Cybersecurity is now an integrity issue. Academic credibility is one breach away. In June, I wrote to several universities and training institutions urging them to rethink their cybersecurity and examination systems. I got no response. Perhaps they still believe cybersecurity is an IT issue, not an integrity issue. Artificial Intelligence has become the new exam leak. Students no longer smuggle notes; they smuggle algorithms. They do not copy answers; they generate them. The crisis is no longer about cheating; it’s about credibility. AI is quietly eroding the trust in academic qualifications. Employers now ask, “Did this graduate learn or just generate?” The distinction between brilliance and plagiarism is disappearing. Universities that ignore this shift are preparing students for a world that no longer exists. This is why cybersecurity and academic reform must now move together. The next breach won’t come from a hacker; it will come from a chatbot. Join us this Cybersecurity Awareness Month. Attend and sponsor the Cybersecurity and Risk Management Conference on 16th October 2025 at Speke Resort Munyonyo. Because the integrity of your institution is now your strongest firewall. The illusion of academic integrity Most university leaders still believe cheating begins in the exam room, with crib notes, phones under desks, and “helpful” invigilators. That belief is a dangerous illusion. Cheating today starts in the server room. Academic fraud has evolved. The modern cheat doesn’t hide a paper chit; they manipulate digital systems, intercept emails, and buy leaked exams weeks before they are printed. The true battlefield is not in lecture halls but in university data centers, where passwords are reused, systems are unpatched, and “temporary staff” have permanent access. The tragedy is that integrity, once a personal virtue, is now a cybersecurity metric. The lecturer’s password is the university’s moral compass. Every compromised email account can alter a grade, rewrite a transcript, or destroy years of reputation. Universities must understand: their biggest cybersecurity risk is not ransomware. It is academic dishonesty engineered through digital access. The dark campus economy Every university has a silent underworld, an informal marketplace where grades, exam drafts, and coursework circulate like contraband. “Suspect 1,” a lab assistant in one Ugandan university, discovered that information sells faster than airtime. His part-time job maintaining the exam submission portal gave him privileged access to uploaded papers. With a single copied folder, he could earn what his salary took three months to provide. In closed WhatsApp and Telegram groups labeled “revision materials,” leaked exams trade hands for mobile money or data bundles. Students call it “help.” Staff call it “hustle.” The system calls it “a breach.” Academic corruption now has a payment gateway. Mobile money becomes the bloodstream of digital dishonesty, leaving behind transaction trails that only a skilled forensic auditor can trace. When Summit Consulting investigated a similar case, patterns emerged: suspicious deposits before exam weeks, identical IP addresses linking students to staff, and “midnight logins” that no one could explain. The dark campus economy is not fiction. It’s the new tuition business. How exams are hacked before they are set Many institutions assume exams leak after being printed. In reality, most leaks happen before they are even finalized. The exam-setting process is a chain of trust, and every link is fragile. Papers are typed, emailed to subject heads, reviewed, printed, sealed, and stored. Along this chain, a careless click or misplaced flash drive can expose the entire exam. “Suspect 2,” a part-time IT technician, was responsible for server backups. One evening, he made a copy of the exam folder “to ensure redundancy.” That duplicate, saved on his personal hard drive, was later accessed by students preparing for the same course. The breach didn’t involve a hacker from Russia. It involved a careless human in Kampala. Universities often rely on shared folders, unencrypted drives, and unsecured emails. Exams are stored in the same location as coursework files, making them easy targets for anyone with modest digital curiosity. Cybersecurity is not about firewalls, but about process design. The moment an exam touches a personal device, it is already public. The password paradox In one investigation, Summit Consulting found over 60% of university staff using passwords like Admin123, Welcome2020, or