Industry Briefing
Published 2026 · Inaugural edition
An executive briefing on the seven major technology incidents from 2020-2024 that caused an estimated $30 billion to $200 billion in combined economic damage. None were traditional vendor failures - every one propagated through technical dependencies that existing TPRM frameworks were not designed to detect.
Identifies three emerging risk dimensions (supply chain, software delivery, infrastructure concentration), documents five systematic gaps in current TPRM frameworks, and traces the 18-36 month regulatory lag pattern that follows every major dependency-level incident.
Working Paper No. 1
Published 2026
The dominant approach to third-party risk management inventories the vendors a firm contracts with. But critical systems fail through the dependencies those vendors rely on - layers invisible to entity-based frameworks.
The Collective Fragility Paradox traces how individually rational decisions at the firm level compound into collective fragility at the ecosystem level, and reframes third-party risk around three categories - supply chain, software delivery, and cloud concentration - that propagate through technical dependencies rather than the legal entities existing frameworks stop at.
Declaration of Interest
This paper was originally authored and published by Trevor Kavanaugh in January 2026. It is republished by Provenance Risk Research Inc., a Delaware 501(c)(3) nonprofit research foundation, as Working Paper No. 1. The author serves as the foundation's founder and principal researcher.
The author also operates a separate for-profit entity under shared leadership. The research documented in this paper was conducted independently of any consulting engagement associated with that entity, and no client of that entity influenced the subject matter, findings, or conclusions.
All research published by Provenance Risk Research is made freely available to the public. No client confidentiality or commercial arrangement constrains the conclusions expressed in this work.
Working Paper No. 2
Forthcoming · In submission preparation
The Unmanaged Attack Surface: Why Vendor-Level Attestation Misses Software Supply Chain Risk
Uses a diagnostic-question methodology to reveal where SOC 2 and similar attestation frameworks fail to capture the software supply chain conditions that cause correlated failures across institutions sharing upstream dependencies. Includes a ten-jurisdiction regulatory survey and introduces the Concentration Risk Index (CRI) as a measurable indicator of systemic exposure.
Targeting Journal of Operational Risk, 2026