KPMG 2026 TPRM survey: outsourcing, AI, managed services top workforce, governance concerns
KPMG’s 2026 TPRM survey of 851 organizations found cyber risk (48%) and regulatory/compliance risk (45%) now lead third‑party risk priorities, with AI adoption outpacing perceived effectiveness.

KPMG’s 2026 global Third‑Party Risk Management Survey, hosted on the KPMG in India page and published March 2, 2026, reports that 48 percent of 851 organizations named cyber risk or information security as the top driver of TPRM strategy and 45 percent pointed to regulatory and compliance risk. The survey, titled "2026 global third-party risk management survey — Achieving resilience in third-party risk management," frames third‑party oversight as central to enterprise resilience rather than a purely back‑office task.
A LinkedIn commentary on the release amplified one sharp tension in the data, saying "AI is everywhere however not yet effective" and stating that 50–58 percent of organizations claim to be using AI in TPRM while only 22 percent describe it as "very effective." That LinkedIn claim is presented as an interpretation of the survey and is not mapped in the fragment of KPMG material provided here; it underscores the gap between adoption and operational effectiveness that TPRM teams face.
KPMG’s published materials place the survey in an advisory posture: the asset highlights governance and program integration, tech and data enablement, and service delivery as areas to address so organizations can move beyond reactive approaches. The report names Roy Waligora, Partner and Global Lead, TPRM, KPMG UK, on its executive messaging and positions TPRM as a strategic program for firms that rely on vendors, suppliers, service providers and technology partners to support critical operations.
The KPMG asset includes a dense chart fragment of percentages and labels; the document fragment supplied here preserves that block verbatim but does not include the chart key needed to map percentages to revenue bands and industries. The fragment reads exactly as follows: "48% 45% 25% 20% 19% 18% 62% 46% 39% 43% 43% 45% 42% 50% 30% 26% 21% 25% 21% 20% 21% 19% 23% 16% 22% 16% 13% 24% 18% 19% 55% 33% 35% 40% 38% 46% 48% 38% 26% 22% 19% 23% 28% 23% 18% 22% 29% 26% 16% 23% 17% 9% 29% 17% 52% 40% 35% 23% 15% 15% 67% 58% 27% 13% 16% 16% Cyber risk/information security Regulatory and compliance risk Technology innovation Reputational/brand risk Business continuity risk Legal risk <US$5 bn US$5.1–10 bn US$10.1-20 bn >US$20 bn C&R ENRC HCLS IM TMT FS"
That unmapped sequence appears to show cross‑tabulated responses by risk type, revenue band and industry, but the provided asset does not include the legend, so the precise cell pairings cannot be reported from the fragment alone.
For KPMG clients and in‑house TPRM practitioners, the headline numbers present clear operational priorities: shore up cyber controls and compliance oversight while fixing fractured data foundations before layering AI into workflows. KPMG’s summary language urges "future‑ready approaches for governance and program integration, tech and data enablement, and service delivery," and the survey positions managed services and outsourcing oversight as governance issues that intersect with workforce and operational risk. Firms that treat AI as a plug‑in rather than as part of an integrated TPRM architecture risk high adoption with limited effectiveness, regulatory exposure and continuity gaps.