their own names. These are not passwords. They are resignation letters waiting to be signed. The irony is that many lecturers teach information systems but still reuse personal passwords across university platforms. A single compromised Gmail account can open the student record system, the marks portal, and the HR database. Cybercriminals do not need to hack; they just need to guess. And they often guess right. When asked why they don’t change passwords, one senior academic replied, “Because I forget them.” That excuse cost the institution its entire assessment database when a stolen password was used to download exam drafts. In cybersecurity, laziness is a luxury no university can afford. Passwords protect more than data, they protect dignity. Every institution must treat password hygiene as a cultural reform, not a technical policy. The invisible insider The most dangerous hacker on campus already has an ID card. Insiders know the systems, processes, and blind spots. They understand how marks are uploaded, who approves results, and when systems are most vulnerable. “Suspect 3,” a data entry clerk, used their access to alter grades in exchange for “transport.” Access control existed, but accountability didn’t. Multiple users shared login credentials “for convenience.” When the marks changed mysteriously, no one could tell whose account was used. This is how academic manipulation thrives: through shared passwords, weak segregation of duties, and absence of digital logs. Internal fraud rarely looks like a crime; it looks like teamwork. Universities must rethink access. Not everyone who touches data needs to edit it. Not everyone who edits data needs to approve it. And not everyone who approves should do so without a second set of eyes. The invisible insider is not a tech problem. It’s a governance problem disguised as convenience. The anatomy of an academic breach Picture this: a student connects to campus

“Your NGO is not losing money through sacks of maize. It is losing it through megabytes of data.” Most leaders still picture fraud in physical form, missing fuel, fake receipts, ghost beneficiaries, or warehouses half-empty. Yet today’s fraudster doesn’t touch a truck. He touches a keyboard. Donor dollars vanish quietly, with the click of an “approve” button, authorized by login credentials stolen from the very staff you trust. NOTICE Effective 1st October 2025, the technical training arm of Summit Consulting Ltd, the Institute of Forensics and ICT Security (IFIS), has taken the lead as Uganda’s global champion for Cybersecurity Awareness Month. To mark this, we are sharing powerful cybersecurity insights across all our newsletters, bringing cybersecurity to the very center of governance and leadership conversations.   And we are not stopping there. You and your team can now register for a free virtual Cybersecurity Awareness Session worth UGX 5 million, offered at no cost as part of our global Cybersecurity awareness. Simply visit https://event.forensicsinstitute.org/ to secure your slot. For organizations that prefer in-person training, IFIS is offering on-site sessions at your place of work at a facilitation fee of only UGX 500,000 per team, per session. Do not gamble with silence. Invest in awareness before a breach forces you to pay in panic. Register today. The danger is simple: corruption has gone digital, but leadership is still analog. Boards debate procurement policies while ignoring who controls the server. EXCOs argue over per diem ceilings while the finance portal has no two-factor authentication. Leaders obsess about visibility in the field but remain blind to what happens on the network. The greatest fraud in NGOs today is not collusion between procurement and stores. It is a collusion between IT and Finance. Why? Because donor funds move electronically, via SWIFT, mobile money, or internal transfers. A single insider can reroute funds to a ghost service provider with no warehouse trail, no physical audit, and no drama. Other common ways NGOs lose money include: Ghost beneficiaries. Hundreds of “recipients” with AI-generated photos and phone numbers. Mobile wallets opened, funds disbursed, activity logged. Paper trail? Fabricated. Fake invoices. Suppliers that exist on paper only. Scanned invoices, doctored purchase orders, and bank transfers to shell accounts. Inflated procurements. Legitimate vendors collude with program staff to inflate prices; the surplus is siphoned off in cash. Payroll ghosts. Phantom staff on the payroll; advances “reconciled” with forged