The early morning storm. On 12th September 2023, a sudden downpour turned Kampala Road into a river. While taxi drivers cursed and boda riders fought for shelter, a quiet disaster unfolded in the basement of a city-centre insurance company. Their server room, yes, underground, beside a drainage pipe, flooded within minutes. By morning, customer policies, claims data, and even payroll files were inaccessible. Staff resorted to WhatsApp groups to track client requests.
By the third day, their competitors were advertising on the radio: “Bring your policy here, we process in 24 hours.” The once-confident insurer was left begging clients for patience. The flood was not the real disaster. The real disaster was that the organisation was fragile. Imagine: the entity that sells “peace of mind” becomes the one in unrest at its core!
When investigators are called in, the question is not just what happened, but why. In this case, the findings were: “This company was vulnerable long before the rain came. The storm only exposed it.”
Why organisations stay fragile
Fragility is not caused by disasters. It is caused by denial. In Uganda, executives cling to optimism like a lucky charm. They assume:
“That cannot happen to us.”
“We have insurance.”
“Our IT guy knows what to do.”
But risk does not respect hierarchy or hope. Fragility thrives in cultures where bad news is buried, where internal audit reports are filed instead of acted upon, and where management believes resilience is an IT project, not a governance mandate.
The anatomy of vulnerability
Our investigation found three pressure points that doomed the insurance company.
- Single point of failure. All systems ran on one server in the basement. No redundancy. No cloud backup.
- Paper illusion. Business continuity plans existed, but in files, not in practice. Staff had never done a single simulation drill.
- Leadership blind spots. The board saw “risk” as a compliance checklist, not as a weapon of survival.
When you run an organisation this way, you are not managing risk. You are praying.
From vulnerability to vigilance
The difference between the collapsed insurer and its competitors is simple. Resilience is built before the crisis, not during it. A risk-resilient organisation does not wait for the rain to test its roof. It assumes storms will come, insiders will betray, and systems will fail. And then it builds structures to bend but not break.
Summit Consulting framed the rescue plan under three pillars:
- Identify critical risks, not just obvious ones: floods, cyber-attacks, power outages, insider fraud, supply chain choke points.
- Build buffers: backup servers, liquidity cushions, and cross-trained staff.
- Drill crisis responses, empower staff to act fast, and learn from every incident.
The insider betrayal
During our wider review, we uncovered a secondary scandal. While systems were down, Suspect 1, a finance officer, initiated manual claims payouts. Since controls were “relaxed due to crisis,” he colluded with Suspect 2, a junior IT support officer, to insert ghost claimants. Funds were sent to mobile money wallets registered under street vendors in Nakawa, Ntinda, Wandegeya and Kisaasi. Within three weeks, UGX 780 million vanished.
Resilience is not only about floods. It is about human opportunism. When controls are weakened, insiders strike.
How the fraud was cracked
Here is how we conducted our forensic trail:
- Extracted mobile money statements linked to claims.
- Found patterns: three different “claimants” withdrawing at the same kiosk daily.
- Cross-referenced with CCTV footage. Same boda rider, three SIM cards.
- Interviewed IT staff. One panicked and confessed.
The board was stunned; the crisis had multiplied because fragility created gaps for exploitation.
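The kiosk pattern from the forensic trail can be checked automatically over payout statements. The sketch below is an added example, not the investigators' own tooling; the kiosk and wallet identifiers, the thresholds and the sample records are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data: (withdrawal date, kiosk id, payout wallet, amount in UGX).
DAYS = [date(2023, 9, 18), date(2023, 9, 19), date(2023, 9, 20)]
WITHDRAWALS = (
    # Same three "claimant" wallets cash out together at one kiosk every day.
    [(d, "KIOSK-A", w, 1_500_000) for d in DAYS for w in ("W-101", "W-102", "W-103")]
    # Busy kiosk, but every claimant is a one-off: normal payout traffic.
    + [(d, "KIOSK-B", f"W-2{i}{j}", 900_000) for i, d in enumerate(DAYS) for j in range(3)]
    # One repeat wallet alone is not a cluster.
    + [(d, "KIOSK-C", "W-301", 400_000) for d in DAYS]
    + [(DAYS[0], "KIOSK-C", "W-302", 700_000), (DAYS[0], "KIOSK-C", "W-303", 650_000)]
)


def flag_shared_kiosks(withdrawals, min_wallets=3, min_days=3):
    """Flag kiosks where at least `min_wallets` distinct payout wallets cash out
    together on at least `min_days` separate days (thresholds are assumptions)."""
    by_day = defaultdict(lambda: defaultdict(set))  # kiosk -> day -> wallets seen
    paid = defaultdict(Counter)                     # kiosk -> wallet -> UGX withdrawn
    for day, kiosk, wallet, amount in withdrawals:
        by_day[kiosk][day].add(wallet)
        paid[kiosk][wallet] += amount

    flagged = {}
    for kiosk, days in by_day.items():
        # Per wallet, count the days it cashed out alongside enough other wallets.
        together = Counter(
            w for ws in days.values() if len(ws) >= min_wallets for w in ws
        )
        cluster = sorted(w for w, n in together.items() if n >= min_days)
        if len(cluster) >= min_wallets:
            flagged[kiosk] = {
                "wallets": cluster,
                "total_ugx": sum(paid[kiosk][w] for w in cluster),
            }
    return flagged


if __name__ == "__main__":
    for kiosk, hit in flag_shared_kiosks(WITHDRAWALS).items():
        print(kiosk, hit["wallets"], f"UGX {hit['total_ugx']:,}")
```

A hit is a lead for the next steps in the trail (CCTV and interviews), not proof of fraud on its own.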
The red flags were ignored
This company had been warned.
Audit flagged the basement risk three years earlier. Management said moving servers was “too expensive.”
IT requested cloud backup. Denied: “Why pay dollars when we can keep everything local?”
Finance questioned lifestyle inflation. The finance officer who later stole UGX 780m had bought land in Mukono, but the HR file still listed him as “earning modestly.”
Ignoring red flags is corporate suicide.
The cost of fragility
By the time Summit concluded the assignment, the insurer had:
- Lost UGX 780m to fraud.
- Spent UGX 1.2bn on emergency IT rebuild.
- Watched customer numbers fall by 40% in two months.
Compare that with the cost of proactive resilience, estimated at UGX 350m annually for backups, drills, and monitoring. Fragility is always more expensive than vigilance.
Building vigilance as culture
How then can Ugandan organisations build resilience that lasts?
- Board ownership. Resilience is a strategy, not IT. The board must demand simulations and drill reports.
- Continuous rehearsal. Every quarter, simulate a crisis: a cyberattack, power cut, or insider fraud. Measure response time.
- Never keep the crown jewels in one place. Spread servers, diversify suppliers, cross-train staff.
- Real-time detection. Use analytics to flag anomalies, not manual reviews weeks later.
- Culture of bad news. Reward staff who escalate problems early, not those who hide them.
Executives often ask, “What if we invest in resilience and never face a crisis?” The correct response: “What if you do not invest, and face one tomorrow?” Fragility is invisible until it is fatal. Vigilance may look costly, but it is always cheaper than collapse.
The insurer eventually survived, but as half its former self. Competitors took its market share. The board learned, too late, that risk resilience is not a choice but an imperative. A resilient organisation is not the one that avoids storms. It is the one that sails through them.
Today, the difference between survival and extinction is captured in one equation:
Vulnerability + denial = collapse.
Vigilance + resilience = continuity.
Which is your business equation?
Copyright, IFIS, 2025. All rights reserved.