
Risk Methodology

| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |

| Document Type | Policy |
| Owner | CISO |
| Classification | Confidential |
| Review Cycle | Annual |

Document #: SP-RM-043 | Version: V1.2 | Issue Date: 05/09/2025


Document Creation

| Field | Details |
|---|---|
| Document # | SP-RM-043 |
| Document Title | Risk Methodology |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 05/09/2025 |
| Document Owner | Chief Information Security Officer |
| Author(s) | Simpaisa |
| Purpose | To ensure that the Risk Methodology is implemented |
| Authorised By | Yassir Pasha |

Steering Committee

| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs — Regulatory |

Change Control

| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |

1. Introduction

This document defines the risk methodology used by Simpaisa to identify, analyse, evaluate, and treat information security risks. The objective is to provide a structured and consistent approach to risk management that supports the protection of Simpaisa's information assets and ensures compliance with applicable laws, regulations and contractual obligations, including ISO 27001 and PCI DSS.

Risk management is an ongoing process. This methodology shall be applied at planned intervals and when significant changes occur within the organisation or its environment.

2. Governing Laws and Regulations

Simpaisa's risk management approach is informed by the following risk categories:

  1. Strategic Risk — Risks arising from adverse business decisions, or failure to implement appropriate business decisions in response to changes in the business environment.

  2. Operational Risk — Risks arising from inadequate or failed internal processes, people and systems, or from external events.

  3. Compliance / Regulatory Risk — Risks arising from failure to comply with laws, regulations, contractual obligations or internal policies.

  4. Financial Risk — Risks arising from financial exposure to loss resulting from information security events.

  5. Reputational Risk — Risks arising from damage to the organisation's reputation resulting from security incidents or non-compliance.

  6. Technology Risk — Risks arising from the failure or misuse of technology systems, infrastructure or data.

  7. Third-Party / Supply Chain Risk — Risks arising from the organisation's reliance on third-party suppliers, service providers or partners.

  8. Physical and Environmental Risk — Risks arising from physical security failures, natural disasters, or environmental hazards.

3. Risk Assessment and Mitigation Process

3.1 Risk Criteria

Before conducting a risk assessment, Simpaisa shall define the criteria against which risks are evaluated:

  • Risk Acceptance Criteria: The level of risk that Simpaisa is prepared to accept. Risks below this threshold may be accepted without further treatment. The risk acceptance threshold is defined by executive management and reviewed annually.

  • Risk Evaluation Criteria: The criteria used to determine whether an identified risk is significant enough to warrant treatment.

3.2 Risk Acceptance Criteria

| Risk Level | Score | Action Required |
|---|---|---|
| Low | 1–4 | Accept — monitor and review annually |
| Medium | 5–9 | Treat — implement controls within 90 days |
| High | 10–16 | Treat — implement controls within 30 days |
| Critical | 17–25 | Treat immediately — escalate to executive management |

3.3 Risk Assessment Process

The risk assessment process follows these steps:

  1. Establish Context

  2. Risk Identification

  3. Risk Analysis

  4. Risk Evaluation

  5. Risk Treatment

  6. Risk Acceptance

  7. Monitoring and Review

Step 1 — Establish Context

Define the scope of the risk assessment, including:

  • The organisational context (internal and external factors)

  • The boundaries of the Information Security Management System (ISMS)

  • The assets, processes and systems in scope

  • The applicable legal, regulatory and contractual requirements

Step 2 — Risk Identification

For each asset in scope, identify potential threats and vulnerabilities:

  • Assets: Identify information assets (hardware, software, data, people, processes, facilities) within scope.

  • Threats: Identify threats that could exploit vulnerabilities (e.g., malware, unauthorised access, natural disaster, human error).

  • Vulnerabilities: Identify weaknesses in systems, processes or controls that could be exploited.

  • Existing Controls: Document existing controls that currently mitigate the identified threats and vulnerabilities.