signatures. Consultant capture. Phantom consultants submit glossy reports; payments are made up-front, and no deliverables are delivered. Cash corridors. Field cash disbursements “recorded” with receipts that match no serials; collectors disappear. Collusion with IT. Low-privilege staff climb privileges; approval workflows are bypassed or backdated. AI-assisted deception. Deepfakes for IDs, synthetic invoices, convincingly forged emails that pass basic verification. “Donor dollars are not stolen in sacks. They leak in megabytes.” Hope is not an audit trail. Boards that obsess over petty receipts while ignoring digital controls are writing their own obituary. Defence is simple in principle, hard in execution: strong segregation of duties, real-time anomaly detection (yes, AI can help), mobile money reconciliations matched to KYC, mandatory forensic spot checks, and a board-level cyber posture that treats prevention as governance. The Cyber Leakage assessment tool This is a practical governance tool every NGO EXCO should adopt. It tracks four dimensions: Access control: who has the keys to your financial system? Transaction monitoring: Are donor dollars matched to verified beneficiaries? Data visibility: Can leadership see anomalies in real time, or only in quarterly reports? Incident readiness: When, not if, a breach occurs, do you have a tested response plan? Today’s activity As part of this month, run a boardroom simulation. Give your managers a scenario: “A hacker has cloned your NGO’s domain email. Donors have received fake invoices with your logo. How do you detect, respond, and reassure donors within 48 hours?” The discussion will reveal gaps in awareness and controls faster than any report.  “Donor confidence is not lost when you are hacked. It is lost when you have no credible answer”, Mr Strategy. Cybersecurity is no longer about IT departments. It is about leadership survival. If you run an NGO, know this: the future of donor trust lies not in your warehouses but in your WiFi. Join us this October. Cybersecurity Awareness Month is your chance to shield your NGO from the fraud you cannot see, but cannot afford to ignore. Board Briefing on Cyber Leakage Readiness vs Target Donor dollars are stolen in MBs, not in sacks. Chart 2 below shows your NGO’s cyber leakage readiness against the global best practice target (scale 0–5). While the board routinely debates fuel theft or procurement receipts, the real leakage is invisible, happening in data flows, weak systems, and insider collusion. Chart 2: Cyber Leakage Readiness vs Target Cyber Leakage Readiness vs Target (Sample data). Access Control: 5 vs 5 Transaction Monitoring: 0 vs 5 Data Visibility: 8 vs 5 Incident Readiness: 5 vs 5 Key implications for the board There is a trust gap with donors. They assume their money is cyber-secure. Weak scores show a silent erosion of trust. Once lost, donor confidence rarely returns. Clear oversight blind spots are visible. Boards focus on warehouse audits, yet digital leakage bypasses those checks. Cyber fraud today requires governance, not just finance oversight. At 5 readiness, the NGO is effectively unprepared to respond to a cyber breach. A single spoofed email or fake invoice could cripple operations. This leads to incident paralysis that must be addressed immediately. The collusion risk at scale. The weakest links are Transaction Monitoring and Incident Readiness. This is where IT and Finance collude undetected, because the board lacks visibility. Red flags to look out for Staff sharing logins to financial systems. Email approvals without multi-factor authentication. No real-time visibility of funds-to-beneficiary matching. The incident response plan is either untested or non-existent. Action steps for EXCO and board Mandate Cyber Leakage Radar reporting – Require quarterly board dashboards on the four dimensions. Close the readiness gap – Prioritize

