Independent research on third-party risk, software supply chain security, and operational resilience in financial services.
Peer-reviewed research, industry briefings, and diagnostic frameworks that make invisible dependencies visible to the institutions that carry them.
An executive briefing on the major technology incidents from 2020-2026 that propagated through technical dependencies rather than traditional vendor failures. Identifies three emerging risk dimensions and traces the regulatory lag pattern that follows every dependency-level incident.
A 104-page working paper reframing third-party risk around three categories - supply chain, software delivery, and cloud concentration - that propagate through technical dependencies rather than the legal entities existing frameworks stop at.
Three programs, one through-line.
Financial institutions carry risk through dependencies they cannot see and cannot directly govern. Provenance Risk Research is organizing three programs to change that.
Research
Peer-reviewable working papers documenting where current TPRM and attestation frameworks miss the dependency-level risk they purport to cover. The Collective Fragility Paradox is published as Working Paper No. 1; Paper 2 targets the Journal of Operational Risk in 2026.
Industry Briefings
Executive-friendly briefings on the systemic technology dependencies and incidents shaping financial services third-party risk. The inaugural State of Third-Party Technology Risk: 2026 Edition is published; the briefing recurs annually.
Diagnostic Frameworks
Practitioner-facing diagnostic question methodologies and analytical tools that translate the research into assessments third-party risk teams, auditors, and regulators can apply directly to their own environments.
Targets the Journal of Operational Risk, 2026. Uses a diagnostic-question methodology to reveal gaps in SOC 2 and similar attestation frameworks for the software supply chain conditions that cause correlated failures. Includes a ten-jurisdiction regulatory survey and introduces the Concentration Risk Index.