# CDO Briefing Pack: Q2 2026 Leadership Offsite

Prepared for: Daniel O'Reilly, Chief Digital Officer
Offsite: Karachi, 14-15 April 2026
Classification: Confidential — Leadership Only
Date prepared: 4 April 2026

## Purpose
This pack gives you concrete data and positions for each offsite session. Not talking points. Evidence. The offsite principles say "speak with clarity and intent" and "challenge ideas, not people." This pack arms you with facts that make vague claims impossible.
## Day 1: April 14th

### Session: Simpaisa Status Quo (09:30-11:15)
Your position: We have a $1B+ platform running on the foundations of a startup.
The architectural review (completed April 2026) assessed two critical dimensions:
Security Posture: 4 out of 10 (Critical)
| Area | Score | What it means |
|---|---|---|
| Webhook Security | 2/10 | Merchants cannot verify our callbacks are genuine |
| Rate Limiting | 2/10 | No defence against brute-force or DDoS |
| Secret Rotation | 2/10 | Credentials do not rotate |
| Data Protection (PII) | 3/10 | Customer phone numbers and account details stored in plain text |
| Authentication | 4/10 | Pay-Ins has no request signing — anyone with a merchantId can forge transactions |
Six critical findings require immediate remediation. The most severe: Pay-Ins (our highest-volume product) has no request signing. A third party knowing a merchantId can forge transaction requests against the platform processing $1B+ annually.
Data Maturity: 1 out of 5 (Initial/Ad Hoc)
Every dimension scores 1/5. Highlights:
- Single shared MySQL database for all four product lines. A schema migration in Pay-Ins can cause a full platform outage.
- PII stored in plain text without column-level encryption across all six jurisdictions.
- No data retention policy. Records accumulate indefinitely.
- No documented compliance mapping for any of the six regulators.
Key message for this session: These are not opinions. These are assessed findings from an architectural review of the production systems. The gap between our transaction volume ($1B+, 270M+ transactions) and our infrastructure maturity (1/5 data, 4/10 security) is the core risk to everything else in the strategy.
### Session: Why We Are Losing Traction (11:30-13:00)
Your position: Three root causes, all structural.
Root Cause 1: Knowledge is scattered and undiscoverable. I joined as CDO and could not get a list of systems, repositories, or where company knowledge lives. If the most senior digital leader cannot find information, nobody can. Decisions get made that contradict existing standards because the standards are buried in Confluence pages nobody reads, Slack threads that scroll away, and repos with no search.
We have now documented 214 standards, ADRs, schemas, threat models, and workflows in a canonical Architecture repo. But documentation without discoverability is a filing cabinet. We are building Maerifa to make this searchable across all sources.
Root Cause 2: No execution framework connects strategy to delivery. The 2026 strategy defines five strategic goals and six foundational supports. But there is no documented framework for how initiatives are prioritised, tracked, reviewed, and closed. "Institutionalise execution" is Strategic Goal 2, but the execution framework itself does not exist yet.
Root Cause 3: Security and data architecture debt is compounding. Every new market, every new product, every new partner integration inherits the same single-database, no-encryption, no-signing architecture. The debt is not linear. It compounds. A platform processing 270M transactions with 4/10 security is not a technical problem. It is a business risk.
Expected output from this session: List of 6-8 root causes. Ensure these three are on the list. They are structural, not symptomatic.
### Session: Strategic Direction — How We Win (14:00-15:15)
Your position: Horizon 1 first. No shortcuts.
The strategy correctly identifies Horizon 1 (Strengthen the Core) as the priority. The architectural review confirms this is not optional. You cannot scale (Horizon 2) on a platform with 4/10 security and 1/5 data maturity. Every new market inherits the debt.
Concrete Horizon 1 priorities from the CDO division:
1. Security remediation — address the 6 critical findings (request signing, webhook HMAC, rate limiting, OTP window, credential rotation, PII encryption)
2. Database decomposition — separate the single MySQL instance into per-service databases (Pay-Ins, Pay-Outs, Remittances, Cards, Platform)
3. Knowledge infrastructure — Maerifa deployed, all standards searchable and citable
4. Observability — end-to-end transaction tracing with SLOs per service
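Added illustration of what the request-signing and webhook-HMAC items in priority 1 close, written for this pack and not taken from the review or the Simpaisa codebase: a per-merchant HMAC over merchantId, timestamp and body, where a request that carries only a merchantId (the Pay-Ins finding above) is rejected. The header names, the in-memory secret store and the 300-second replay window are assumptions; the same pair of functions covers the platform signing webhook callbacks for merchants to verify.

```python
import hashlib
import hmac
import time

# Constructed per-merchant secret store (assumption). In production this is a
# secrets manager with rotation, which also addresses the Secret Rotation finding.
MERCHANT_SECRETS = {"MERCHANT-001": b"constructed-demo-secret-not-for-use"}
MAX_SKEW_SECONDS = 300  # replay window (assumption)

def canonical_string(merchant_id, timestamp, body):
    # The MAC covers merchantId, timestamp and the exact body bytes together.
    return b"\n".join([merchant_id.encode(), str(timestamp).encode(), body])

def sign_request(merchant_id, body, timestamp=None):
    """Sender side: a merchant signing a Pay-Ins request, or the platform
    signing a webhook callback. Returns the headers to attach."""
    ts = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(MERCHANT_SECRETS[merchant_id],
                   canonical_string(merchant_id, ts, body), hashlib.sha256).hexdigest()
    return {"X-Merchant-Id": merchant_id, "X-Timestamp": str(ts), "X-Signature": mac}

def verify_request(headers, body, now=None):
    """Receiver side. Returns (ok, reason); reject before parsing the payload."""
    merchant_id = headers.get("X-Merchant-Id", "")
    secret = MERCHANT_SECRETS.get(merchant_id)
    if secret is None:
        return False, "unknown merchant"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(merchant_id, ts, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the MAC.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample Pay-Ins body (keys sorted so both sides hash the same bytes).
    body = b'{"amount":"1000.00","currency":"PKR","merchantId":"MERCHANT-001"}'
    signed = sign_request("MERCHANT-001", body)
    print(verify_request(signed, body))                              # (True, 'ok')
    # The finding: knowing the merchantId alone no longer gets a request accepted.
    print(verify_request({"X-Merchant-Id": "MERCHANT-001"}, body))
    print(verify_request(signed, body.replace(b"1000.00", b"9000.00")))
```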
Horizon 2 (Scale with Discipline) is dependent on Horizon 1 completion. Entering new markets with the current security posture creates regulatory risk in every new jurisdiction.
### Session: Strategic Prioritisation (15:30-17:30)
Your position: Here are the trade-offs you need to make.
The strategy proposes five strategic goals. The offsite must force-rank them. Here is the CDO view on prioritisation:
| Priority | Goal | Rationale |
|---|---|---|
| 1 | SG1: Operational Excellence | Platform stability is non-negotiable. A security incident affecting $1B+ in transaction flow is existential. |
| 2 | SG3: Financial Discipline | Settlement, reconciliation, and liquidity controls must be system-driven, not experience-dependent. Manual processes do not scale. |
| 3 | SG2: Execution Management | The execution framework is the meta-capability that makes all other goals achievable. Without it, initiatives stall. |
| 4 | SG4: Market Expansion | Only after Horizon 1 foundations are in place. Each new market multiplies the existing debt. |
| 5 | SG5: Revenue Diversification | Revenue growth on a 4/10 security platform is borrowing against future risk. |
Trade-off to surface: Speed of market expansion (SG4) vs depth of platform remediation (SG1). Every month of delay on security remediation is a month of operating a $1B+ platform with known critical vulnerabilities. But every month of delay on expansion is revenue the business cannot capture.
Recommended framing: SG1 and SG4 are not sequential. Security remediation and market expansion can run in parallel if — and only if — new market entries use the new architecture (KrakenD gateway, HMAC signing, per-service databases) rather than extending the legacy platform.
## Day 2: April 15th

### Session: Organisational Clarity (09:15-11:00)
Your position: Every system needs a named owner.
The system catalogue for the Maerifa project revealed that every major system has "owner: TBD." Pay-Ins, Pay-Outs, Remittances, Cards, Merchant Portal, Platform Services — six systems, zero named owners.
Ownership means:
- Who is accountable for uptime and SLOs?
- Who approves schema changes?
- Who responds to security incidents?
- Who owns the roadmap?
Ask from this session: Leave with a named owner (person, not team) for each of the six systems. These names go into the system catalogue and become the authority Maerifa references.
### Session: Operating Model & Interaction (11:15-12:45)
Your position: Cross-functional collaboration requires shared knowledge.
The current model: decisions happen in Slack threads, tribal knowledge lives in people's heads, and standards exist but nobody can find them. Cross-functional collaboration fails when teams cannot discover what other teams have already decided.
Maerifa directly addresses this. When Product asks "what's the API contract for Pay-Outs?", the answer is a cited query, not a Slack DM to an engineer in Pakistan who has been there longest. When Compliance asks "what are our data localisation obligations in Iraq?", the answer comes from the indexed Cross-Border Compliance Framework with citations, not a "let me check and get back to you."
### Session: Execution Framework (13:45-15:15)
Your position: Propose the framework.
The strategy identifies this as a foundational support but does not define it. The offsite expects to leave with an "agreed execution model, cadence, and decision on PMO ownership."
Proposed framework elements from the CDO division:
- Initiative lifecycle: Intake → Prioritise → Plan → Execute → Review → Close
- Cadence: Fortnightly initiative review (leadership), weekly execution standup (teams)
- Tracking: Each initiative has a named owner, success criteria, deadline, and status (not started / in progress / blocked / complete)
- PMO: Lightweight. Tracks status and surfaces blockers. Does not manage delivery.
- Knowledge capture: Every completed initiative produces documented standards/ADRs in the Architecture repo. Maerifa indexes them automatically.
- Non-negotiable: "In progress" has a time limit. Initiatives open longer than one quarter without a status update are escalated or closed.
The CDO division's contribution: We will document this as STD-GOV-135 (Execution Framework Standard) once the offsite agrees on the model. The standard becomes part of the Architecture repo and is immediately searchable via Maerifa.
### Session: Governance & Accountability (15:30-17:00)
Your position: Governance must be documented and discoverable.
The Architecture repo already contains governance standards:
- Architecture Review Board Charter (STD-GOV-124)
- ADR Lifecycle Standard (STD-GOV-133)
- Technical Debt Management (STD-GOV-125)
- Build vs Buy Decision Framework (STD-GOV-128)

What is missing:
- An overarching governance structure that connects these pieces
- Escalation rules (who decides when teams disagree?)
- Review cadence (how often are decisions revisited?)
- Accountability mechanisms (what happens when standards are not followed?)
Ask from this session: Decision on governance structure. CDO division will document it as a standard. Maerifa makes it queryable from day one.
### Session: Leadership Alignment (15:30-17:00)
Non-negotiable behaviours from the CDO perspective:
- Decisions are documented. If a decision is not in writing (ADR, Confluence, standard), it does not exist. Verbal agreements are not enforceable across six markets and six time zones.
- Standards are followed, not optional. A standard that is routinely ignored is worse than no standard — it creates false confidence.
- Security findings are not backlog items. Critical security findings (4 items at Critical severity) have SLAs, not priorities. They are not competing with features for sprint capacity.
## Appendix: What the CDO Division Has Built (Q1 2026)
| Deliverable | Status | Impact |
|---|---|---|
| Architecture repo (214 documents) | Complete | Canonical source of truth for all technical standards |
| Security Architecture assessment | Complete | 4/10 posture documented with 6 critical findings and remediation roadmap |
| Data Architecture assessment | Complete | 1/5 maturity documented with target state and migration roadmap |
| 90+ ADRs | Complete | Every major architectural decision documented |
| 4 OpenAPI specifications | Complete | Pay-In, Pay-Out, Remittance, Cards APIs specified |
| 5 threat models | Complete | Per-system security threat analysis |
| 6 SurrealDB schemas | Complete | Target-state database schemas per service |
| 4 Temporal workflow definitions | Complete | AML/KYC, disbursement, FX quote, webhook delivery |
| Maerifa | Built, pending deployment | Temporal knowledge graph across all knowledge sources |
| Strategy alignment analysis | Complete | Maps Maerifa and architecture work against 2026 strategy |
Total architecture artefacts: 214 documents, 195 issues tracked and completed.
## One-Page Summary for the Room
If you need one slide or one statement:
Simpaisa processes $1B+ annually on a platform with 4/10 security and 1/5 data maturity. We have now documented 214 standards defining the target state. The gap between where we are and where we need to be is clear, assessed, and actionable. The question for this offsite is not "what should we do" — it is "in what order, with what resources, and who owns each piece."