The 2026 KPMG Global Third-Party Risk Management Survey

Key findings to power AI-optimized third-party risk management strategies

Third-party risk management: Navigating complexity in a volatile world

The landscape of third-party risk is evolving rapidly, with regulatory compliance and cyber risk now the primary drivers shaping TPRM strategies across the globe. As organizations face an unprecedented pace of change and increasing threats, the 2026 KPMG Global Third-Party Risk Management (TPRM) Survey explores how leaders are responding to these challenges—and where critical gaps remain.

This is not the time for incremental improvements or fragmented approaches. Our latest survey of 851 organizations reveals that while many are making progress, true integration and effectiveness in TPRM remain elusive for most. The findings highlight both the advances and the persistent hurdles organizations face as they strive for resilience and confidence in their third-party ecosystems.

Explore the survey to learn:

  • Why regulatory compliance and cyber risk are at the forefront of TPRM strategy, reflecting a global urgency to address immediate threats.
  • How roughly half of organizations report their TPRM programs as “mostly integrated” with ERM, but only one in five have achieved full integration.
  • The growing reliance on managed services and outsourcing for core TPRM activities—yet only 5% have adopted end-to-end managed service models.
  • The promise and limitations of AI in TPRM, with more than half exploring AI but only a quarter finding it “very effective,” and most organizations relying on a patchwork of disconnected tools.
  • The impact of data quality, with just one in five organizations reporting the highest level of data quality—yet those with high-quality data are significantly more confident in their TPRM decisions.

Access the 2026 KPMG Global TPRM Survey

Gain exclusive insights from the 2026 KPMG Global Third-Party Risk Management (TPRM) Survey. Learn how organizations worldwide are addressing regulatory compliance, cyber risk, and the growing complexity of third-party ecosystems—while leveraging AI and managed services to build resilience.

Compliance and cybersecurity: Twin pillars of TPRM strategy

  • Regulatory compliance (48%) and cyber risk (37%) are the top drivers of TPRM strategies, reflecting a defensive focus because of the potential for third-party vulnerabilities to cause enterprise-wide issues.
  • Spending is concentrated on risk assessment/due diligence (52%), TPRM technology/tools (51%), cybersecurity/data protection (49%), and regulatory audits (45%).
  • Smaller organizations rely heavily on cyber functions as their main defense, while larger organizations have the resources to invest in broader risk management.
  • Sector differences exist: Financial services are driven by regulation, life sciences by complex compliance, and manufacturers by ESG and sustainability.
  • 83% of executives plan to expand partner networks in the next 1–3 years, but 48% see room for better collaboration on risk management.
  • The growing complexity of third-party ecosystems makes tailored, risk-based approaches more urgent.

Integration challenges: TPRM and ERM

  • Only 53% of organizations report their TPRM programs are “mostly integrated” with enterprise risk management (ERM), and just 18% have achieved full integration.
  • TPRM and ERM often operate in silos: TPRM focuses on day-to-day vendor data, while ERM addresses high-level strategic threats, leading to fragmented risk management.
  • Structural and philosophical differences—such as separate teams, priorities, and approaches—make it difficult to create a unified view of risk.
  • 71% of organizations plan further integration of TPRM and ERM over the next three years, but only 17% rate their TPRM data as fully reliable, highlighting a significant data quality gap.
  • Bridging this gap requires shared goals, cross-functional governance, investment in data quality, and thoughtful use of technology.
  • The lack of integration limits organizations’ ability to manage risk strategically and build resilience.

When it comes to third‑party risk, companies are chasing effectiveness, efficiency, and experience all at once. The challenge is making sure you’re not just ticking boxes for compliance, but building a process that’s resilient, scalable, and delivers real value for both your business and your vendors and partners.

Joey Gyengo

US Third‑Party Risk Management Leader, KPMG LLP

Managed services and outsourcing: Scaling TPRM

  • Over 80% of organizations use managed services, outsourcing, or both for core TPRM activities, but only 5% have adopted end-to-end managed service models.
  • Most organizations outsource discrete, high-volume tasks (e.g., risk assessments, due-diligence questionnaires) rather than the entire TPRM lifecycle.
  • Concerns about losing control and sharing proprietary data are significant barriers to wider adoption of outsourcing and managed services.
  • The maturation of AI is driving a shift toward partner-based service delivery models, but many organizations still operate with a fragmented “patchwork” of tools.
  • Leading managed service offerings are increasingly tech-enabled, using AI for high-volume screening and chatbots to accelerate low-risk query resolution.
  • Effective oversight, strong governance frameworks, and alignment with internal risk appetites are essential for successful managed service adoption.
  • End-to-end managed services are expected to grow as organizations seek scalable, cost-effective solutions and trustworthy partners.

We’re seeing a lot of organizations say they use managed services for TPRM, but only a handful are doing it end-to-end. Most are just outsourcing pieces here and there. The real opportunity is bridging that gap—by defining and streamlining your processes and getting the fundamentals right before you scale, you can benefit from faster, more efficient risk assessments.

