Public Sector

All McKinsey Center for Government

Research topic | McKinsey Center for Government

Regulation and public protection

Research and insights from the McKinsey Center for Government (MCG) helps agencies fulfill their mission of protecting the public in an era of dynamic threats and heightened expectations of government. We collaborate with government leaders and experts globally to develop actionable perspectives on regulation and enforcement.

Protecting the public is the core task of many government bodies—in particular, regulatory and law-enforcement agencies. Today, these agencies are coming under increasing scrutiny, and the public’s expectations of them are higher than ever: are they doing enough to anticipate threats? What are the costs to taxpayers of the protection these agencies offer? Are there unintended consequences in terms of lost sector output, slower rates of innovation, or invasion of privacy?

Structural changes in the global economic and political environment have made threats more dynamic and uncertain, which in turn has made answering these critical questions more difficult. As part of our work on regulation and public protection, MCG has identified important trends—such as an increased focus on “tail” risk events and greater budget pressures—that agencies must adapt to. MCG’s research can inform how agencies respond to these trends.

Our expertise

We believe one element of agencies’ response should be to retool core management functions—including strategic planning, risk management, performance management, and recruiting and hiring—to drive better decisions and improve cost-effectiveness.

Strategic planning and risk management

In the past few years, high-profile failures in risk management have had shocking and widespread ripple effects and have led to costly government interventions. These failures served as a call to action, spurring public-sector institutions to strengthen their planning and risk-management practices: where do the most significant new threats lie, what tail risks is the public exposed to, and what monitoring and prevention strategies would be most effective? Agencies must then translate ideas from strategic planning and risk management into operations and effective action. Building on McKinsey’s extensive experience in strategic planning, risk management, and public-sector operations, MCG is developing perspectives on the challenges that government agencies face in adapting to change and managing risk, as well as how to overcome these challenges. We are also identifying best practices and success factors in how a government agency should allocate limited resources across a broad range of risk exposures.

Performance management and tracking

Protection agencies must track whether their regulations or protective actions are having unintended consequences. For regulators, unintended consequences could include distorting industry behaviors that reduce output and innovation or that substitute one form of risky behavior for another. Whether agencies choose to do the monitoring and measurement themselves or have these tasks done by an independent party, our research and insights—into industry dynamics and behavior as well as performance management—provide a useful knowledge base.

Recruiting and hiring

In a world of dynamic threats, compliance and enforcement agencies need more sophisticated risk analytics and forecasting capabilities. They must hire people who can spot patterns and anomalies, make connections, and instinctively probe and challenge. They may also need to hire people with deep-sector or product expertise. We are developing perspectives on how agencies can rebalance their mix of talent within budget constraints.

Research and collaboration

We regularly convene round tables and knowledge-sharing sessions on regulation and public protection. In addition, we collaborate with respected thinkers worldwide to generate unique insights into these complex topics. Our current research efforts include in-depth studies of two areas critical to protecting the public: cybersecurity and food and drug regulation.


Governments now recognize that securing cyberspace is of paramount importance—yet they have a poor understanding of the scale of the challenge. McKinsey research shows that attacks on government data and systems, critical national infrastructure, and private enterprises’ intellectual property carry the most value at risk. McKinsey’s cybersecurity experts have identified the elements of a next-generation cyberdefense, and are conducting ongoing research on the primary cyberthreats that governments face as well as the various levers (such as tax strategy or civil litigation) they can use to counter these threats.

Food and drug regulation

Project Regulatory Excellence, or “Project RegEx,” is a global benchmarking and knowledge-development effort covering topics important to food and medical-products regulators, such as inspection programs, the root causes of product recalls, and approaches to managing drug shortages. Within medical-products regulation, MCG research will focus on a number of specific issues, including enhancing human-subject protection in clinical trials and improving the security of the supply chain. MCG's advisory board on regulatory issues consists of leading experts and academics with decades of regulatory experience.

For more information or to discuss potential collaboration and participation in our research, please contact us.

Featured insights

Risk-based resource allocation

Risk-based resource allocation

February 2013–Government is increasingly called on to protect the public from harm and to shield society and the economy from volatility, but to do so as efficiently as possible. Adopting good practices in risk-based resource allocation is a powerful way for regulators and enforcement agencies to meet their missions efficiently and effectively.

The public sector's cybersecurity imperative

The public sector’s cybersecurity imperative

Recent cyberattacks on several government agencies have made it clear that the United States must make comprehensive, permanent improvements to its cybersecurity systems. This US-focused white paper discusses the nature and severity of “Advanced Persistent Threats” (APTs), lays out the six most crucial elements of a next-generation system of cyberdefense, and outlines the benefits of testing and assessing agencies’ ability to respond to future attacks.

Can you hack it?
article | McKinsey on Government

Can you hack it? Managing the cybersecurity challenge

To secure cyberspace, technology alone is not enough. Strong management plays an equally important role.more


Meet our people

Nav Singh

Navjot Singh

Aamer Baig

Aamer Baig

James Kaplan

James Kaplan



report | McKinsey Working Papers on Risk, No. 28risk management

Strengthening risk management in the US public sector

As it seeks to protect the public, government takes on many of the biggest risks around. But the challenges of managing risk from the public sector are substantial. Government agencies can take five steps to improve their risk management practices.