The Bank of America has a legal department that is responsible for the legal risks and legal affairs of the bank as well as its subsidiaries. The department employs highly skilled outside counsel and in-house lawyers who are strongly committed to the bank, in order to ensure cost-effective, timely and responsive service and to uphold high standards of professionalism. Furthermore, the bank is in dispute with watchdogs over federal aid: regulators want the Bank of America to pay substantial amounts of money to insure its losses, but the bank is drawing back, arguing that it ought not to pay anything because it did not use the program (Bank of America, 2009).
This paper examines the probable risks of the Bank of America. In doing so, it considers the following outsourcing situations: the use of Iron Mountain for data storage; the use of enterprise service providers (EDS/HP) for processing information system applications such as sales order taking, payroll, or human resources; the use of a vendor (Dell) to support its desktop computers; and the use of a vendor (AT&T) to provide network support. Moreover, the paper covers a mitigation strategy for each circumstance. The paper then looks at a risk management plan that may restore all facilities, systems, people, businesses and processes. Finally, the paper scrutinizes the changes that ought to be integrated into the bank's risk management plan, and the changes that one recommends for the Information Security Forum's 2007 Standard.
Possible risks to the Bank of America
a) The use of Iron Mountain for data storage
According to the Iron Mountain Annual Report (2007), the Bank of America uses Iron Mountain to provide data backup, records management and information destruction services for its customers. Iron Mountain is a high-security storage facility. The bank runs the risk of misplacing or losing customer data and files, especially tapes that contain private information such as social security numbers and home addresses (Bank of America, 2009). The risk mitigation strategy used in this situation is that the Bank of America has begun to retrofit its unmarked trucks and vans with a new alarm and security system using a chain of custody, so as to minimize the exposure of customer files and data to potential loss. Moreover, it uses real-time tracking capabilities and radio-frequency authentication to help minimize the actual removal or mysterious disappearance of tapes from the vehicles during transit (National Press Photographers' Association, 2007).
b) The use of EDS/HP for processing information system applications such as payroll, human resources, or sales order taking
EDS, now HP, was established by the Bank of America to provide quality systems engineering that is cost-effective for HP operational units. EDS/HP was part of the bank's global network (Liam, 2009). Operating as an extension of the bank, EDS/HP supported employees in meeting the current and prospective requirements of their customers by addressing their business requirements (Tom, 2008). The risk here is that the initial focus of EDS/HP was on consulting engagements and systems integration, but new opportunities have driven growth in outsourced IT applications (such as sales order taking, human resources and payroll) and business processes (Liam, 2009). These new opportunities require global expertise on the part of the bank's employees. The risk mitigation strategy is that the bank should concentrate a wider range of software and hardware expertise in one location. This will enhance delivery effectiveness and reduce the duplication of specialized skills (Yulin and YI, 2006).
c) The use of a vendor to support desktop computers (Dell)
As Ryan (2008) asserts, the bank is proving that eco-friendly operations can coexist with the growth of a business. Through the use of desktop computers (such as Dell), the bank reduced paper use by 32 percent despite the growth in customers. This also helped to minimize the potential risks associated with paperwork. The risk mitigation strategy used in this circumstance was to persuade Dell Computer regarding take-back legislation, which convinced the bank of the growth of eco-friendly business practices. Dell computers are deemed costly and expensive products to dispose of safely. Dell normally permits the Bank of America to return any Dell-branded products to the company. Moreover, the company has established programs that accept printers, computers or monitors for safe disposal, which provides a risk mitigation strategy for this situation (Ryan, 2008).
d) The use of a vendor to provide network support (AT&T)
Cisco and AT&T multi-service optical platforms are used by the Bank of America to provide the required bandwidth and to extend vital applications such as customer care (Cisco Systems, 2009). The Bank of America is the second largest bank in the world, with offices in 150 nations. It operates an internet website used by over 7 million users, about 4,200 US banking centers, and 13,000 ATMs. In order for the bank to sustain these functionalities, its network was comprised of an ATM (Asynchronous Transfer Mode) network infrastructure combined with traditional T3 and T1 circuits, which are provided by a mix of long-distance and local carriers. The risk here is that the AT&T architecture normally experiences problems that include a shortage of bandwidth, dependence on various carriers, and positioning troubles. To that effect, the risk mitigation strategy is that vendors should use AT&T infrastructures for multiple service types, each requiring a separate management and support effort. Moreover, the bank should employ experienced initiatives such as company-wide CRM (customer relationship management), due to limited bandwidth and scalability (Cisco Systems, 2009).
Using AT&T, the bank's vendors implemented a multi-service optical core network that managed 13 major operations using controlled wavelength services. The local offices are tied to the corporate locations and regional computer centers, creating a high-availability, consolidated and high-bandwidth network infrastructure. Consequently, the wide area network can effectively sustain consolidated data, voice and video traffic without running into provisioning obstacles. AT&T provides a multi-service networking capability that can support storage, traditional voice requirements and data. All of these are used to minimize risks (Bank of America Annual Report, 2009).
Mitigation strategy for personnel and facility limitations (eliminating the outsourcing is not proposed in this paper)
The protection and management of the bank's information security is one of the key elements of the outsourcing company. However, given the current situation, even with advanced security management systems and advanced security technology, it is not likely that problems can be prevented from occurring, because of lapses in the integrity of the bank's personnel (Yulin and YI, 2006). The principle of prevention is employed by information relevance management to make sure that the bank's information remains secure during the operation process. Moreover, the management of the bank should follow the AROPI model, which encompasses the following: Analyzing; Resolving; compartmentalized tasks (Out of order); Processing; and Integration to undergo processing. The sequence of the information is broken up to ensure its security. The risk mitigation strategy provided will prevent security lapses due to man-made reasons (such as personnel and facility limitations). During the process of software outsourcing for the bank, the AROPI model will be followed by the distributed development so as to protect the intellectual property rights and the safety of the bank's information. The four outsourced companies are: HP, Dell, Iron Mountain, and the Bank of America (Tom, 2008).
