Last week, McKinsey & Company resolved civil and criminal matters with the Department of Justice (DOJ). This settlement represents a seismic shift in corporate accountability. For the first time, a management consulting firm has been held criminally liable for advice that contributed to a client’s commission of a crime. This $650 million resolution with the DOJ offers profound lessons for industry compliance professionals. This should be coupled with the previous Foreign Corrupt Practices Act (FCPA) resolution for $122 million with the DOJ over the company’s bribery and corruption in South Africa. From failures in risk management to the imperative of ethical decision-making, McKinsey’s cases are a masterclass in how compliance missteps can lead to devastating consequences.

A Timeline of Ethical Erosion  

Between 2004 and 2019, McKinsey worked on 75 engagements with Purdue Pharma, a key player in the opioid epidemic. In 2013, McKinsey spearheaded a project to “turbocharge” OxyContin sales despite growing awareness of the drug’s role in the crisis. This “Evolve to Excellence” initiative targeted high-prescribing physicians, some already under scrutiny for unsafe practices. Despite Purdue’s 2007 guilty plea for misbranding OxyContin, McKinsey continued advising the company, prioritizing profits over public health.

The fallout included a criminal charge for obstruction of justice against a former senior partner, allegations of advising on fraudulent claims to federal healthcare programs, and revelations of conflicts of interest in dealings with the FDA. The penalties include a $231 million fine, $93 million in forfeitures, and $323 million under the False Claims Act. McKinsey also agreed to a Deferred Prosecution Agreement (DPA), mandating significant compliance reforms.

Key Compliance Takeaways  

1. Risk Assessment and Client Selection: The First Line of Defense

McKinsey’s failure to assess its work’s reputational and legal risks with Purdue underscores the importance of robust risk evaluation processes. Like any organization, consulting firms must consider client histories and engagement scopes. Purdue’s 2007 plea and ongoing controversies should have triggered heightened scrutiny, yet McKinsey continued its relationship unabated. One key lesson is to establish a formalized client diligence framework. Identify high-risk clients and engagements, factoring in legal histories, industry regulations, and reputational implications.

2. The Ethical Perils of Aggressive Strategy

The directive to “turbocharge” OxyContin sales illustrates the ethical blind spots that arise when profit-driven goals overshadow public welfare. McKinsey’s PowerPoint presentations and marketing strategies directly influenced Purdue’s ability to sustain OxyContin sales, exacerbating the opioid crisis. Every organization must build ethics into strategic decision-making. Compliance officers should collaborate with business units to ensure strategies align with ethical standards and regulatory requirements.

3. Document Retention and the Dangers of Obstruction

The case against former senior partner Martin Elling reveals how internal actions can escalate legal risks. Elling’s directive to “eliminate all our documents and emails” and his subsequent obstruction charge illustrates the severe consequences of tampering with evidence during investigations. Every company must develop and enforce strict document retention policies. Provide training to employees on legal holds and the dangers of obstructing investigations.

4. Conflict of Interest Management

McKinsey’s simultaneous work with Purdue and the FDA highlights a blatant disregard for conflict-of-interest policies. Misleading the FDA undermined trust and compounded McKinsey’s liability. Your organization must institute robust conflict-of-interest protocols. Regularly audit engagements to identify overlapping or competing interests and disclose conflicts proactively.

5. Deferred Prosecution Agreements: A Path to Reform

As part of the DPA, McKinsey committed to implementing significant compliance reforms, including a risk evaluation process, quality review programs, and new document retention procedures. These measures are designed to prevent a repeat of past mistakes. Indeed, no company wants to be under a DPA, but the conduct of McKinsey, both in this case and in its FCPA matter in South Africa, were both so egregious that the company should view its DPA as an opportunity for transformation. Compliance leaders should use such agreements to rebuild trust, enhance internal controls, and foster a culture of accountability.

Culture as a Compliance Imperative  

The most striking lesson from the McKinsey case is the absence of a culture of accountability. McKinsey’s actions were not the result of one rogue employee; they reflected systemic failings within the organization. From top executives to client teams, the firm consistently prioritized financial gain over ethical responsibility.

Building an ethical culture requires multiple steps. It all begins with Tone from the Top—a commitment from top leadership to demonstrate an unwavering commitment to compliance and ethics. A company must empower its corporate compliance functions with the authority and resources to challenge decisions that pose ethical risks. Through training, communication, and employee awareness, there must be awareness throughout the organization of this commitment to business ethically and in compliance. Organizations must regularly train employees on ethical decision-making, risk identification, and reporting mechanisms.

Looking Ahead: The Compliance Professional’s Role  

The McKinsey settlements are a wake-up call for compliance professionals. They challenge us to rethink our roles as rule enforcers and stewards of ethical integrity. This case underscores the importance of proactive measures to identify risks, implement controls, and foster a culture where doing the right thing is non-negotiable.

The DOJ’s message is clear: no entity is above the law. Consulting firms, financial advisors, and other service providers must now grapple with the reality that their advice carries legal and ethical implications. For compliance officers, this means doubling down on preventive measures, promoting transparency, and ensuring accountability at every level.