implicitly have a data governance element within their core. Data governance may not necessarily be the primary driver of all such regulatory compliance and reporting requirements, but it’s increasingly and intrinsically associated with them. Having an effective and robust data governance program facilitates the development of stronger, more effective compliance, ethics and risk management programs.
Against that backdrop, how do you view the role of information governance and keep up with the various data-related trends and requirements at UPMC?
KC: It depends on how one defines “data governance,” as you’d likely elicit ten different definitions from ten different people. For our organizational purposes, we define data governance as the set of processes and methodologies that support and enable more holistic and effective information management from cradle to grave. It encompasses our various protocols for data gathering, availability, accessibility, reliability, accuracy, security, management, sharing, transfer and deletion (and everything in between). We tend to view data governance as a second line-of-defense function, much like compliance and enterprise risk management (ERM), which means that our Data Governance Office doesn’t “own” the data or the responsibility to better manage and secure it. This falls to the relevant first line-of-defense business and functional owners. Our Data Governance Office owns developing and providing the tools, methodologies and processes for supporting and facilitating the business/functional owners’ data governance responsibilities.
Can you talk more about your compliance and ethics program at UPMC?
KC: At UPMC Insurance Services, we’ve structured our various governance, risk management and compliance (GRC) programs to be a fully integrated set of functions that can leverage the natural synergies and efficiencies that exist across the holistic GRC framework. This includes the implicit synergies involving risk assessments, strategic and goal planning, capital planning and budgeting, cross-organizational investigations, and all-important communication and information flows, among others. By housing our various GRC programs (which include Corporate Compliance & Ethics; Privacy; Government Programs Compliance (e.g. Medicare and Medicaid Compliance); ERM; Fraud, Waste & Abuse; Quality Assurance & Operational Integrity; and Data Governance) within one holistic and integrated GRC department, we’re able to better leverage these synergies and ultimately be more effective in deploying our resources, carrying out our responsibilities and, most importantly, supporting the business.
I recently spoke with one of your fellow panel members, who said that information governance is all about coordination and collaboration. What are your thoughts on this?
KC: Given how we define and have begun to develop our maturing and evolving data governance program, as described above, I agree that the coordination and collaboration elements are foundational for effective information governance. We’re designing and developing our Data Governance Program to be consultative, facilitative and heavily operationally oriented. There are some organizational data governance programs that are a bit more ethereal and academic in nature, but our program needs to be operationally tangible within the relevant business and functional areas’ routine activities and decisions. This implicitly requires a high degree of cross-organizational structure, coordination and collaboration.
With respect to the Global Ethics Summit, we have a lot of topics and thought leaders attending. What do you think the benefits of such a gathering are and what do you hope to gain from the Summit as a speaker/attendee?
KC: I’m a firm believer in continuous assessment and improvement, regardless of where a particular program may presently be within its program maturity lifecycle. In this vein, the biggest benefits of any such conference are the compelling opportunities to network and share best practices with our colleagues. As GRC practitioners, we’re all on a fairly similar journey within our respective organizations, and we’re collectively much stronger when we’re learning from each other.