About Provenance Risk Advisory
Operational experience meets governance discipline.
Provenance Risk Advisory LLC was founded by Trevor Kavanaugh, a 14-year veteran of regulated financial services who spent his career building risk programs from the inside out. This is not a firm that learned risk management from a textbook. It is a firm built by someone who has operated under regulatory scrutiny, managed vendor relationships at scale, and understands the difference between a control that looks good on paper and one that actually reduces risk.
Our governance-first philosophy means we design the framework before recommending tools. We build programs that identify their own issues before auditors do. At First Foundation Bank, the TPRM program Trevor built maintained an 80%+ self-identified finding rate, meaning the substantial majority of control gaps were found internally before examiners discovered them. That ratio is the clearest indicator of program maturity, and it is the standard we bring to every engagement.
We work with federal agencies navigating C-SCRM mandates and regulated institutions building or maturing third-party risk programs. Our approach is practical, operationally grounded, and built to survive the scrutiny that matters: not just the audit, but the incident.
Trevor Kavanaugh
Principal Consultant
VP, Third-Party Risk Management
First Foundation Bank (now Sunflower Bank) — a $10B FDIC-regulated institution. Built and managed the enterprise TPRM program covering 600+ vendor relationships with a team of two. Oversaw vendor tiering, due diligence, ongoing monitoring, and board-level reporting.
GARP Financial Risk Symposium Panelist
March 2026 — Joined senior risk leaders from HarbourVest Partners and CLS Bank, moderated by Barclays, to discuss third-party resilience, concentration risk, and evolving TPRM frameworks.
Published Researcher
Published through The Collective Fragility Institute on software dependency concentration risk and SOC 2 attestation gaps. Research that challenges conventional vendor oversight models and maps directly to federal C-SCRM requirements.
14-Year Regulatory Career
Career spanning compliance, BSA/AML, internal audit, fraud investigation, and third-party risk management across FDIC, OCC, and DFPI regulatory environments.
Our Principal's Research
Original research on the systemic risks conventional frameworks miss.
The Collective Fragility Paradox
How entity-focused TPRM frameworks miss dependency-level risk propagation in software supply chains. The case for SBOMs, technical expertise in TPRM, and rethinking how we assess software supply chain risk.
Published
The Attestation Gap
Analysis of gaps in SOC 2 attestation for software supply chain risks. How current attestation standards fail to capture the risks that matter most in modern technology environments.
In Progress
Frameworks & Standards
Deep working knowledge across federal cybersecurity and financial regulatory frameworks.
Work With Us
Interested in discussing your C-SCRM or TPRM requirements? We would welcome the conversation.