The 2026 KPMG Global Third-Party Risk Management Survey

Third party risk management in New Zealand: Navigating complexity in a volatile world

TThe landscape of third‑party risk is evolving rapidly, with regulatory expectations and cyber risk now key drivers shaping third‑party risk management (TPRM) strategies globally. For New Zealand organisations, this shift is particularly relevant as growing reliance on third parties (across technology, cloud services, critical suppliers and offshore delivery models) continues to outpace the maturity of many TPRM programmes.

As organisations face an unprecedented pace of change and increasingly interconnected risk environments, the 2026 KPMG Global Third‑Party Risk Management Survey explores how leaders are responding – and where critical gaps remain. While progress is being made, many organisations continue to rely on fragmented, compliance‑driven approaches that limit resilience. For New Zealand leaders, the findings highlight a clear opportunity to adopt more targeted, risk‑based models that focus effort where it matters most and build greater confidence across the third‑party ecosystem.

Three priorities for New  Zealand organisations

This research highlights three priority areas for organisations looking to strengthen their approach to third‑party risk management.

Many organisations continue to apply the same level of scrutiny across all third parties. Adopting a risk‑based approach enables organisations to concentrate effort on critical and higher‑risk relationships, improving resilience while making better use of limited resources.

TPRM is often treated as a standalone or operational process. Stronger integration with enterprise risk management can provide a clearer, organisation‑wide view of third‑party exposure and support more informed strategic decision‑making.

Reliable data underpins effective third‑party risk decisions. Improving data quality and system integration is a foundational step for organisations seeking to strengthen oversight, enable technology and automation, and realise value from emerging AI capabilities.

Navigate the new realities of third-party risk

Discover how leading organisations are reshaping TPRM – explore the 2026 KPMG Global Third-Party Risk Management Survey now to see how organisations are tackling regulatory compliance and cyber threats amid increasingly complex third‑party ecosystems, and explore how leaders are using AI and managed services to strengthen resilience.

Download the survey

Findings from our research

Compliance and cyber security: Twin pillars of TPRM strategy

Regulatory compliance and cyber threats are the most pressing priorities today, but they also highlight a gap: programmes need capabilities that anticipate emerging risks so they can act before the next wave hits.

Integration challenges: TPRM and ERM still speak different languages

With only 53 percent of TPRM programmes "mostly integrated" with enterprise risk management (ERM) – and just 18 percent "fully integrated"- there is a significant opportunity to create an enterprise-wide view of risk.

Managed services and outsourcing: Scaling TPRM with external support

Truly scalable, strategic TPRM operating models are an emerging trend: Many organisations are outsourcing discrete, high-volume tasks, creating a path toward end-to-end managed services, which are in place in just 5 percent of organisations.

Technology and AI: Unlocking TPRM maturity and creating value

More than half of organisations are exploring artificial intelligence (Al), and with 22 percent finding it "very effective," there is a clear opportunity to better translate technology investments into tangible value.

Data quality and confidence: The foundation of trustworthy TPRM

As only 15 percent of leaders express high confidence in the data that underpins their program, improving data quality presents a foundational opportunity to enhance TPRM effectiveness from the ground up.

Reliable data underpins effective third-party risk decisions. Improving data quality and system integration is a foundational step for organisations seeking to strengthen oversight, enable technology and automation, and realise value from emerging AI capabilities.

Philip Whitmore

Partner, KPMG Cyber

KPMG New Zealand

Strategic recommendations for future-proofing your TPRM program

By following these actions, organisations can reposition TPRM from a cost center to a strategic enabler that drives efficiency, effectiveness, and competitive advantage.

Focus your firepower

Pivot from broad, low value screening to a targeted, risk based approach — focus time and investment on the small subset of third parties that present material threats.
Break down the silos

Align TPRM with enterprise risk management (ERM) to establish a unified, organisation‑wide risk view that informs strategic choices beyond compliance obligations.
Treat data as a strategic asset

Implement robust data governance to build a single source of truth that powers effective AI, reliable reporting, and confident decision‑making.
Move past “AI theater”

Embed automation and intelligent workflows across the full TPRM lifecycle to speed execution and surface hidden risks.
Look beyond your own backyard

Expand visibility into Nth‑party relationships to identify deeper supply chain exposures and manage concentration risk.
Outsource outcomes, not ownership

Use managed services to scale capabilities and improve efficiency, while keeping strong ownership of governance and strategic direction.