      At a mid-tier commercial bank in Lusaka, an IT policy manual sits neatly stored on the intranet—approved, version-controlled, and last reviewed three years ago. On paper, it is comprehensive: change management, access controls, incident response. In practice, however, system privileges are granted through informal emails, critical non-emergency system changes are justified after implementation, and policy exceptions are neither documented nor escalated beyond management.

      One weekend, a routine system update leads to prolonged service downtime. When management turns to policy for answers, it becomes clear that compliance had become optional and enforcement ambiguous. More troubling still, no Board committee had ever reviewed policy effectiveness, questioned deviations, or assessed whether IT policies aligned with the institution’s risk appetite and regulatory obligations.

      This illustrates a recurring reality in Zambian institutions: IT policies exist primarily to satisfy audits and regulators, not to actively govern behaviour. Without Board-level accountability, policies lose authority, controls erode, and technology risk silently accumulates. The challenge, therefore, is not a deficiency of policy but the absence of a governance culture that gives those policies force, ownership, and consequence.



      Building a Culture of IT Governance in Zambia