What KPMG's Scandal Tells Us About the Consultant's Dilemma

The news out of KPMG Australia this week is uncomfortable reading — not just for the Big Four, but for anyone who works as an independent consultant. Including me.

Confidential board papers from one client, allegedly used to win work with others. An internal whistleblower dismissed. A CEO and head of audit resigned within days. ASIC launched a formal investigation. It follows PwC's 2023 scandal by three years, and the root cause is the same: information obtained in one client relationship, used in another.

That tension is not unique to the Big Four. It's structural to consulting itself.

The value proposition and the trap

Clients don't hire me just for my academic credentials. They hire me because I've been somewhere they haven't — seen a technology rollout fail in the way they're about to repeat, navigated a restructure that looked like theirs. That pattern recognition, built across engagements and sectors, is genuinely part of the value I offer.

But that's also where the trap opens.

The projects I’ve managed are inseparable from the specific situations that generated them. The go-to-market strategy that worked brilliantly for one client worked in *that* client's context: their culture, their competitive position, their team's appetite for change. Strip away that context and the strategy isn't just less effective — it can be actively dangerous. A disciplined waterfall schedule that suited an occupier client can prove fatal in a compressed procurement engagement.

The experience I carry is not a transferable answer. It's a set of questions I know to ask.

That distinction matters because it's easy to collapse — to reach for the familiar model without interrogating whether this situation actually resembles the last one. That's not misconduct. It's pattern-matching on autopilot. But the consequences for a client who needed a tailored response and got a recycled one can be significant.

The intersection problem

As an independent consultant PM, I occupy an unusual position. I'm likely working across multiple clients — or moving between them closely enough that the boundaries blur. I leverage the same experience, bring the same tools and the same brain.

That intersection is where the value sits. Cross-industry perspective, no organisational politics in the way. Clients engage me precisely because I've been outside their walls.

But that intersection is also where the risk lives — and where I've had to be deliberate about building my own controls.

It doesn't require malicious intent for confidential information to move between contexts. The HBR research describes this as compliance debt: the quiet accumulation of habits that haven't caused a problem yet, but represent risk building silently in the background. The Medibank breach started with a contractor syncing browser credentials across devices. The KPMG allegations involve board papers in a locker. Neither required a sophisticated attack. Both required a habit.

So here's what I actually do. For longer engagements I work inside the client's environment — their systems, their AI tools — routing only agreed reporting back to my own domain. I might iterate on templates in my own environment, but without client data; describing a problem without client-specific terms often forces a clearer articulation of the real issue anyway. Carrying two laptops — a minor inconvenience — ensures information simply doesn't pass through the same channel. It's a practical expression of what good privacy looks like: not just avoiding harm, but actively building conditions that make it harder for harm to occur.

What clients are actually hiring me for

There's a version of the consultant pitch that emphasises domain knowledge: I've done this before, I have the answer. But the more defensible version is different. Clients hire me not because I have a silver bullet, but because I can implement process, controls, and governance in contexts I haven't seen before. I bring rigour to ambiguity. I help establish the conditions under which good decisions get made and risk gets surfaced rather than buried.

That's harder to sell. But it's the thing that actually transfers cleanly between engagements — and it's the thing that doesn't require me to carry one client's secrets into another client's boardroom to demonstrate my value.

It also happens to be what privacy, done well, looks like in practice. Not an NDA at kick-off. But a consistent habit of keeping information where it belongs, being deliberate about what I retain and why, and treating client data as something lent to me for a purpose — not accumulated as professional capital. That's the thing that actually travels well between engagements. And increasingly, it's what clients are starting to notice.