Your core banking system is not your biggest risk. Your tellers are. The wheelbarrow mentality is a condition where staff wait to be pushed to do what they are already paid to do. In banking, this mentality is lethal. A teller who logs into the core system with one hand, while texting a cousin on mobile money with the other, is not just inefficient; he is your greatest cyber liability. CEOs love to boast about multimillion-dollar core banking upgrades. “We bought the latest system,” they say, as if code could cure culture. It cannot. A teller with a smartphone can reroute millions faster than your IT firewall can blink. Hackers don’t need to break through your perimeter when the insiders open the gates daily. Every fraud story I have investigated begins the same way: with misplaced trust in “loyal” staff. The weak passwords are written on sticky notes. The workstation was left unlocked for tea. The supervisor who signs off without verifying. Banks do not lose billions through Russian hackers; they lose them through inattentive, underpaid, or compromised insiders. It’s a paradox. The more technology you deploy, the more human discipline you require. Yet most boards spend 90% of their budgets on systems, and less than 5% on building a security-aware culture. That is like buying a bulletproof car but hiring a reckless driver. “Cybersecurity is not about technology. It is about trust. And trust, once broken, is uninsurable.” If you are a CEO, your greatest cyber risk does not sit in Moscow or Lagos. It sits in your banking hall, smiling, stamping, and waiting for a chance to strike. Audit culture as aggressively as you audit systems. Train, monitor, and enforce discipline daily. Technology is only as strong as the teller who uses it. Stay safe. Most leaders talk about cyber as if it were an IT line item. That is why they lose. Hackers don’t attack firewalls; they exploit governance gaps. The weakest control is often not the system; it is the boardroom silence. To win, directors need a simple but ruthless tool that cuts through jargon and exposes blind spots. Enter the Cyber Risk Radar™: a one-page governance weapon that forces the right questions, demands evidence, and shows instantly whether your organization is drifting toward breach or building resilience. This is not a checklist for IT. It is a mirror for the board. Table 1: The board’s Cyber Risk Radar Dimension Board question to ask Evidence required What “weak” looks like What “strong” looks like Board action 1. Insider threat exposure If a teller left their desk unlocked, how much could we lose before detection? Data on maximum exposure per workstation, incident logs No monitoring; staff share logins; no transaction caps Real-time monitoring; auto-logouts; transaction caps per user Demand simulation results; insist on quarterly insider threat testing 2. Cyber red flag dashboard Do we have a one-page quarterly dashboard? Dashboard showing logins, insider breaches, near-misses, and financial exposure IT jargon slides, no metrics linked to money Clear numbers tied to financial risk and trends Require dashboard as a standing board pack item 3. Executive accountability Whose bonus is reduced if we suffer a breach? HR policy linking EXCO pay to cyber incidents “Cyber is IT’s problem.” CRO, CIO, and COO have performance-linked accountability Direct RemCo to tie pay to cyber outcomes 4. Business continuity drill What happens if the system goes down for 1 hour? Documented BCP/DRP test results, staff performance logs Panic; no plan; reliance on IT improvisation Blackout drill executed; operations continue via backups/manual fallback Order an annual “blackout drill” with the board observing the results 5. Board cyber maturity score How do we rate ourselves: ignorant, informed, or intelligent? Independent maturity assessment, board training records Board waits for IT updates; no training Board challenges assumptions, links cyber to strategy, demands controls Schedule quarterly board self-assessment and annual cyber training   How to use this table in practice Insert it into every quarterly board pack. Score yourselves honestly on each dimension (1 = weak, 5 = strong). Track movement quarter by quarter. If you’re not moving up, you’re drifting into irrelevance. “Cybersecurity is not a technical war. It is a governance war. And boards lose by silence.” Mr Strategy. About the IFIS, https://forensicsinstitute.org/about/ At IFIS, we live by our motto, “Discere Faciendo. Learn by Doing.” Every course, certification, and training session emphasizes practical, hands-on skills that empower you to solve real-world challenges from day one. Learn by doing, be empowered to transform your career and life. At the Institute of Forensics & ICT Security (IFIS), we specialize in bridging the gap between knowledge and application. Whether you are navigating the challenges of cybersecurity, mitigating enterprise risks, investigating fraud, or analyzing complex data, our cutting-edge certifications and practical training programs prepare you to lead in today’s dynamic world. Come and get skills that you can apply to your job instantly and transform your career and life. Copyright IFIS 2025. All rights reserved.

