Third-party risk ranks as the #2 near-term risk in the 2026 Executive Perspectives on Top Risks Report, authored by NC State’s ERM Initiative in partnership with Protiviti, reflecting growing concern over external dependencies—including suppliers, SaaS platforms, cloud providers, consultants, and outsourcing partners.

This risk category increasingly includes what many refer to as supply chain risk: exposure to operational, reputational, and strategic disruptions caused by global, multi-tiered vendor and supplier relationships. In today’s interconnected environment, a breakdown in one node of the supply chain can have cascading impacts across the enterprise.

Why Third-Party and Supply Chain Risk Is Rising in 2026

Executives and board members identified a range of contributing factors:

• Heavy reliance on external technologies, such as AI-enabled platforms and cloud-based tools
• Cybersecurity threats originating from third-party access points
• Limited visibility into multi-tier supplier networks, particularly with overseas vendors
• Geopolitical instability, trade policy shifts, and extreme weather affecting supply chain continuity
• Heightened regulatory expectations, including ESG disclosures, AI risk governance, and cyber laws

Third-party and supply chain risk now extends far beyond procurement. It touches strategic initiatives, digital transformation, regulatory compliance, and brand trust.

Risk Management Considerations

To respond to rising third-party and supply chain risk, organizations should:

• Develop a centralized third-party risk management framework that defines ownership and escalation
• Incorporate third-party and supply chain risks into enterprise-level dashboards, heat maps, and scenario planning
• Collaborate across functions (ERM, procurement, IT, legal, compliance) to identify and monitor risk exposures
• Segment vendors and suppliers by criticality, ensuring deeper review for high-risk partnerships
• Regularly test response plans for key supplier or vendor failures, including supply chain interruptions

Organizations that proactively map their third-party ecosystem, including global supply chains, are better equipped to anticipate and mitigate risk before it becomes a crisis.

5 Questions to Guide a Leadership Conversation on Third-Party and Supply Chain Risk

Use these questions to engage your leadership team or board in evaluating your current approach:

1. Which vendors, suppliers, and third parties are critical to our operations—and how do we assess and monitor their risk over time?
2. Do we have an enterprise-wide framework to evaluate third-party and supply chain risk across all departments?
3. How are these risks integrated into our broader ERM process and reflected in board-level reporting?
4. What response plans are in place for disruptions involving critical third parties or supply chain failures? When were these last tested?
5. How are we preparing for emerging third-party risk themes—such as embedded AI in vendor systems, ESG-related compliance, or geopolitical volatility?

These questions reflect recurring themes raised by global executives in the 2026 Top Risks Survey and in interviews conducted by the NC State ERM Initiative.

About the Experts Behind the Report

This article is based on insights from the 2026 Executive Perspectives on Top Risks Report, authored by:

• Mark S. Beasley, PhD – Director, ERM Initiative; Alan T. Dickson Distinguished Professor of Accounting
• Bruce C. Branson, PhD – Associate Director, ERM Initiative; Professor of Accounting
• Donald P. Pagach, PhD – Director of Research, ERM Initiative; Professor of Accounting

The report was developed by the ERM Initiative at NC State University’s Poole College of Management, in collaboration with global consulting firm Protiviti.

The NC State ERM Initiative is a leading source of applied research and executive guidance on risk management, strategy, and resilience.