How to develop a robust risk mitigation plan for legacy IT systems – Image by Wokandapix on Pixabay The existence of legacy IT systems creates several strategic risks for organisations. While organisations may decide to modernise mission-critical applications and migrate to the cloud taking this path creates its own risks. A full understanding of the potential risks including security and data protection is necessary to create the right strategies and to protect investments.

Broadly speaking there are two main categories of risk associated with an organisation’s legacy IT, these are vendor and people risk.

Vendor risk

Most organisations are now largely reliant on systems and technology written by third-party suppliers. This has removed huge risk and expense. However, it has introduced new types of risk through reliance on those technology vendors.

Technology end of life risks

If a vendor is financially unstable or goes out of business the software it provides might no longer be supported and future updates might not be developed. Bugs and vulnerabilities subsequently identified might not be fixed. The software may no longer run on new hardware or operating systems. Integrations to other vendors’ systems that are still being upgraded may start to fail. There may be no alternative other than to rip out the system and replace it.

The same drastic action may be needed if a software vendor ‘sunsets’ a product if it is no longer profitable or supportable. In this situation, customers will typically have more time to find a replacement. The vendor may offer a more up-to-date alternative and provide a migration path from the end-of-life product to its replacement. However, organisations may be forced to make significant expensive changes such as knock-on upgrades, rewriting interfaces and testing. Completing the transition may incur business interruption.

Technology end of life mitigation

An organisation needs to keep itself in a position of maximum flexibility with as many options as possible for change or for keeping the status quo. Awareness of the potential lock-ins which leave a business over-reliant on a particular vendor or bind it into using a particular solution is of paramount importance.

Here are some tips to minimise the lock-ins:

  • Look for solutions that use open-source. The source code may be readily available and there will be a bigger pool of people who can work with it
  • Favour applications that use open APIs so that all the touchpoints with other systems are clear and well-defined
  • Look for the exclusive use of stored procedures to keep vendor-specific SQL out of the code.

Vendors changing commercial terms

The original commercial terms for the use of the software may be changed unfavourably over time. If a vendor ‘sunsets’ a product or if customers stay on an old version of a product, often for good reasons, they may be faced with vastly increased charges. These annually rising charges can include support, access to hotlines, subsequent upgrades, services etc. Usually, initial agreements attract substantial discounts which might not be offered subsequently or an unlimited usage model might revert to the standard per-user model. The customer’s own changing circumstances might drive a switch in terms. The business might have been sold or downsized so that the favourable deals open to large enterprises are no longer available.

Many software agreements provide the right for the vendor to instigate occasional audits of software usage. If an organisation does not maintain awareness of the latest contract terms and keep an up-to-date record of the spread of active users around the organisation, then an audit might uncover over usage, perhaps pushing the business into higher pricing bands resulting in additional charges.

Does every cloud have a silver lining?

To mitigate some of the lock-in pitfalls it may seem attractive to migrate existing solutions to the cloud or move to new cloud applications. However, organisations need to be aware that such courses of action can introduce new traps and handcuffs.

A cloud platform such as AWS, Azure or Google offers a very rich set of facilities, capabilities, security, interfaces and APIs for all aspects of a deployment and run time environment. It’s almost too attractive and tempting – but once you’ve put all your eggs in one basket, what if a particular vendor gets hit by a cyber-attack, hikes prices or data storage rules change? Develop a strategy, or at least an awareness, to facilitate the ability to migrate solutions between the major cloud vendors and others that might emerge.

Other mitigation strategies to reduce vendor risk

Third-party systems keep organisations running, so choosing the right vendor is vital. Here are some strategies to help mitigate vendor risks:

  • Avoid dependency on a single solution and vendor. Alternative solutions may be a better fit for different parts of the business. Keep details of your software selection process and stay updated on other vendor solutions
  • Have standards and processes that are common across products so that any switch between solutions will be easier to implement
  • Certain solutions provide unique features – becoming reliant on these will lock you into a vendor. Aim to ring-fence their implementation and put these at the top of the list of questions when considering alternative vendors
  • Maintain strict awareness and control of your software licenses and usage
  • Ensure that you keep all solutions on supported versions and have an ongoing upgrade strategy and timetable
  • Monitor version vulnerability notifications and apply patches to resolve important vulnerabilities in a timely fashion
  • Monitor each vendor’s financial viability, brand reputation and the likelihood of a take over
  • Ensure that you have access to sufficient compute resources (inhouse or cloud) to plan and test version upgrades reliably
  • Maintain a map of your complete solution landscape to highlight integrations and dependencies. Try to maintain an environment that will allow single solutions to be upgraded at a time
  • Minimize your modifications to vendor packages – excessive modifications increase upgrade timescales, costs and lock-in risks. They can also complicate migration to cloud software.

People risks

As legacy systems age, the employees who understand how they work, their history, how potential catastrophes in the past have been addressed etc become rarer, more expensive and indispensable. These people are vital to keep the systems and the business running. However, this reliance can bring its own risks as the employees become set in their ways, inflate their perceived value or consider retirement.

Mitigation strategies to reduce people risk

It is easy to forget that you allow one of the organisation’s most vital assets to walk out of the door every night – its people. There is also no guarantee that it will remain safe and be back tomorrow. Here are the top three people risk mitigations:

  • Keep employees mobile between projects, solutions and technologies. This mitigates the risk of an individual becoming a single point of failure. It also helps to verify that the system documentation is fit for purpose and gives people wider experience and variety
  • Restructure responsibilities to make roles more business process-oriented rather than system-oriented
  • Review promotion and remuneration packages to reflect personal desires to either remain a “system expert” or become a “people manager”. Create levels of seniority independent of the organisation’s hierarchy with associated recognition and rewards.

In conclusion

Systems and people that have always worked satisfactorily for years can become invisible, yet they can be vital to the smooth running of some of your most critical operations. There are several areas of strategic risk including vendor and people risks. The good news is that focusing on these topics and asking some searching questions can help build robust mitigation strategies.

Diegesis LogoDiegesis is a business technology and IT systems integration company that specialises in delivering outcomes using RDBMS, integration and data analytics technology. The company has a proven track record delivering successful projects that provide tangible business value to large and mid-size organisations through the effective combination of people, process and technology. Diegesis specialises in helping organisations to release the hidden knowledge and wisdom from within their entire range of diverse sources of information (documents, emails, core business systems and applications, databases, intranet, internet and presentations) to support swift and effective decision-making.  For more information, visit


Please enter your comment!
Please enter your name here