Download white paper: How to Improve Third-Party Risk Management Using Statistical Models

Third-party risk may account for as much as half of an organization’s operational risk, yet Third-Party Risk Management (TPRM) is typically not resourced at the level of non-third-party risks. We believe TPRM is under-resourced because the true magnitude of this risk is not well understood.

In this white paper, we describe current practice for TPRM and how it can be improved by using statistical models to incorporate cumulative risk, that is, the risk from the sheer number of vendors. These improvements will not only increase the effectiveness of TPRM programs at reducing risk, but also quantify this risk in terms that corporate leadership can act upon. This will justify an increase in resources commensurate with this very significant risk.


David Hann is the director of the UK-based DHann Consulting, which partners with organisations to tackle diverse and complex challenges, from transforming processes and implementing systems to assessing risk and helping drive organisational change.


David has over twenty-six years of experience in risk, audit, and consulting within the UK and overseas. His experience is founded on a 12-year career focused on Technology Risk at PwC (UK), Deloitte (Australia), and KPMG (Australia), followed by 7 years at Lloyds Banking Group (UK), where he held several ‘Head of Audit’ roles including Retail Banking Technology, Digital Banking and Telephone Banking. David’s focus then moved to third-party risk and regulatory compliance. As a regional product director at IHS Markit, he helped to successfully launch one of the world’s first third-party risk management due diligence utilities. He subsequently went on to assist clients in implementing solutions to manage their third-party and outsourcing regulatory obligations.


His most recent consulting successes include managing Third-Party Risk programmes, including delivering a global Cyber Security transformation, and implementing a global Third-Party Risk framework. Projects have also included managing part of a multimillion-pound post-merger integration programme in financial services and internal audit assessments at leading digital banks in the UK.


David holds a degree in Physics from the University of Southampton. David can be contacted at

About the Authors

Thomas Lee, Ph.D., is the CEO of the Silicon Valley-based VivoSecurity, a company focused on data collection, regression modeling and AI to quantify cyber security risk.


Thomas's engagements include speaking at the Richmond Fed research conference 2018, invited participation in the Richmond Fed cyber security workshop 2019, invited talks at O.R.X Toronto & Milan 2018, speaking at OpRisk North America 2018, an ACAMS panel in 2019, and PRMIA NYC & BCG 2018. He holds multiple patents for quantifying cyber security risk.


Thomas holds degrees in Physics and Electrical Engineering from the University of Washington in Seattle, and an MS and PhD in Biophysics from the University of Chicago.