Step 3 — Risk Analysis

For each identified risk, assess:

Likelihood — The probability that the threat will exploit the vulnerability:

| Likelihood Level | Score | Description |
|---|---|---|
| Rare | 1 | May occur only in exceptional circumstances (less than once in 5 years) |
| Unlikely | 2 | Could occur at some time (once in 2–5 years) |
| Possible | 3 | Might occur at some time (once per year) |
| Likely | 4 | Will probably occur in most circumstances (once per quarter) |
| Almost Certain | 5 | Is expected to occur in most circumstances (monthly or more) |

Impact — The consequence if the risk materialises:

| Impact Level | Score | Description |
|---|---|---|
| Insignificant | 1 | Negligible effect on operations, minimal financial loss |
| Minor | 2 | Minor disruption, low financial loss, limited reputational impact |
| Moderate | 3 | Significant disruption, moderate financial loss, noticeable reputational impact |
| Major | 4 | Serious disruption, high financial loss, significant reputational damage |
| Catastrophic | 5 | Complete operational failure, severe financial loss, critical reputational damage |

Risk Score = Likelihood × Impact

Risk Heat Map

| Likelihood \ Impact | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | 5 | 10 | 15 | 20 | 25 |
| Likely (4) | 4 | 8 | 12 | 16 | 20 |
| Possible (3) | 3 | 6 | 9 | 12 | 15 |
| Unlikely (2) | 2 | 4 | 6 | 8 | 10 |
| Rare (1) | 1 | 2 | 3 | 4 | 5 |

Step 4 — Risk Evaluation

Compare the risk score against the risk acceptance criteria to determine whether the risk requires treatment. Prioritise risks for treatment based on their score, with the highest-scoring risks treated first.

Step 5 — Risk Treatment

For each risk that requires treatment, select one or more of the following treatment options:

  • Avoid — Eliminate the activity or condition that gives rise to the risk.

  • Reduce / Mitigate — Implement controls to reduce the likelihood or impact of the risk.

  • Transfer / Share — Transfer the risk to a third party (e.g., through insurance or contractual arrangements).

  • Accept — Formally accept the risk where treatment is not cost-effective or feasible, subject to management approval.

A Risk Treatment Plan shall be produced for each risk requiring treatment, detailing:

  • The selected treatment option

  • The specific controls to be implemented

  • The responsible owner

  • The target implementation date

  • The residual risk after treatment

Step 6 — Risk Assessment Report

Upon completion of the risk assessment, a formal Risk Assessment Report shall be produced, containing:

  • Executive summary

  • Scope and context

  • Methodology used

  • List of identified risks with scores

  • Risk treatment decisions

  • Residual risks and acceptance decisions

  • Recommendations

The report shall be reviewed and approved by executive management.

Step 7 — Risk Mitigation and Management Approval

  • Risk treatment plans shall be submitted to executive management for approval before implementation.

  • Treatment owners are responsible for implementing controls in accordance with the agreed timelines.

  • Evidence of control implementation shall be retained.

3.4 Monitoring and Review

  • Risks and controls shall be monitored on an ongoing basis to detect changes in the risk environment.

  • A formal risk review shall be conducted at least annually, or following significant changes to the organisation, its systems, or the threat landscape.

  • Risk owners are responsible for reporting any changes to their assigned risks to the CISO.

  • The risk register shall be maintained and kept up to date.

3.5 Roles and Responsibilities (RACI)

| Activity | Executive Management | CISO | Risk Owners | IT/Operations |
|---|---|---|---|---|
| Define risk acceptance criteria | A | R | C | I |
| Conduct risk assessment | I | A | R | C |
| Approve risk treatment plans | A | R | C | I |
| Implement risk treatment controls | I | A | R | R |
| Monitor and review risks | I | A | R | C |
| Report risk status | I | R | C | I |

R = Responsible, A = Accountable, C = Consulted, I = Informed

4. Targeted Risk Analysis Procedure

For specific projects, system changes, or new services, a targeted risk analysis shall be performed:

  1. Define the scope of the targeted analysis.

  2. Identify assets and processes affected by the change.

  3. Identify new or changed threats and vulnerabilities introduced by the change.

  4. Assess the risk using the standard likelihood × impact methodology.

  5. Determine appropriate treatment options.

  6. Obtain management approval for the treatment plan.

  7. Implement controls and document evidence.

Targeted risk analyses shall be completed before any significant change is deployed to the production environment.

5. Review and Update Requirements

This Risk Methodology document shall be reviewed and updated:

  • At least annually as part of the ISMS management review process

  • Following any significant changes to the organisation's risk environment, business processes, or IT infrastructure

  • Following a significant information security incident

  • When required by regulatory or contractual obligations

All revisions shall be subject to the Change Control process and approved by executive management.

6. Conclusion

Simpaisa's risk methodology provides a structured, repeatable framework for managing information security risks. By consistently applying this methodology, Simpaisa can maintain an appropriate level of security, demonstrate compliance with applicable standards and regulations, and protect its information assets, customers, and reputation.

All employees, contractors and third parties operating within the scope of Simpaisa's ISMS are expected to support the risk management process by identifying and reporting risks promptly to their line manager or the CISO.