Managing Legacy Systems & Data – A Comprehensive Technology Management Approach
Legacy systems persist at the heart of UK justice and policing services and organisations, inhibiting organisational agility, increasing operational risk and cost, and degrading the service experience. Perhaps one of the best-known examples is the Police National Computer, used by all UK police forces as the primary criminal record database since 1974. Likewise, the legacy National Offender Management Information System is pivotal to the UK justice system.
Awareness of the presence of legacy technology, and of the barriers it imposes on delivering effective public services, has existed for many years. More recently, the topic of legacy has become a significant priority in official reports (NAO, GIAA, etc.), digital strategies, and financial budgets for UK public sector organisations. For example, the Ministry of Justice (MoJ) Digital Strategy 2025 states the need to reduce, if not remove, reliance on all legacy systems, and the HMCTS Reform Programme, started in 2016, has placed upgrading legacy systems at the heart of its next phase. In a recent update to Parliament, it was reported that MoJ, HM Courts and Tribunals Service (HMCTS), and the Home Office have a combined total of 33 red-rated legacy systems. This figure represents over 50% of the total number of red-rated legacy systems reported by the 27 departments onboarded to the CDDO risk assessment framework.
Having dealt with legacy systems for more than ten years in private and public sector organisations, I propose that a legacy system is one that no longer meets its fundamental non-functional requirements (NFRs) - usability, security, maintainability, extensibility, supportability, scalability, etc. High-risk legacy systems are those that fail to meet their NFRs and for which the effort to address the shortcomings is substantial, if not insurmountable or cost prohibitive. For example, a system may no longer be maintainable because expertise is scarce in the market, let alone within an organisation. Similarly, a vendor may no longer support a technology, and extended support cannot be purchased, leading to unaddressed security vulnerabilities. But it is important to distinguish “old” from “legacy” and dispel misconceptions that “new” and “cloud” automatically mean “good” and “fit for purpose.”
When and whether a legacy system needs to be addressed depends on its context, including its active usage, planned life and future intent, importance to the organisation, exposure to potential vulnerabilities, and more. It is crucial to identify, assess, prioritise, and report on legacy systems and their remediation in a consistent manner, establishing data and assessment standards early. The CDDO legacy risk assessment framework embodies much of this and is intended to aid and drive consistency across HMG. This includes the definition of a threshold above which legacy systems are identified as critical – “red-rated.” The challenge is then how best to gather the volume of disparate data needed for this analysis in a scalable and sustainable manner. Automation is key.
Furthermore, it is crucial to understand, plan, and address legacy at an enterprise architecture and “system of systems” level. Replacing individual components with up-to-date versions may address supportability and security issues at a technical and infrastructure level, but it is unlikely to improve end-to-end processes and experiences. Instead, legacy processes, experiences, and architectures will persist over brand-new technology, missing the opportunity to transform and likely failing to achieve the desired outcomes of the organisation.
Through the Crown Commercial Service (CCS) Digital & Legacy Application Service (DALAS) framework, public sector organisations have simplified access to suppliers who can provide IT digital and legacy application services and support the rollout of future applications less dependent on legacy technologies. This, combined with increased prioritisation and funding, has led to the mobilisation of many legacy programmes across HMG. These programmes often involve a complex arrangement of internal teams and third-party suppliers collaborating across different areas of an organisation. The challenge is then how best to segment the legacy landscape and coordinate and govern all initiatives, resources, and changes within legacy programmes, alongside wider transformation efforts and ongoing operations.
It is imperative to address the underlying behaviours that led to each organisation’s accumulation of legacy. In my experience, the root of the problem lies in non-technical aspects, including ineffective funding, resourcing, and governance models. If underlying issues are not addressed by establishing comprehensive enterprise technology management capabilities, efforts to remediate legacy technology will not endure. Often, organisations focus on fixing the technology but not on fixing business behaviours, governance, and management, resulting in legacy systems continually toggling between red-rated and green.
Organisations must shift from short-term, project-based funding to enduring, service- and product-based models. Business leaders must be deeply involved in digital decision-making alongside DDaT leaders. Additionally, organisations must apply a risk-based approach, including technology risks in their enterprise risk register and managing them at the executive level. Technology governance should be embedded across the organisation’s operating model, supported by robust strategies, standards, and policies that balance accelerated delivery, through informed and empowered decision-making, with standardisation across the organisation.
Efforts to address legacy must be laser-focused, highly coordinated, and well-governed, driven by data and intelligence that continually identifies, prioritises, plans, and monitors complex and uncertain programmes of work, resources, investments, technologies, stakeholders, suppliers, and timelines. Leading organisations establish a digital control tower as a strategic capability that provides end-to-end visibility, insight, automation, and orchestration across their digital business value streams, technology landscape, and portfolio of investments and change. In doing so, they are continually empowered to make effective holistic and risk-based business decisions about their organisation’s digital performance, from executive to operational levels.
Find out more about how ServiceNow are helping UK Government address the legacy challenge.