October is here. Across Uganda, thousands of employees will walk into offices, open emails, and click without thinking. One careless click is all it takes. That is why Cybersecurity Awareness Month is not just another “theme month.” It is a survival drill. Cybercrime is no longer a distant story from America or Europe. It is a Ugandan reality. From SACCOs in Masaka losing millions via mobile money SIM swaps, to hospitals in Kampala locked out of patient records by ransomware, to government agencies paying ransom quietly, cyber risk is here. It is local. It is expensive. And it is growing. Why awareness matters The biggest myth in cybersecurity is that technology alone will protect you. Firewalls, antiviruses, and fancy dashboards mean nothing if your people are blind to threats. Eight out of ten breaches in Uganda begin with human error: a staff member reusing passwords, downloading fake invoices, or sharing sensitive data on WhatsApp. Cybersecurity Awareness Month exists to break that ignorance. To remind every staff member that they are the first firewall. The cost of ignorance A Tier 2 bank lost UGX 1.4 billion in a single phishing campaign. A private school had its entire website defaced, leaving parents questioning its credibility. An NGO donor froze funding after hackers exposed project data. None of these began with a “major hack.” They began with an ignored awareness. What must leaders do this October? Make cybersecurity cultural, not seasonal – One month of slogans is not enough. Embed cyber habits into daily work. Invest in drills, not posters – Staff remember simulated phishing tests, not motivational banners. Hold EXCO accountable – Cyber risk is a governance issue. Boards must demand evidence of preparedness, not promises. At Summit Consulting Ltd, we say: “Cybersecurity is not IT. It is a survival strategy.” This month, we are running free awareness trainings for organizations that dare to take risk seriously. One hour with us could save your organization billions. The question is not whether hackers will strike. It is whether your team will recognize the attack when it happens. Stay aware. Stay protected. Visit https://event.forensicsinstitute.org/ to access free resources. Be safe online.   Cybersecurity Month 2025 is here: Stay aware. Stay protected. One careless click. That’s all it takes to lose millions. Cybercrime is no longer a foreign headline; it is Ugandan. A SACCO in Masaka was wiped out via SIM swaps. A Kampala hospital was locked out of patient records by ransomware. A Tier 2 bank is losing UGX 1.4 billion to phishing. None of these started with “big hacks.” They started with ignorance. The truth? Technology won’t save you if your people are blind. Eight out of ten breaches in Uganda begin with human error, weak passwords, fake invoices, or sharing data on WhatsApp. This October, the Institute of Forensics & ICT Security, a technical training arm of Summit Consulting, is leading Cybersecurity Awareness Month. We are offering free awareness training to organizations ready to treat cyber risk as a governance issue, not an IT problem. Boards, EXCOs, and CEOs: stop asking “What if hackers strike?” Start asking: “Will my team recognize the attack when it comes?” Register your team today. Save your reputation tomorrow. events.forensicsinstitute.org Stay aware. Stay protected.

UGX 46 million vanished in less than an hour. Not through a sophisticated hack. Not through some dark web syndicate. But because one junior accountant at a mid-sized SACCO forgot to press Ctrl+Alt+Del before stepping out for tea. That’s it. One forgotten click. While managers were busy preparing for their weekly meeting and members queued outside to deposit their hard-earned savings, Suspect 1—a teller with sharp instincts for weakness- seized the moment. He slid into her still-active workstation, typed nothing, and yet unlocked everything. Within minutes, he rerouted UGX 76 million through three mobile money accounts. By the time the IT team noticed “irregular logins,” the cash had already been withdrawn in brown envelopes from Kikuubo agents. This wasn’t a cyber genius at work. It was a crime of opportunity, powered by complacency. Here’s the bitter truth: fraud in Uganda rarely starts with billion-shilling heists or complex malware. It starts with tiny details everyone dismisses. A door left ajar. A system is left logged in. A control left unenforced. And because leaders gamble that “nothing big will happen,” something massive always does. This SACCO didn’t lose because it lacked technology. It lost because it lacked discipline. The myth of “small” risks Many leaders are obsessed with the big stuff: market