Risk Management at PridePoint Bank

Caselet #1: IT Risk Identification
Dr. Charles DeSassure, Associate Professor of Computer Science
University of the Cumberlands
Summer 2018
Instructions: Review the content of the case project and thoroughly answer each question. All answers are within this case project. Use the template on the web site. After answering each question, convert your template into a PDF file for grading. You will lose 10 points if your file is NOT in PDF file format.
Assessment: 16.7 points for each question.
▪ Risk management refers to the co-ordinated activities taken by
an enterprise to direct and control activities pertaining to risk.
▪ Risk management is an active process, not simply a form of
elaborate observation.
o ‘Control’, when used as a verb in the context of risk
management, is often used as a synonym for ‘measure’.
o However, the results of measurement must be used as the
basis for directing actions and activities.
▪ Comprehensive risk management includes four steps:
1. Identification
2. Assessment
3. Mitigation (response)
4. Ongoing monitoring and reporting
▪ The core objective of every enterprise is value creation.
o In for-profit enterprises, ‘value’ is linked to profit, but non-profit and public enterprises also seek to create value.
▪ Risk is commonly defined as the combination of the probability of
an event and its consequence.
o Consequences may be positive or negative.
o When the consequence of an event is positive, risk refers to a
missed opportunity to add value.
o When the consequence is negative, risk refers to the loss of
value (as opposed to its preservation).
▪ Being able to manage risk—and thereby to both seize
opportunities to grow value and avoid scenarios that destroy
value—directly benefits the core objective.
▪ Information technology (IT) risk always exists in every enterprise,
whether it is recognised or not.
▪ An enterprise that lacks a formalised approach to risk management may successfully identify some risk before it results in missed opportunities or lost value, but:
o The key drivers of controlling risk in such circumstances are
individual experience and luck.
o Warning signs may be missed by less experienced staff.
o Employee turnover has an unpredictable effect on risk
management within the enterprise.
▪ With a formalised approach, risk management grows
progressively more effective over time through institutional
knowledge and distributed experience.
▪ Company Profile – PridePoint Bank
▪ Background Information
▪ Your Role
▪ Situation Briefings
▪ Your Tasks
▪ Discussion Questions
Profile of PridePoint Bank
▪ Mid-sized, privately-held regional bank
▪ Created from a merger one year ago between two smaller banks operating in adjacent regions
▪ 2,700 employees and an additional 1,200 contractors
Background: Overview
▪ PridePoint is the dominant bank across three states with 85
branch locations.
o Customers include both individual consumers and
regionally established businesses.
o Largest business customers average revenues in
excess of $50 million per year.
▪ PridePoint offers cash-rewards credit cards using the Visa
and MasterCard networks.
▪ Most account holders began their relationship with the bank
prior to the merger and have been assured that there will
not be any sudden changes.
Background: Financials
▪ PridePoint’s financial profile is generally typical of a mid-sized bank.
o Total assets of $3.3 billion
o Non-interest income is 18.4% of total revenue
o 80.3% loan-to-deposit ratio
▪ One exception is its relatively high percentage of non-performing loans, which stands at 6.97%.
▪ PridePoint was created through the 2013 FDIC-assisted
takeover by OnPoint Bank of struggling Prideful Bank,
which was weakened by the 2008 financial crisis.
▪ The high rate of non-performing loans is a legacy cost
inherited as a result of the merger.
Background: Organisational Structure
▪ PridePoint has a five-person board of directors which the
chief executive officer (CEO) heads as executive chairman.
▪ The CEO has three direct reports:
o Chief financial officer (CFO)
o Chief operating officer (COO)
o Senior vice president (SVP) of Administration
▪ Technology Operations and Information Security report to
the COO through the chief information officer (CIO).
▪ Facilities and Physical Security report to the SVP,
Administration through Human Resources.
▪ Procurement oversees contractors and reports to the CFO.
▪ Operational Risk and Internal Audit report to the CFO.
[Organisational chart: Operational Risk, Internal Audit, Technology Infrastructure, Network Operations, Disaster Recovery, Information Security, Consumer Banking, Commercial Banking, SVP Administration, Physical Security, Legal Compliance]
Background: Operations
▪ The board of directors has established the goal of taking
PridePoint public next year.
▪ To meet this goal, the CEO aims to increase profitability.
▪ Increasing revenues is the responsibility of the COO, who
oversees both consumer and commercial operations.
o He sees the greatest potential for new revenues in
branch-based consumer operations.
▪ The CFO is charged with financing operations, controlling
risk, and reducing cost.
o Employee benefits are PridePoint’s fastest-growing cost.
o Facility maintenance costs are also increasing rapidly.
▪ The CIO is responsible for guaranteeing the continuity of
technology on which operations rely.
Background: Competition
▪ Prior to the merger, OnPoint Bank was the second-largest
bank in the region with 56 branches, while Prideful was the
fourth largest with 29 branches.
