Governance-first third-party risk advisory for regulated institutions and federal agencies
We help organizations design and implement third-party risk management programs that survive scrutiny — because they were built by someone who has operated one at scale in regulated financial services and understands the frameworks federal agencies require.
Third-party risk governance is no longer optional
Financial regulators expect mature vendor oversight programs. Federal agencies face EO 14028 and NIST SP 800-161r1 mandates. CMMC Phase 2 is raising the bar for defense contractors. Across every regulated sector, organizations are discovering that compliance frameworks alone do not create operational resilience.
Most organizations need more than a checklist. They need someone who has built and operated a risk program at scale — who understands the difference between a policy that satisfies an auditor and a control that actually reduces risk.
Advisory Services
Practical, governance-first advisory built on 14 years of operational experience in regulated environments.
C-SCRM Program Design
Helping agencies implement NIST SP 800-161r1 compliant supply chain risk programs. From policy frameworks to operational controls.
Third-Party Risk Architecture
Vendor tiering, oversight frameworks, lifecycle governance, and board-level reporting. Built on managing 600+ vendor relationships.
CMMC Readiness Advisory
Gap analysis against NIST 800-171 controls, remediation planning, and assessment preparation for defense contractors.
Risk Governance Training
Curriculum development and delivery for agency staff on C-SCRM, vendor risk, and compliance frameworks.
Fractional Chief Third-Party Risk Officer
Senior TPRM leadership on a retained basis - program oversight, examination readiness, and board-level reporting without the overhead of a full-time executive hire.
Looking for a focused starting point? See our targeted engagements - scoped projects that deliver results in 1-4 weeks.
Start a Conversation
Whether you are strengthening vendor oversight for regulatory exams, evaluating C-SCRM requirements, or building a third-party risk program from scratch, we are here to help.