Last Updated: 22 Oct 2025

Effective Date: 18 September 2023

Issued by: Neobank Capital

Approved by: Chief Risk Officer (CRO) & Chief Information Security Officer (CISO)


1. Purpose

The purpose of this Risk Assessment and Treatment Policy is to establish a structured process for identifying, evaluating, managing, and mitigating risks to Neobank Capital’s operations, systems, and customers.

Objectives:

  1. Protect customer data and financial assets.
  2. Ensure compliance with global regulations, including GDPR, UK GDPR, CCPA, PCI DSS, and fintech-specific standards.
  3. Reduce the likelihood and impact of operational, financial, cybersecurity, and strategic risks.
  4. Support informed decision-making across all business functions.

2. Scope

This policy applies to:

  1. All employees, contractors, vendors, and third-party service providers.
  2. All systems, applications, cloud services, APIs, decentralized infrastructure, and operational processes.
  3. All risk categories, including:
     - Operational: Process failures, human error, system downtime
     - Cybersecurity: Data breaches, hacking, malware, and cryptographic key compromise
     - Financial: Fraud, payment errors, liquidity risks
     - Regulatory & Compliance: Non-compliance with local or international regulations
     - Strategic & Reputational: Business disruption, public perception, customer trust

3. Risk Management Principles

Neobank Capital follows these principles:

  1. Proactive Identification: Continuously detect potential threats to systems, processes, and data.
  2. Risk-Based Decision Making: Prioritize risks based on likelihood and potential impact.
  3. Regulatory Alignment: Ensure all risk treatments meet regulatory and industry standards.
  4. Continuous Monitoring: Maintain ongoing risk evaluation through automated systems, audits, and reporting.
  5. Integration: Align risk management with incident response, BC/DR, security, and compliance programs.

4. Roles and Responsibilities

  1. Chief Risk Officer (CRO): Lead enterprise risk management; approve risk treatment plans.
  2. Chief Information Security Officer (CISO): Identify and mitigate cybersecurity and IT risks.
  3. Data Protection Officer (DPO): Evaluate data privacy risks; ensure GDPR and CCPA compliance.
  4. Department Heads / Managers: Identify operational risks and implement mitigation controls within their areas.
  5. Employees / Contractors: Report observed or suspected risks; comply with risk mitigation measures.
  6. Risk Committee: Review high-level risks, approve treatment strategies, and monitor effectiveness.


5. Risk Assessment Process

5.1 Identification

  1. Identify risks to people, processes, technology, and third-party relationships.
  2. Sources may include internal audits, monitoring tools, incident reports, and regulatory updates.

5.2 Analysis

  1. Determine likelihood (rare, unlikely, possible, likely, almost certain).
  2. Determine impact (insignificant, minor, moderate, major, critical) on:
     - Customers
     - Business operations
     - Financial position
     - Regulatory compliance
  3. Document risk scenarios and affected assets.

5.3 Evaluation

  1. Assign a risk rating (low, medium, high, critical) using a risk matrix.
  2. Prioritize risks for treatment based on impact and probability.

6. Risk Treatment

Neobank Capital applies the following risk treatment strategies:

  1. Avoidance: Eliminate activities or exposures that present unacceptable risk.
  2. Mitigation: Implement controls to reduce likelihood or impact, e.g., encryption, MFA, or process redesign.
  3. Transfer: Shift risk to third parties or insurers where appropriate, e.g., cyber insurance or vendor contracts.
  4. Acceptance: Acknowledge low-level risks and monitor them continuously.

Each treatment plan must include:

  1. Assigned owner
  2. Timeline and deadlines
  3. Required resources
  4. Monitoring and review plan

7. Risk Monitoring and Reporting

  1. Maintain a centralized Risk Register with all identified risks, assessments, and treatments.
  2. Monthly risk reports to the Risk Committee and senior management.
  3. Quarterly reviews of high and critical risks.
  4. Automated alerts for new or escalated risks detected in IT systems or business operations.

8. Third-Party and Vendor Risk

  1. Assess and monitor all third-party vendors for operational, security, and regulatory risk.
  2. Include risk mitigation and compliance requirements in contracts and SLAs.
  3. Conduct periodic audits and reviews of high-risk vendors.

9. Risk Documentation

Each risk assessment must include:

  1. Risk description and source
  2. Likelihood and impact evaluation
  3. Risk rating and category
  4. Assigned owner
  5. Risk treatment plan and status
  6. Monitoring and review notes

All records are retained for a minimum of 5 years, or longer if required by law.


10. Training and Awareness

  1. Annual training on risk identification, reporting, and mitigation for all employees and contractors.
  2. Scenario-based exercises to reinforce understanding of cyber, operational, and financial risks.
  3. Specialized training for Risk Committee members, IT staff, and department heads.

11. Policy Review

  1. Reviewed annually or after any significant incident, regulatory change, or operational shift.
  2. Updates require approval by CRO, CISO, DPO, and Risk Committee.

12. Contact Information

Chief Risk Officer (CRO)

📧 risk@neobank.capital

Chief Information Security Officer (CISO)

📧 security@neobank.capital

Data Protection Officer (DPO)

📧 privacy@neobank.capital

...