Central Government updates
Sign-up to get the latest updates and opportunities from our Central Government programme.
Legacy IT - Reframing the challenge & adopting a comprehensive approach
Legacy systems continue to persist at the heart of UK Public Services and organisations, inhibiting organisational agility, increasing operational risk and cost, and reducing service experience.
Awareness of the presence and barriers legacy technology imposes on delivering effective public services has existed for many years. However, more recently, the topic of legacy has become an increasingly significant priority, as reflected in official reports (NAO, GIAA, etc.), digital strategies, and financial budgets for UK public sector organisations. For example, the CDDO Roadmap for digital and data, 2022 to 2025 states “We need to deal with the costly issue of legacy IT that has been allowed to build up over multiple financial cycles and is now a barrier to the delivery of great policy and services”. This policy is reflected in departmental strategies, such as the Defra Digital & Data Transformation Strategy 2023-2030 and Ministry of Justice (MoJ) Digital Strategy 2025.
Having dealt with legacy systems for more than ten years in private and public sector organisations, I propose that a legacy system is one that no longer meets its fundamental non-functional requirements (NFRs) - usability, security, maintainability, extensibility, supportability, scalability, etc. High-risk legacy systems are those that fail to meet their NFRs, and the effort to address their shortcomings is substantial if not insurmountable or cost prohibitive. For example, a system may no longer be maintainable because expertise is scarce in the market, let alone within an organisation. Similarly, a vendor may no longer support a technology, and extended support cannot be purchased, leading to unaddressed security vulnerabilities. But it is important to distinguish “old” from “legacy” and dispel misconceptions that “new” and “cloud” automatically mean “good” and “fit for purpose.”
When and whether a legacy system needs to be addressed depends on its context, including its active usage, planned life and future intent, importance to the organisation, exposure to potential vulnerabilities, and more. It is crucial to identify, assess, prioritise, and report on legacy systems and their remediation in a consistent manner, establishing data and assessment standards early. The CDDO legacy risk assessment framework embodies much of this and is intended to aid and drive consistency across HMG. This includes the definition of a threshold above which legacy systems are identified as critical – “red-rated.” The challenge is then how best to gather the volume of disparate data needed for this analysis in a scalable and sustainable manner. Automation is critical to success.
Furthermore, it is crucial to understand, plan, and address legacy at an enterprise architecture and “system of systems” level. Replacing individual components with up-to-date versions may address supportability and security issues at a technical and infrastructure level, but it is unlikely to improve end-to-end processes and experiences. Instead, legacy processes, experiences, and architectures will persist over brand-new technology, missing the opportunity to transform and likely failing to achieve the desired outcomes of the organisation.
Through the Crown Commercial Service (CCS) Digital & Legacy Application Service (DALAS) framework, public sector organisations have simplified access to suppliers who can provide IT digital and legacy application services and support the rollout of future applications less dependent on legacy technologies. This, combined with increased prioritisation and funding, has led to the mobilisation of many legacy programmes across HMG. These programmes often involve a complex arrangement of internal teams and third-party suppliers collaborating across different areas of an organisation. The challenge is then how best to segment the legacy landscape and coordinate and govern all initiatives, resources, and changes within legacy programmes, alongside wider transformation efforts and ongoing operations.
It is imperative to address the underlying behaviours that led to each organisation’s accumulation of legacy. In my experience, the root of the problem lies in non-technical aspects, including ineffective funding, resourcing, and governance models. If underlying issues are not addressed by establishing comprehensive enterprise technology management capabilities, efforts to remediate legacy technology will not endure. Often, organisations focus on fixing the technology but not on fixing business behaviours, governance, and management, resulting in legacy systems continually toggling between red-rated and green.
Organisations must shift from short-term, project-based funding to enduring, service- and product-based models. Business leaders must be deeply involved in digital decision-making alongside DDaT leaders. Additionally, organisations must apply a risk-based approach, including technology risks in their enterprise risk register and managing them at the executive level. Technology governance should be embedded across the organisation’s operating model, supported by robust strategies, standards, and policies that balance accelerated delivery through informed and empowered decision-making while maintaining standardisation across the organisation.
Efforts to address legacy must be laser-focused, highly coordinated, and well-governed, driven by data and intelligence that continually identifies, prioritises, plans, and monitors complex and uncertain programmes of work, resources, investments, technologies, stakeholders, suppliers, and timelines. Leading organisations establish a “digital control tower” as a strategic capability that provides end-to-end visibility, insight, automation, and orchestration across their digital business value streams, technology landscape, and portfolio of investments and change. In doing so, they are continually empowered to make effective holistic and risk-based business decisions about their organisation’s digital performance, from executive to operational levels.
Find out more about how ServiceNow are helping UK Government address the legacy challenge.
Heather Cover-Kus
Heather is Head of Central Government Programme at techUK, working to represent the supplier community of tech products and services to Central Government.
Ellie Huckle
Ellie joined techUK in March 2018 as a Programme Assistant to the Public Sector team and now works as a Programme Manager for the Central Government Programme.
Annie Collings
Annie joined techUK as the Programme Manager for Cyber Security and Central Government in September 2023.
Austin Earl
Austin joined techUK’s Central Government team in March 2024 to launch a workstream within Education and EdTech.
Ella Gago-Brookes
Ella joined techUK in November 2023 as a Markets Team Assistant, supporting the Justice and Emergency Services, Central Government and Financial Services Programmes.
Authors
