top of page

Have you ever wondered what motivates an Internal Auditor? Is it improving a process important for the business through determined investigation? Is it creating a proposal that is first welcomed by the business, approved by the Board, implemented by the organization, and finally recognized by the company as having provided quantifiable benefits?

Third-party risk management (TPRM) can be such a process. Third-parties are an important enabler for the business. However, they also bring risk from data breach. Third-party data breach risk is significant and increases with the number of vendors that can expose a company's data. But most TPRM programs do not measure or directly manage this cumulative-risk despite most regulations and many frameworks requiring it. Ineffective management of cumulative-risk can limit a company's ability to leverage third-parties. Ineffective management of cumulative-risk can also undermine the goals of internal cybersecurity investments and leave a company over-exposed.

We show how Internal Audit can use new statistical models to work with the TPRM team to objectively test that third-party data breach risk is within management’s risk tolerance. We also explain changes Internal Audit can recommend, that allows the TPRM team to manage cumulative-risk if it exceeds management’s risk tolerance or if it is limiting the ability of the business to leverage third-parties.

Download white paper: Assessing the Effectiveness of Third-Party Risk Management using Quantitative Models

A new protocol for Internal Audit to assure that third-party data breach risk is within management's risk-tolerance.

Screenshot 1st page.tiff

Related Material

About the Authors

David Hann is the director of the UK based DHann Consulting which partners with organisations to tackle diverse and complex challenges, from transforming processes and implementing systems, to assessing risk and helping drive organisational change. 


David has over twenty-six years of experience in risk, audit, and consulting within the UK and overseas. His experience is founded on a 12-year career focused on Technology Risk at PwC (UK), Deloitte (Australia), and KPMG (Australia), followed by 7-years at Lloyds Banking Group (UK) where he held several ‘Head of Audit’ roles including Retail Banking Technology, Digital Banking and Telephone Banking. David’s focus moved to concentrate on third-party risk and regulatory compliance. As a regional product director at IHS Markit, he helped to successfully launch one of the world’s first third-party risk management due diligence utilities. He subsequently went on to assist clients in implementing solutions to manage their third-party and outsourcing regulatory obligations. 


His most recent consulting successes include managing Third-Party Risk programmes, including delivering a global Cyber Security transformation, and implementing a global Third-Party Risk framework. Projects have also included managing part of a multimillion-pound post-merger integration programme in financial services and internal audit assessments at leading digital banks in the UK.


David holds a degree in Physics from the University of Southampton. David can be contacted at


Axel Troike provides consulting services at the intersection of compliance, business and IT, with over 20 years of management experience. In recent mandates, Axel has focused on his specialized expertise in conducting assessments of how processing activities and data transfers impact compliance with data protection regulations such as the EU’s GDPR.


Previous experiences include leading roles in developing IT-audit guidelines, performing audits of the structural and process organization in application development as well as implementing measures to mitigate identified risks and to optimize efficiency.


Axel has conducted more than 100 projects in 8 countries advising client enterprises regarding the organizational and conceptual aspects of Data Governance, Data Privacy, Master Data Management, Data Strategy, Data & Process Modeling and related topics. He is also President at Grandite in Quebec (Canada), the supplier of the SILVERRUN Business Architecture Tools.


Axel holds a Master's Degree in Mathematics from Christian-Albrechts-University in Kiel, Germany. Axel can be contacted via Linkedin.

Thomas Lee Ph.D. is the CEO of VivoSecurity, a Silicon Valley based company focused on data collection, regression modeling and A.I. to bring predictability to the randomness of data breach. In cybersecurity, Thomas has developed models to forecast fraud in online banking, forecast data breach costs and probability for lawsuits in the event of a PII data breach. He has developed models to forecast PII data breaches by state and models to forecast the number of data breaches in the healthcare industry and probability of a PII data breach for companies and third-parties. Thomas has been an invited speaker at the Richmond Fed research conference 2018, invited participant at Richmond Fed cyber security workshop 2019, invited speaker at O.R.X Toronto & Milan 2018, speaker at OpRisk North America 2018, ACAMS panelist 2019, PRMIA NYC & BCG 2018, invited speaker at WiCyS Silicon Valley chapter in 2022, and ISACA Silicon Valley chapter in 2022.

Outside of cybersecurity, Thomas has pioneered computational techniques in medicine for refining x-ray diffraction data, noise reduction in electron micrographs using in 2D Fourier filtering, and singular value decomposition applied to electron micrographs to determine molecular packing of hemoglobin molecules in sickle cell anemia. In the industrial controls industry, he has pioneered pattern matching in the Fourier domain for particle size analysis and pattern matching for acoustic range finders.


Thomas has multiple patents and publications in peer reviewed journals and holds BS degrees in Physics and Electrical Engineering from the University of Washington, and an MS and Ph.D. in Biophysics from the University of Chicago. Thomas can be contacted at

bottom of page