Navigating the Hidden Risks of Legacy Systems
April 19, 2022 | Written by Sree Ravela
Photo by P. L.
When IT leaders inherit legacy systems, they encounter potential risks within technology, operations, finance, business, security and compliance, and team culture. To successfully navigate these risks, they must first understand each risk type, then develop an execution plan for mitigation. Here’s a step-by-step guide of how to do just that.
Understanding Risks Types
Legacy system risks span technological limitations, operational inefficiencies, financial burdens, business process constraints, security vulnerabilities, compliance issues, and resistance within team culture. Careful analysis reveals how these limitations are intertwined and ultimately impact business outcomes. Let’s evaluate each type of risk and review real-world scenarios of well-known companies that have encountered challenges with legacy system failures and how they were impacted.
Technical Risks
Obsolescence: Outdated technology hinders integration and limits scalability.
Complex code: Poorly documented or modified code complicates understanding and changes.
Vendor lock-in: Proprietary technology limits flexibility and raises migration costs.
Data integrity: Inefficient data management leads to inaccuracies and duplication.
Scalability: Increased transactions per user load stunts growth.
Integration limitations: The inability to connect to new APIs, Cloud services, or other applications limits technological innovation.
🌎 Universal healthcare was introduced to the United States in 2013 via healthcare.gov, but poor integration of legacy systems with new platforms led to widespread technical failure. Millions of Americans couldn't enroll in health insurance when the site was initially rolled out, and it took several months to fix the problem.
Operational Risks
Downtime and reliability: Downtime, outages, and performance issues cause revenue loss.
Maintenance costs: Ongoing expenses for maintenance, fixes, and support impact the company’s bottom line.
Skill shortages: A shrinking pool of legacy skills like COBOL, RPG, CAPLEX, and mainframes are leading to a knowledge void in the industry.
Process rigidities: Older systems are designed around outdated processes that aren't adaptable to current business needs.
🌎 A power outage disrupted legacy systems at Delta Airlines in 2016, grounding flights globally. Over 2,000 flights were canceled, resulting in an estimated loss of $150M. The root cause was lack of system redundancy and a disaster recovery plan.
Financial Risks
Budget limitations for replacements: Replacing or upgrading a system comes at a hefty expense. The associated costs of upgrades usually strains operating budgets.
Opportunity cost: The time devoted to holding on to and maintaining aging systems diverts funds toward debt servicing instead of innovation and strategic IT investment.
🌎 In 2012, a legacy batch processing system failed at the Royal Bank of Scotland (part of RBS Group) during a routine update. As a result, 6.5 million customers were locked out of their accounts, costing the bank £125M. Lesson learned: Financial services relying on outdated core banking systems risk substantial losses.
Strategic and Business Risks
Scalability challenges with business growth: Lack of agile systems slows down progress in enabling business capabilities.
Loss of competitive advantage: Outdated IT infrastructure limits innovation as well as the ability to enhance customer experiences and react to market demands.
Resistance to change: Employees that work on legacy systems for an extended period of time tend to resist migration efforts, leading to delays and inefficiencies.
System integration challenges during M&A: If a company is involved in M&A, integrating old systems with the acquired business presents major complexities.
🌎 Blockbuster's continued reliance on physical stores and outdated POS and inventory systems in the 2010s hindered its shift to digital content delivery. This required Cloud scalability, digital rights management, and streaming infrastructure. Technical limitations and resistance to change impacted their ability to compete with Netflix. As a result, the entire company failed its operations, and streaming services took over the market.
Security and Compliance Risks
Cybersecurity vulnerabilities: The lack of security features found in newer hardware and software leads to vulnerable cyber threats.
Regulatory and compliance gaps: Many legacy applications don’t comply with updated regulations, such as GDPR, HIPAA, or PCI-DSS.
Unpatched systems: End-of-life or unsupported systems may be unable to receive patch upgrades or security patches for known exploits.
Weak access controls: Older identity and access management (IAM) methods may allow unauthorized access and privilege escalation.
🌎 In 2017, legacy systems that were left unpatched for months at Equifax allowed attackers to exploit Apache Struts vulnerability. This resulted in a data breach of 147 million Americans' private data. Legacy systems often can't keep up with modern security patches.
Cultural Risks
Employee morale: Slow, antiquated systems cause employees to become frustrated and dissatisfied with their jobs due to redundancies and dependencies, leading to a decline in productivity.
Knowledge loss: When key employees leave organizations with institutional knowledge, it becomes increasingly difficult to sustain or move away from legacy systems.
Competing priorities: Executive leaders may have varying opinions about the priority of modernization, which turns into an endless path of kicking the can down the road, requiring complex remediation in the future.