▪ Miners Bank, formerly the largest bank in the region, is
PridePoint’s largest competitor:
o 62 branches
o Total assets of $2.9 billion
▪ Miners Bank is aggressively pursuing new consumer bank
deposits, the same target market as PridePoint.
▪ There is one other regional bank that is primarily focused on
commercial accounts.
▪ Ten smaller banks and credit unions operate in the area.
Background: Business Goals
▪ The top business goal is to increase profitability in anticipation
of an initial public offering (IPO) next year.
▪ The strategy for meeting this goal is to:
o Increase non-interest bearing deposits; and
o Reduce operating costs.
▪ PridePoint has so far retained most of its pre-merger
customers, and their continued retention is considered
essential to the business strategy.
Your Role
▪ Five years in information technology with an exceptional track record.
▪ Hired last week from a non-financial services company; new to banking.
Subordinate Groups:
▪ Network Operations
▪ Disaster Recovery
Peer Group:
▪ Information Security
▪ As Director of Technology Infrastructure, you:
o Make sure that the network and systems work well
o Get anything that stops working well back to working well as soon as possible
▪ You report to the CIO, who reports to the COO.
▪ Your peer, the Director of Information Security, is
responsible for perimeter monitoring and
▪ The CIO and your two direct reports previously
worked together at OnPoint Bank.
▪ The Director of Information Security worked for
Prideful Bank prior to the merger.
Situation: Network Operations
▪ PridePoint presents a seamless new web interface to customers; however, behind the
scenes, both pre-merger networks are still operating:
o The Prideful data centre is connected to the primary OnPoint data centre by high-speed fibre.
o Public network traffic is directed through OnPoint perimeter security suites and
routed to the Prideful sub-network where appropriate.
o Certain applications used by both pre-merger banks exist in distinct instances on
each network, with their own support teams.
o Customer-service positions have been consolidated, and user accounts from
either network may be used to log onto the other network through a trust
o Administrator accounts are limited to the scope of their specific networks (no
▪ The Prideful sub-network is based on a virtual-server architecture, while the OnPoint
network uses physical servers for all major applications.
Situation: Disaster Recovery
▪ The Prideful sub-network:
o Can overcome hardware losses within its data centre through movement of virtual
servers to new physical platforms.
o Has capacity for continuity and recovery available at a leased facility 75 miles
away, administered by a contractor that provides most staff at the Prideful data
▪ The Prideful disaster recovery plan (DRP) requires:
1. Recovery of virtual servers from backup media
2. Recovery of data from backup media
3. Establishment of a link back to the OnPoint data centre via virtual private network
▪ Full operating capacity should be available no more than 12 hours after activation of
the DRP.
▪ Third-party contractors at the recovery site are trained to complete the process without
assistance from the Prideful data centre.
Situation: Disaster Recovery (cont.)
▪ The OnPoint sub-network:
o Uses a hot-site dual data centre architecture in which each system has a
redundant counterpart at the secondary data centre, located 20 miles from the
primary site.
o Has high-speed fibre connectivity between the primary and secondary sites.
o Completes automatic failover of systems in no more than 15 minutes.
▪ Redundancy between the two data centres extends to the perimeter suites, so traffic
from the public Internet can reach either data centre.
o In the event of a recovery scenario for the Prideful sub-network, these suites will
be the means by which VPN traffic from the recovery site reaches the main
▪ Continuity operations for the OnPoint sub-network focus on arrangements to relocate
staff from the primary data centre to the secondary site.
▪ There is no out-of-region capacity for the OnPoint sub-network.
Situation: Information Security
▪ Perimeter security suites configured for redundancy with robust capabilities:
o Application-layer firewall (capacity scaled for 30% higher than typical usage)
o Network proxy server for outbound traffic
o Intrusion detection system (IDS) with external logging
o Remote access capability for connectivity with bank branch locations
o Mail gateway with virus detection capabilities
▪ Inside the perimeter, the flow of traffic between the two sub-networks is unrestricted,
and there is no monitoring or logging of internal traffic.
▪ Software firewalls on client systems currently allow all traffic.
▪ Servers are optimised for performance with unnecessary applications removed.
▪ Client antivirus software is maintained by a central management server.
▪ Security awareness training has been cancelled due to staffing cuts.
[Network diagram: The PridePoint Network, showing perimeter suites in front of the primary data centre and the secondary data centre]
Situation: CIO Perspective
▪ PridePoint inherited two complete networks and their associated staff.
o The CIO is under pressure from the CFO to reduce costs.
o The COO has directed the CIO to do whatever it takes to guarantee uninterrupted
access to customer-facing systems.
▪ Guaranteeing this availability is considered the top priority for limited resources, and
projects focused on improving efficiency are judged against this priority.
o Consolidation of user accounts was rejected out of concern that it might lead to
access problems at branch locations.
o The sort of fundamental re-engineering that would be needed to align the two sub-networks is out of the question based on current objectives.
▪ The same dynamic applies to staffing.
o Most application-support positions that existed prior to the merger remain in place.
o In contrast, nearly half of the information security staff has been eliminated.
Discussion Questions
See the Case Project template for questions.