share, regulatory approvals, new loans, donor inflows. Yet it is the “small” things that cripple organizations. A missed reconciliation of UGX 200,000 in petty cash. A supplier contract is missing one clause on delivery timelines. An unpatched firewall is ignored because “IT is busy.” A guard sleeping outside the warehouse, “just one night.” Each feels negligible in isolation. But in practice, small risks are never small. They are the loose threads that unravel the entire fabric. The details that destroyed giants The ghost fuel deliveries – A transport company ignored “minor” discrepancies in trip sheets. Over time, those “few missing litres” added up to UGX 1.2 billion siphoned off by colluding drivers and pump attendants. The board only woke up when clients began to terminate contracts. The weak password tragedy – A private university IT officer reused the same password across systems. Hackers cracked it within minutes. What began as a “small vulnerability” led to the leak of student data, lawsuits, and millions in damages. The fake signature scandal – A government project officer approved “small” field expenses without verifying signatures. For two years, fictitious names collected allowances. By the time Summit Consulting was hired, UGX 3.7 billion had evaporated. The pattern is clear: small risks ignored turn into scandals that cripple. Why leaders dismiss details The psychology is simple: details feel boring, beneath senior executives. Boards like grand narratives, not red flags about missing invoices. CEOs prefer PowerPoint on expansion strategies, not notes on untrained security guards. But risk thrives in the margins, not in the headlines. Remember: The Titanic wasn’t sunk by a fleet of icebergs. It hit one small detail, an iceberg tip nobody thought mattered. Take Suspect 2, a procurement officer in a local hospital. She began by “borrowing” UGX 100,000 from supplier refunds. Nobody noticed. Encouraged, she increased to UGX 500,000, then UGX 2 million. By year three, she had rerouted over UGX 600 million. When caught, her defence was chilling: “If they ignored the small things, why wouldn’t I keep going?” Fraud rarely begins with billions. It begins with overlooked details. The red flags good investigators look for When we investigate fraud, we don’t start with the “big scandal.” We start with the details: Expense claims are repeatedly just below approval thresholds. Staff who never take leave (afraid their fraud will be discovered). Delayed reconciliations were excused as “system issues.” IT logs showing after-hours access that nobody questions. Petty cash never balances to the last shilling. Each is a whisper of a coming storm. Ignore them, and you invite catastrophe. Why do details matter? Culture – A culture that ignores details creates silent permission for fraud. If bosses laugh off small control breaches, staff take it as a green light. Compounding effect – UGX 100,000 stolen weekly becomes UGX 5.2 million annually. Over five years, it’s UGX 26 million. By then, the fraudster has graduated to bigger schemes. Regulatory cost – Donors and regulators don’t care whether theft began “small.” They penalize based on total loss. And in Uganda, reputational damage is instant and unforgiving. Lessons for leaders Interrogate the details – Ask about small variances, small delays, small exceptions. That’s where truth hides. Reward vigilance, not speed – A staff member who takes extra minutes to cross-check signatures is more valuable than one who rushes. Automate the boring stuff – Use fraud analytics and dashboards. Machines don’t get bored by details; humans do. Hold managers accountable for the “small stuff” – Don’t let senior leaders hide behind strategy slides. Make them answer for reconciliations, leave rosters, and password policies. At Summit, we tell clients: “Ignore the decimal point, lose the whole figure.” Every investigation we’ve cracked, whether UGX 80 million or UGX 8 billion, started with small anomalies someone dismissed. Our forensic accountants don’t chase headlines. They chase details. That’s how we catch the ghosts. The devil lives in the details Small risks are never small. They are termites chewing silently at the foundation. They rarely shout, but they always multiply. And by the time leadership notices, the cost is catastrophic. The riskiest leaders in Uganda today are not the ones who gamble boldly. They are the ones who ignore details, shrugging off small risks as “minor.” The next fraud in your organization won’t start with UGX 1 billion. It will start with UGX 100,000; nobody cares about it. The question is, who is watching the details? Copyright IFIS 2025. All rights reserved.  

