Future Proof – Protecting our digital future

In September 2013, the National Audit Office of the UK released a report, Managing the risks of legacy ICT to public service delivery.

The report notes that ‘as budgets are reduced, departments with large legacy ICT estates have found it challenging to reduce costs and improve customer service through better use and sharing of information’.

This is why legacy ICT is of great interest and concern to State Records.

State Records wants quality business information to be at the core of government service delivery innovation. Information must also be better understood and protected as an asset in legacy ICT planning and management strategies.

Government organisations need to be able to access and use their business information, and often this information is needed for very long periods of time.

Poor understandings of the risks posed by legacy ICT or, as we sometimes see in NSW, ill-defined legacy ICT replacement strategies that orphan or silo business information, do impair organisational capacity to use and share information and therefore impact on organisational effectiveness.

The Audit Office report shows that legacy ICT can impact an organisation’s ability to innovate and that the transition away from legacy needs to be very well considered and managed, which is why this report is of such interest to us.

What are legacy systems?

In its report, the Audit Office defined legacy ICT as:

systems and applications that have been operationally embedded within a business function but superseded by newer and more effective technologies and changed business needs.

Because of rapid technology evolution, changing business needs and the large costs associated with technological changes and upgrades, all organisations tend to have legacy ICT challenges. And many fundamental government programs and services are dependent on legacy ICT.

For example, in the UK, the Audit Office estimated that that:

in 2011-2012 at least £480 billion of the government’s operating revenues and at least £210 billion of non-staff expenditure such as pensions and entitlements were reliant to some extent on legacy ICT.

What are the key risks facing legacy systems?

The Audit Office identified eight key risks that legacy ICT is commonly exposed to:

 * disruption to service continuity

* security vulnerabilities

* vendor lock-in, reducing competition and value for money

* skills gaps

* manual workarounds

* limited adaptability

* hidden costs associated with necessary manual workarounds

* decreased speed and increased cost and complexity when responding to business change

This last challenge can be particularly difficult when business and client expectations are increasingly for government services that are ‘digital by default’.

What works best for legacy ICT management?

The report makes clear that there are no easy or standard answers to dealing with the challenges of legacy ICT. In some scenarios it may make sense to adapt and extend the life of legacy ICT while in others the best business decision may be to replace legacy technology.

Determining appropriate solutions for legacy ICT requires complex analysis of business requirements, short and long term information needs, technological dependencies and an ideal future state. The report suggests that these complex assessments will need to become more commonplace in the increasing drive for the complete digital transformation of business.

In assessing legacy management scenarios, the Audit Office developed four case studies that examined the strategies that are typically used within organisations to manage legacy ICT systems. These strategies are:

 * no change to legacy systems

* enhance and maintain legacy systems, or

* replace legacy systems.

 The Audit Office then examined the extent to which these strategies managed the key risks they identified well or whether legacy risks still remained once these strategies were implemented.

In the four case studies assessed, none of the implemented strategies completely mitigated all risks but many useful examples and lessons can be drawn from the UK government experience of legacy ICT management.

So what lessons can NSW government learn from the UK Government’s experiences and apply to the management of legacy ICT?

Legacy systems can still work very well but they are unlikely to deliver desired digital service transformation

The report does not deny the value of legacy ICT. One system the Audit Office examined originated in 1973 and another in 1987. The Audit Office reports that both have been successfully adapted over the years and continue to provide a stable business platform for core government services.  However the report also identifies a 2008 system that became legacy soon after its creation due to business and service delivery changes affecting its parent organisation.

The Audit Office’s research found that business transformation is challenging when it involves legacy ICT and full digital business transformation is unlikely to be delivered using legacy ICT. They also found that business owners, unaware of their legacy ICT dependencies, did not fully know of the risks and limitations to their operations and to their future business plans posed by legacy ICT.

In today’s business environment where organisations have to do more with less, it can therefore be challenging to achieve desired service improvements and cost reductions with ‘retain’ or ‘enhance and maintain’ legacy ICT strategies.

However there are risks too in moving away from legacy ICT

The report also emphasises that there are risks associated with the replacement of legacy ICT, including the risks of

migrating data, operations staff and customers on to the new service while ensuring business and service continuity.

State Records has also seen the lack of data migration, caused by an inability to transition business information out of legacy ICT into new operating environments cause risks to ongoing government service delivery. There are also scenarios where, because of poor data migration pathways, legacy and new systems have had to operate in parallel, increasing the costs of service, requiring ongoing licensing costs, complicating processes and limiting business capacity for a unified view of clients or services.

Any transition away from legacy ICT therefore needs to fully consider ongoing needs for the business information maintained within legacy systems and to develop appropriate management and transition strategies.

So liaison is critical

Business, ICT and records staff need to work closer together to define long term strategies for business information and processes that are based on business needs, not technological or vendor limitations.

The Audit report recommends that staff should work together to develop a complete ‘end to end service’, that is, they should take a long term and strategic view of the information and services required and then together define the technologies that can best take them there.

Poor analysis and recordkeeping around the operational costs and effectiveness of legacy ICT can limit the possibility of change

The Audit Office found that in the organisations it examined, ‘the monitoring of service costs was not as complete as we would have expected’ and there was a lack of ICT cost and performance data in all the organisations they audited. While this impacted to some degree on the audit, more importantly they found that, ‘without a full analysis of service performance, operational efficiency and cost breakdown for the service over recent years, it is impossible to generate a robust business case for change.’

In an era of limited budgets, increasing needs for cost reductions and the desire for ‘digital by default’ service delivery, the lack of data about current costs and service delivery impacts of legacy ICT was seen as a significant inhibitor to change.

Legacy ICT ‘enhance and maintain’ strategies implemented through system integrations or ‘wrappers’ do come at a cost

To extend the life of legacy systems, many organisations develop integration pathways or apply wrappers between legacy and other systems.

The report notes that ‘this approach can be used to make transformational change, for example, introducing online channels’. However, it also:

* creates a more complex technology estate

* often increases costs

* often increases skill requirements

* does not replace the legacy and so leaves inherent legacy risks in place

* can become unsustainable in the longer term due to the increasing cost and complexity of maintaining the wrappers.

Organisations do therefore need to look very carefully at the short and long term costs of their ‘enhance and maintain’ strategies. The long term costs and complexities associated with maintaining necessary business information are seldom comprehensively understood and do need to be built into any planned legacy system management strategies. They also inhibit the reality of completely digital by default strategies into the future.

The report also notes that given legacy ICT often requires many interfaces and connections with other systems and these many dependencies make even routine system changes costly and protracted.

All systems will one day become legacy so plan for the future now

The National Audit Office report helps us to understand the complex relationship between business, information, service delivery and technology.

With technology continually evolving and government business undergoing significant transformation, the report is an incredibly well considered and well timed reminder to always consider the future in our plans for today.

The systems we deploy today will become the legacy systems of tomorrow, so how can we implement today’s technologies in the most flexible and open ways possible? How do we implement technologies that enable business and business information to be easily and comprehensively transitioned from one operating environment to the next? What can we do today to enable the most potential tomorrow?

Thank you to the National Audit Office of the UK for their fantastic, well designed and very thought provoking report.