
Why 82% of Risk Programmes Still Run Outside Governance

By Jonathan Justus | jonnynow.com | 30 May 2026


Only 18% of corporate third-party risk management programmes are fully integrated with enterprise risk management, according to the 2026 KPMG Global Third-Party Risk Management Survey published in March. The finding exposes a structural weakness in how organisations govern operational risk: most still treat it as a parallel discipline rather than an embedded operating function.

The KPMG study, drawing on responses from risk leaders across multiple industries and geographies, found a further 53% describe their programmes as "mostly integrated" — meaning more than four in five organisations operate without unified visibility across vendor, financial, cyber and reputational exposures. PwC's 2026 Global Risk Survey reinforced the diagnosis, reporting that executive leaders now expect risk functions to deliver data-driven, quantitative insight to inform strategic decisions — a brief that demands integration, not isolation.

The Cost of Operational Silos

When governance, compliance and operations run on separate tracks, the seams become the failure points. The Thomson Reuters Institute, in its 10 Global Compliance Concerns for 2026 report, argued that organisations will need stronger governance, smarter technology and better-trained people to keep pace with overlapping regulatory regimes such as the EU's Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD).

For consultants and operations leaders, the implication is direct. A risk register that lives only inside the compliance team adds bureaucracy without adding control. Embedded governance — where risk owners sit inside operating units and report through one cadence — converts oversight into early warning.

Data Quality Is the Hidden Constraint

The same KPMG survey delivered a quieter but equally consequential finding: only 17% of respondents reported having completely reliable, valid, consistent and integrated data within their third-party risk programmes. Without trustworthy data, automation collapses, dashboards mislead and senior leaders act on lagging signals.

That gap explains why so many transformation programmes stall at the reporting layer. Standardised data definitions, accountable data stewards and continuous validation are no longer technical chores; they are governance prerequisites.

Key Statistic: Only 17% of risk leaders report having reliable, consistent, integrated data in their third-party risk programmes — making automation and AI oversight structurally fragile.

Source: KPMG 2026 Global Third-Party Risk Management Survey

AI Adoption Outpaces Governance Maturity

Between 50% and 58% of companies now use AI within their third-party risk processes — for reporting, data visualisation, risk assessment and supplier evaluation, KPMG found. Yet only 22% rate that AI use as "very effective", with a further 40% calling it "somewhat effective". The gap, analysts note, is not a model problem; it is a governance problem. Algorithms inherit the weaknesses of the data and processes around them.

The Harvard Law School Forum on Corporate Governance, in its March 2026 review of global trends, observed that boards are deploying AI faster than they are building the policies and expertise to oversee it. Operations leaders who close that gap — through clear AI usage policies, model inventories and human-in-the-loop checkpoints — convert a liability into a control.

Embedding Governance into Operations

The path forward is structural, not cosmetic. Risk and operations should share a single taxonomy, a single cadence and a single executive sponsor. Process owners, not auditors, should own first-line controls. Compliance evidence should be a byproduct of the work, not a separate project. Above all, integration must be measured: if leaders cannot name the percentage of operational decisions that pass through a risk lens, the programme is decorative.

That discipline also explains why governance silence — the absence of escalation from the front line — is a leading indicator of failure. As Harvard Business School's Amy Edmondson has long argued, frameworks only work when people feel safe enough to surface what they see.

Build Governance That Strengthens Delivery

The Elevana Operations & Governance programme is designed around exactly this discipline — helping consultants and operations leaders design governance that strengthens delivery rather than slowing it. PRO Consultant graduates apply the same frameworks across regulated and high-growth environments.


Governance that lives outside operations governs nothing. The 18% who have integrated risk into the operating model are not safer by chance — they have stopped treating compliance as a separate company.