Unthinkable. It happened at 11:48 p.m. in a private hospital in Kampala. The lights were still on, but the hospital’s heartbeat, the patchwork of digital and manual systems holding it together, flatlined. The pharmacy system froze. The laboratory printer jammed mid-test. The mobile money integration for patient payments collapsed. Even the old desktop server that held patient histories blinked into darkness. Nurses in the ICU reached for files that weren’t there. The paper charts had long been replaced with a “digital records upgrade” that now lay hostage to a system crash. In the theatre, a surgeon barked: “Get me the blood group!” But the lab technicians stood helpless; the results were trapped in the system. An intern sprinted down the corridor, searching for handwritten notes. A nurse fumbled through a drawer with loose papers, praying for a clue. Relatives pressed against the glass windows, panicked, whispering, “What if someone dies?” One mother clutched her rosary, eyes fixed on the ICU where her child lay on a ventilator. The machines still beeped, but no one could pull up the latest dosage records. What began as a “minor systems maintenance” had spiraled into a night of terror. By morning, the CEO arrived, sweating, shaken, summoned by a flurry of midnight calls from doctors and the board chair. His first question was blunt: “How did this happen?” The bitter truth is that it hadn’t “just happened.” For months, the IT officer had raised red flags. The hospital was running on outdated software, free antivirus, and a third-party backup service that had never been tested. Internal audit had flagged the risks, filing memos no one read. Leadership, eager to look modern with a “digital hospital” brand, had gambled that prevention was too costly. They were wrong. By the time the systems limped back seven hours later, two scheduled surgeries had been postponed. One patient’s transfer to the ICU had been delayed because payment could not be confirmed. The pharmacy issued wrong doses due to a lack of updated stock records. Trust shattered. Word spread across WhatsApp groups: “Don’t go there, they nearly killed people last night.” The financial cost ran into hundreds of millions. But the reputational damage was unquantifiable. In Uganda, where hospitals live or die by word of mouth, this was lethal. Families spoke of negligence. Journalists sniffed for a story. Regulators circled like vultures. It wasn’t just a system crash but a mirror held up to leadership blindness, choosing optimism over action, brand over backbone. And in those seven hours, lives dangled on the edge because someone thought silence was cheaper than prevention. The illusion of safety Leaders often mistake silence for safety. Because no disaster is visible today, they assume tomorrow will be the same. But risk is like termites in timber. It eats silently, invisibly, until one day the entire roof caves in during a storm. Think about it. How many Ugandan companies waited until fraud broke headlines before they strengthened controls? How many universities ignored student unrest until a protest burned down offices? How many hospitals shrugged off weak fire systems until lives were lost? Ignoring risk is not risk avoidance. It is deferred suicide. The psychology of ignoring risk Why do smart executives act dumb when it comes to risk? Three reasons stand out: Optimism bias – “We have never had a major fraud before, so why should it start now?” That is the reasoning of a chicken celebrating Christmas Eve because the farmer hasn’t slaughtered it yet. Short-termism – Many executives are rewarded for quick wins, not for preventing invisible disasters. Why spend UGX 200 million on cybersecurity when you can buy new cars for management and show “progress”? Fear of bad news – Some boards treat risk officers like prophets of doom. Raise too many alarms, and you’re branded “negative.” So auditors soften language, executives sugarcoat reports, and directors sleep through board packs. Until the wake-up call arrives at 2 am. The hidden cost of ignored risk The cost of ignoring risk is never obvious on day one. It accumulates quietly. Banks that ignore credit concentration wake up to billions locked in real estate loans when the sector crashes. NGOs that ignore whistleblower reports discover 30% of project funds siphoned off by “ghost beneficiaries.” Manufacturers that ignore machinery maintenance see production halt when a single bearing breaks. Government agencies that ignore data security pay ransom in Bitcoin to hackers hiding in Moscow or Nairobi. Risk is a tax collector. It never forgets, never forgives, and always charges compound interest. A case in point I’ll share three anonymized cases from my investigations with Summit Consulting Ltd: Case of the vanishing payroll – In 2023, a government parastatal ignored audit flags about payroll irregularities. “We’ll deal with it next quarter,” said the HR director. By the time Summit was called in, over UGX 4.8 billion had been siphoned into mobile money wallets linked to ghost employees. The red flags were visible for two years. They were simply ignored. Case of the locked warehouse – A local FMCG company ignored repeated risk reports about inventory mismatches. One weekend, staff arrived to find the warehouse padlocked, not by management, but by suppliers owed millions. Goods worth UGX 2.3 billion were trapped inside. That “minor reconciliation issue” turned into a company-wide crisis. Case of the paralyzed hospital – A private hospital ignored cybersecurity warnings, assuming “hackers only target big banks.” In June 2024, ransomware locked patient records. Doctors could not access lab results or prescriptions for 48 hours. Two patients died. Losses? Beyond money, reputation, trust, and human lives. Each case shows the same pattern: warnings existed, but leaders chose inaction. Why ignoring risk is leadership failure The board’s role is not to cheer quarterly profits but to protect long-term survival. Ignoring risk is leadership malpractice. It signals three weaknesses: Poor governance – When boards don’t challenge management, blind spots become black holes. Weak culture – Organizations that punish whistleblowers and auditors cultivate silence, not vigilance. Complacency – Success