Page 90 - Capricorn IAR 2020
Technology risk
Technology risk is the risk that the strategic technology investment is not aligned to the Group’s purpose or business strategy, or of a catastrophic failure of technology to deliver secure IT services that provide critical business services. System breakdowns or systems being offline are examples of this risk materialising.
  How we mitigate this risk
The information security and IT risk and compliance teams collaborate with the technology GPRO and subsidiary PROs to identify risks. These are communicated to managers who are responsible for executing remediation plans.
An effective control environment has been created to identify critical issues as they arise and to deal effectively with severity incidents as they occur. Risks are tracked and reported within the risk governance structures.
The Group employs a standardised architecture to combat threats and reduce the effort required to support and maintain all systems. International frameworks and standards from ISO, NIST and ISACA are used to augment and support internal processes, standards and policies.
GOVERNANCE OVERSIGHT
Technology risks are reported to subsidiary management risk committees. Quarterly risk reports are submitted to the subsidiary board risk and compliance committees, as well as the Group risk committee and BARC. Material technology risks are reported to GBITC.
MORE INFORMATION
Read more about IT governance in the governance report on page 55.
Key risk indicators
• High-severity incidents
• System uptime
• Cyber attacks
• Disaster-recovery failures
• Support call metrics
• IT change metrics
PRIORITIES FOR 2020 AND PROGRESS MADE
  • An enterprise-wide information asset register was compiled, and an Information Classification Framework was approved.
• Group IT continued reducing the complexity and single points of failure of the banks’ internal and external network equipment and connectivity. Progress is evident from the improvement in system stability in Zambia and Botswana.
• A full data centre recovery capability was built and successfully tested in Botswana. In Namibia, disaster recovery was performed successfully over a two-week period in October 2019.
• The Agile approach was embedded. It continues to improve the rate of project delivery and to promote the relevance to the strategy of the projects delivered.
• Service level processes were embedded.
FUTURE FOCUS AREAS
• Standardise technologies used across the Group
• Continue enhancing information security controls
• Embed the enhanced vendor management process and controls
• Continue focusing on strengthening cybersecurity
• Configure and align the delivery platforms for development and operations