
      The requirements for third-party risk management (TPRM), i.e. the systematic management of risks posed by third parties, are evolving significantly. This is because the involvement of third parties in the processes and procedures of one's own organisation is indispensable today, but also entails risks – for example, through dependencies, disruptions along the supply chain, increased vulnerabilities or failures of critical services.

      Our English-language Global Third-Party Risk Management Survey 2026 examines how international organisations view these developments and what measures they have already taken. 

      Current developments in third-party risk management 

      The survey of 851 study participants shows that many companies are continuing to develop their TPRM structures.  

      Around half of those surveyed stated that their third-party risk management programme is largely integrated into their existing enterprise risk management (ERM) system. However, only around one in five respondents reported that TPRM is fully integrated into their company-wide risk management system in terms of structure, processes and governance. 

      In practice, more than 80 per cent of the companies surveyed already use managed services or outsourcing models, i.e. the outsourcing of certain tasks to external service providers. However, this is often done selectively, for example in the case of risk analyses or standardised audit steps. Only around five per cent of organisations have implemented a comprehensive end-to-end model that covers all steps of TPRM. 

      Use of technology and integration of AI

      The digitisation of TPRM is progressing: 50 to 58 per cent of companies say they use AI in their TPRM processes. Typical areas of application are reporting, data visualisation, risk assessment and the evaluation of supplier information. However, only 22 per cent of respondents rate the use of AI as "very effective", while 40 per cent rate it as "somewhat effective". Eight per cent of the companies surveyed attest to an advanced level of automation with fully integrated, end-to-end automated systems. The majority (over 50 per cent) are at a moderate level of automation. 

      Just under half of those surveyed expect these technologies to be further expanded in the coming years. It will be crucial to understand AI not as a standalone application, but as part of fully integrated processes. 


      Insight into global developments in third-party risk management – from regulatory requirements to the role of AI and data quality. 

      Importance of data quality 

      Data quality remains a key factor for reliable decisions: only 17 per cent of respondents say they have completely reliable, valid, consistent and integrated data in TPRM. Weaknesses in data quality particularly hinder the automation of individual TPRM process steps – for example, in automated risk analysis, the determination of due diligence requirements, the evaluation of supplier questionnaires, risk scoring logic or continuous monitoring. Measures such as clearly defined responsibilities for data maintenance, standardised reporting formats and continuous validation are therefore becoming increasingly important. Our study also confirms this: companies with high data quality report that they can assess risks more soundly and optimise the time required for comprehensive third-party implementation.

      Implications for the further development of TPRM programmes

      The results of our survey suggest that companies should focus their resources more strongly on risk-relevant third parties. Closer integration of TPRM and overarching risk management structures helps to create a consistent, company-wide view of risks.

      Transparency along the entire supply chain – including indirect or more distant business partners – will become increasingly important in order to identify and efficiently manage potential dependencies. 

      What the global TPRM study offers you  

      The latest KPMG Global Third-Party Risk Management Survey provides a comprehensive overview of how organisations worldwide classify regulatory requirements, cyber risks and the increasing complexity of their third-party landscapes. The results provide insight into the current state of the art in the use of technologies such as artificial intelligence and managed services models, including their role in the further development of processes and structures in TPRM.

      On request, we can tailor the results to you and your company's industry. Please feel free to make an appointment for a personal discussion about the opportunities and areas for action in the field of third-party risk management.
