Mission

What we do, and why.

Our work focuses on financial services and other regulated industries, where entity-based risk frameworks have left gaps that existing attestation standards do not surface. We publish academic research, industry briefings, and diagnostic frameworks for the practitioners, auditors, and policymakers who set those standards.

All research is made freely available. No client confidentiality constrains our conclusions.

Approach

Research, industry briefings, and diagnostic frameworks.

Provenance Risk Research organizes its work into three programs: a research program producing peer-reviewable papers that document where current TPRM and attestation frameworks miss the dependency-level exposure they purport to cover; an industry briefings program producing executive-friendly publications - including an annual State of Third-Party Technology Risk - on the systemic dependencies shaping financial services TPRM; and a diagnostic frameworks program publishing applied question methodologies and analytical tools that practitioners can use directly.

The through-line is measurement. Third-party risk has become a compliance artifact in too many institutions because the things that actually cause failure are not measured. Our job is to make them measurable - in ways that hold up to academic peer review, regulatory scrutiny, and practitioner use.

Leadership

Founder and principal researcher.

Founder, President & Executive Director

Trevor Kavanaugh

Trevor Kavanaugh is the founder and principal researcher of Provenance Risk Research. Previously, he served as Vice President of Third-Party Risk Management at First Foundation Bank, a $10 billion FDIC-regulated institution, where he managed more than 600 vendor relationships across 14 years in financial services. He has spoken at the Global Association of Risk Professionals (GARP) Financial Risk Symposium alongside chief risk officers from Visa, Morgan Stanley, TIAA, and Schwab. His research focuses on dependency-level risk propagation in software supply chains and the gaps in entity-based risk attestation frameworks.

Entity Information

Legal & tax status.

Provenance Risk Research Inc. is a Delaware nonprofit corporation, organized April 20, 2026. The foundation operates as a 501(c)(3) research and educational organization; federal tax-exempt determination from the Internal Revenue Service is pending.

The Certificate of Incorporation, bylaws, and conflict-of-interest policy are available on request to research inquiries.