Roy Waligora

Global Third‑Party Risk Management Leader, KPMG Global

Technology and AI: Unlocking TPRM maturity and creating value

  • Technology, especially AI and automation, is reshaping TPRM, offering potential for streamlining risk assessments, due diligence, and risk ratings.
  • Most organizations use only 1–5 systems to support TPRM, and integration with other platforms is the top pain point; this often results in a patchwork of disconnected systems.
  • AI adoption is growing: 50–58% of respondents claim to use AI, but only 22% find it “very effective,” while 40% say it’s only “somewhat effective.”
  • The most effective AI applications connect disparate processes and have clear ownership over the end-to-end workflow; siloed, single-step agents are less effective.
  • 39–47% of organizations expect moderate AI use in core TPRM tasks over the next three years.
  • Realizing AI’s potential requires intentional investment, cross-functional collaboration, and a clear roadmap for scaling from pilots to enterprise-wide solutions.
  • Prioritizing system integration, data quality, and embedding AI across the full TPRM lifecycle are key to unlocking value and building resilience. 

Data quality and confidence: The foundation of trustworthy TPRM

  • Confidence in TPRM decisions depends on reliable data; leaders with high-quality data are significantly more confident in their risk management.
  • Only 17% of organizations report having the highest level of data quality, while 59% say their data is mostly complete, accurate, and consistent.
  • Among respondents with high-quality data, 52% are “very confident” in their TPRM decisions; 40% of those with poor data quality are “not confident.”
  • Poor data quality is a major barrier to effective AI and managed services adoption, and it undermines strategic investments.
  • Fragmented systems and inconsistent data practices limit visibility and make it difficult to assess third-party risk across geographies.
  • Improving data quality requires investment in data governance, standardized reporting, and continuous validation, starting with the most critical third parties.

Recommendation roundup: Building a resilient, future-ready TPRM program

1. Shift from broad, inefficient screening to a focused, risk-based model—concentrate resources on the small fraction of vendors that pose genuine threats.
2. Integrate TPRM and ERM functions to create a unified, enterprise-wide view of risk that informs strategic decisions, not just compliance reports.
3. Treat data as a strategic asset—invest in data governance to create a single source of truth and enable effective AI, credible reporting, and confident decision-making.
4. Move beyond “AI theater”—embed automation and intelligent workflows across the entire TPRM lifecycle to accelerate processes and uncover hidden risks.
5. Develop “Nth-party” visibility to understand risks deeper in the supply chain and manage concentration risk.
6. Leverage managed services to scale capabilities and drive efficiency while retaining firm control over governance and strategy.
7. By taking these steps, organizations can transform TPRM from a cost center into a strategic enabler that delivers efficiency, effectiveness, and competitive advantage.

The bottom line
 
The 2026 Global TPRM survey highlights a clear path forward: Focus on risk-based screening, break down organizational silos, invest in data quality, deploy AI and automation purposefully, and leverage managed services with robust governance. By embracing these strategies, organizations can transform TPRM from a compliance-driven necessity into a proactive engine for resilience and competitive advantage.

How KPMG can help

  • KPMG offers a comprehensive playbook for transforming TPRM from a defensive necessity into a strategic advantage, providing expertise, technology, and global scale to support execution.
  • The global TPRM team delivers end-to-end support, combining subject-matter expertise, advanced technology, and a robust managed services model.
  • Our approach is multidisciplinary, integrating risk, procurement, compliance, technology, cyber, and ESG experts to design, implement, and continuously improve TPRM programs.
  • KPMG managed services unite automation, AI, and specialized expertise, offering modular, subscription-based solutions that cover the full TPRM lifecycle—from onboarding and due diligence to continuous monitoring and offboarding.
  • Key benefits include efficiency gains (reduced administrative overhead, faster onboarding), risk reduction (proactive identification and mitigation), strategic insights (advanced analytics and reporting), and operational resilience (integrated TPRM and ERM, global resources).

Meet our team

Joseph P Gyengo
Principal, Advisory, Risk Services, KPMG US
Roy Waligora
Partner, ERS Foren I&C Sect, KPMG UK

Roy serves as the Global Leader for KPMG International's Third Party Risk Management services group. He is a Chartered Accountant and Head of Investigations and Corporate Forensics at KPMG in the UK. He has been conducting forensic investigations and disputes in many countries for 21 years. Roy has acted on behalf of several regulators and many multinational clients to conduct regulatory driven financial investigations of fraud, financial statement misstatements, misconduct and money laundering – often together with leading law firms in cross border work. Roy has testified in several forums and believes that the effective investigation of fraud requires a multi-disciplinary approach of financial skills, regulatory context, technology-driven efficiency and analysis. By working with our leading team of specialists in the UK and our member firms across the globe we bring a consistent and robust approach to multi-jurisdictional fraud and misconduct investigations, supporting our clients to respond to regulatory inquiry and crisis incidents.