🌎 GE launched a bold initiative in the 2010s to reinvent itself as a "digital industrial" company, betting big on its Predix platform for industrial IoT. The goal was to modernize operations and become a tech-forward powerhouse. But their “hardware engineering-first” culture resisted the pivot to software and data because legacy divisions viewed digital as an add-on instead of a core transformation. Despite the costly investment, business units didn’t end up adapting workflows to the new platform.
What gets us here won’t get us there. IT Leaders should always be scanning for legacy system risks in their environment and proactively plan mitigation strategies.
How to Mitigate Risks
Risk mitigation means staying informed about competition, upholding relevancy, and adhering to regulatory compliance. In order to mitigate risks, you must assess and categorize the risk types, prioritize the components of each one, develop an execution roadmap and establish governance, then initiate change management.
1. Assess all risks, then categorize them by type.
Before making any decisions, perform a comprehensive risk assessment to categorize the various risk types. First, conduct interviews with business and IT teams to identify pain points. Then perform a gap analysis between the current state and industry best practices. Lastly, leverage tools for penetration testing, monitoring logs, and dependency mapping to gather insights. Here’s an example of a risk matrix you can reference to organize your findings:
Risk Matrix
2. Prioritize the components of each risk type by impact.
Once you’ve assessed all risk types, prioritize the components of each one based on business impact and the feasibility of resolving them. You can do this by evaluating short-term and long-term impacts. Here’s an example of a component risk matrix:
System / Component Matrix
💡 Pro tip: For short-term, high-impact fixes, apply immediate security patches, improve monitoring, and document systems. For medium-term fixes, upgrade infrastructure, refactor critical modules, and improve compliance measures. For long-term fixes, implement full-scale modernization, re-platforming, and re-architecting with microservices or Cloud. Here are some examples of short-term and long-term solutions for the action plans in this matrix:
-
Short-Term
Apply patches and security upgrades to give the system more usable life.
Improve documentation for knowledge retention.
Use APIs to improve integration.
Long-Term
Start using a hybrid architecture, e.g., Cloud-native components with some on-prem integration.
Rebuild monolithic applications to microservice or service-based architecture.
Use automation and DevOps practices to establish more streamlined updates.
-
Short-Term
Improve monitoring and alerting (e.g., Splunk, Datadog, New Relic).
Create a backup and disaster recovery strategy.
Long-Term
Create a phased migration strategy to reduce the disruption for end-users.
Prepare staff on modern technologies to reduce dependency on classic technology support.
-
Short-Term
Perform a Total Cost of Ownership (TCO) analysis.
Identify cost-saving opportunities like SaaS alternatives.
Long-Term
Present a business case for modernization (ROI analysis, cost savings).
Negotiate with vendors for better licensing terms.
-
Short-Term
Perform risk analysis with a fragmented landscape.
Map technical debt by risk types.
Long-Term
Plan legacy system retirements.
Perform business process pre-engineering for standardization to avoid customization.
-
Short-Term
Enforce multi-factor authentication (MFA).
Limit system access based on roles (RBAC).
Perform security audits and penetration testing.
Long-Term
Decommission systems that cannot be secured.
Migrate to a Cloud provider with compliance controls (AWS, Azure, GCP).
-
Short-Term
Perform a Total Cost of Ownership (TCO) analysis.
Identify cost-saving opportunities, like SaaS alternatives.
Long-Term
Present a business case for modernization (ROI analysis, cost savings).
Negotiate with vendors for better licensing terms.
4. Develop an execution roadmap and establish governance.
Once you’ve defined mitigation strategies, develop a structured execution plan and establish governance. You can do this by forming a steering committee (IT, Business, and Finance) to oversee risks. Then set up KPIs for success by measuring system uptime, number of business capabilities enhanced, security incidents, maintenance costs, and business agility. Here’s an example of a KPI matrix:
KPI Matrix
5. Initiate Change Management to gain team alignment.
One of the biggest challenges in legacy modernization is resistance to change. Address this by regularly communicating with IT teams about the benefits—help them understand how these changes can make their jobs easier. Implement training programs to upskill employees on new technologies, and pilot programs to test new systems before full rollout. And remember, always incorporate feedback loops to improve based on lessons learned.
•••
IT leaders must have a clear understanding of the intertwined risks of managing legacy systems. Effective mitigation requires a dual approach, encompassing both strategic technological upgrades and cultural adoption. Ensure a more resilient future by comprehensively assessing risks to guide you in developing a pragmatic pathway for transitioning away from legacy infrastructure while minimizing disruption.