If your board is still relying on quarterly reports to understand risk, you are already too late. At one of the financial Institutions I consulted, the board confidently signed off on a clean internal audit report only to wake up to a ransomware attack that shut down operations for three days. The audit committee chair later confessed to Mr Strategy, “We asked all the wrong questions. We trusted compliance reports instead of interrogating risk intelligence.” That is the new reality of risk in the digital age: fast, silent, and often invisible—until it is too late. Today, governance without digital risk literacy…

A chair of a national commission once told me, “Our board is fine, we trust each other.” Six months later, three directors were under investigation, two strategic projects had stalled, and the CEO stopped attending meetings. The Company Secretary called again, not for strategy support, but for crisis recovery. Most board failures do not begin with fraud or scandal. They begin with blind spots, unchecked assumptions, unchallenged behaviours, and unmeasured effectiveness. The boardroom is the cockpit of your institution. If you never check the instruments, do not be shocked when the organisation crashes. The truth is simple: Boards that are…

Unlike other types of crime, the majority of cybercrime incidents in Uganda and the East African Community go unreported, primarily due to the affected entities’ efforts to protect their reputations. Often, victims are financial institutions entrusted with safeguarding customer deposits. They are obliged to keep customer data safe. In 2022 and 2023, the reported annual costs of cybercrime, according to the Uganda Annual Police Report, were UGX 19,193,008,000 and UGX 1,165,850,696, respectively (see Figure 16). Figure 16: Cost of cybercrime in Uganda, Source: Annual reports of Uganda Police Force.  Over the years from 2016, the annual cost of cybercrime in…

In an age where one wrong decision can erode years of progress, Key Risk Indicators (KRIs) have become a powerful governance tool. Yet, most KRI dashboards in organizations today are incomplete, outdated, or too focused on technical metrics that fail to drive meaningful boardroom conversations. At Summit Consulting Limited, we believe the purpose of a KRI dashboard is not just to tick compliance boxes, but to connect risk directly to strategy and decision-making. That’s why we developed a Board-Calibrated KRI Register, a practical table designed to help leadership teams see risks clearly, act early, and lead with confidence. It is…

Boards do not hate auditors, but what they truly hate are surprises disguised as reports, issues that surface long after decisions have been made, risks have matured, and opportunities have been lost. In many organizations, audits are still perceived as backward-looking exercises focused on profiling compliance failures and pointing out what went wrong. This perception reduces the internal audit function to a reactive watchdog instead of positioning it as a strategic ally. To change this, audits must evolve. They must shift from merely highlighting historical gaps to providing forward-looking insights. Boards want to know not just what went wrong yesterday,…

As East Africa rapidly embraces digital transformation, the region is increasingly becoming a target for sophisticated cybercriminal networks. In particular, Uganda, Kenya, Tanzania, and Rwanda face growing cyber threats as businesses, government agencies, and service providers expand their digital footprints. This surge in digital adoption, while fueling innovation and economic growth, also expands the attack surface, exposing critical systems, applications, and data to serious risks. Cybersecurity is no longer a luxury; it is a strategic imperative. The cyber threat landscape in Uganda and the broader East African region is intensifying. Businesses are relying more on digital platforms to serve customers…