The bank's management structure enables it to control the major aspects through an integrated review and planning process that encompasses risk, strategic, associate and financial planning (Michelle, 2008). Much of its revenue is derived from risk management. The risk is assessed with the goal of restoring all facilities, systems, people, businesses and processes. This will assist the bank in increasing shareholder value, producing sustainable revenue, and reducing earnings volatility (Bank of America, 2009). The Bank of America uses various methods and has developed control processes to align risk management and risk taking throughout the company. An effective management plan used by the bank has been implemented with regard to the "three lines of defense," that is, corporate audit; lines of business; and support units (encompassing legal, risk management, personnel, compliance and finance).
As the Bank of America Annual Report (2009) explains, it is the responsibility of management to identify, quantify, mitigate and manage all risks within their lines of business. For instance, the Corporate Treasury function manages interest rate risks that are linked with the bank's activities. The nature of a risk can be changed by line-of-business management, which makes and executes the business plan. Therefore, the best actions ought to be taken by the bank to manage and mitigate those risks. Self-assessment reports are prepared by the bank's management to identify the status of risk issues, and may include mitigation plans if necessary. These reports assist the bank's executive management in identifying enterprise-wide issues and in ensuring appropriate risk management (Bank of America Annual Report, 2009).
The management policies, processes and structures of the Bank of America help it to provide clear lines of accountability and decision making and to comply with regulations and laws. Nonetheless, the bank attempts to house decision-making authority while retaining administrative control functions both outside of and within the lines of business. Approved business plans are translated by the risk management organization into approved limits. The changes that ought to be integrated into the risk management plan are approved by the risk management organization, which also approves the transactions and works closely with lines of business to monitor and establish risk parameters (Bank of America, 2009).
The Bank of America, as Tom (2008) observes, uses several methods to manage risks at the corporate-wide and line-of-business levels. These methods may include hedging strategies, forecasting and planning, models, risk forums and committees, and limits. Forecasting and planning provide an indication of unexpected risk levels and facilitate the analysis of planned versus actual results. In general, risk forums and committees are comprised of finance, line-of-business and risk management personnel, who monitor performance against plan, the introduction of new products, potential issues and limits. Models are used to estimate both expected and unexpected losses for each line of business and product. Hedging strategies are used to manage portfolio risk, counterparty concentration risk or borrower risk (Michelle, 2008).
The change one can recommend for the Information Security Forum's 2007 Standard is that, apart from the benchmarking program, as Michelle (2008) observes, the Information Security Forum (ISF) should be modified to develop and publish research tools and reports addressing a wider variety of subjects, in order to better govern the Bank of America.
The Bank of America is accountable for the legal risks and legal affairs of the bank as well as its subsidiaries. The potential risks of the bank can arise from a variety of outsourcing situations, which may include: the use of Iron Mountain for data storage; the use of service providers for processing information systems applications; the use of a vendor (Dell) to support desktop computers; and the use of AT&T to provide the network. Each potential risk to the bank has a risk mitigation strategy. In addition, the bank has an effective risk management plan that assists it in restoring all facilities, systems, processes, businesses and people. Therefore, we can recommend that the methodologies used by the Information Security Forum's 2007 Standard should formalize the approaches to information risk assessment.
Bank of America (2009): Outside Counsel Procedures, Legal Department. Accessed on 30th January 2010 from http://www.bankofamerica.com/suppliers/files/legalprocedures.doc
Bank of America Annual Report (2009): Management's Discussion and Analysis - Managing Risks, Financial Review. Accessed on 30th January 2010 from http://www.bankofamerica.com/proj mngt/risk management.htm
Cisco Systems (2009): Managed Multi-service Optical Networking, White Paper. Accessed on 29th January 2010 from http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns398/ns406/net_implementation_white_paper0900aecd800fa597.html
Iron Mountain Annual Report (2007): Accessed on 29th January 2010 from http://184.108.40.206/interactive/irm2007/irm2007.pdf?print_pages=true
Liam H (2009): HP Enterprise Services, Dublin. Accessed on 4th February 2010 from http://h10134.www1.hp.com/contacts/locations/ireland/
Michelle C (2008): Professor Howard Appointed President of the Information Security Forum. Accessed on 30th January 2010 from http://www.webwire.com/ViewPressRel.asp?aId=72186
National Press Photographers' Association (2007): Under Iron Mountain. Accessed on 29th January 2010 from http://www.wilhelm-research.com/nppa/NPPA_Corbis_Preservation.pdf
Ryan G (2008): 25 Big Companies That Are Going Green, Green Business, Environment. Accessed on 30th January 2010 from http://www.bankofamerica.com/proj mngt/dell.htm
Tom J (2008): Security Set to Go Beyond IT Director Control. Accessed on 30th January 2010 from http://www.infoworld.com/news/feeds/08/07/31/Security-set-to-move-beyond-IT-director-control.html (retrieved 2008-11-25)
Yulin D and YI L (2006): Information Management - Strategy Management of Information Security in the Outsourcing Industry. Accessed on 1st February 2010 from http://ieeexplore.ieee.org/