Despite the many millions of pounds of taxpayers' money that have been spent modernising IT systems across the public sector, serious concerns remain that critical public services are overly reliant on old technology. Some believe that it's only a matter of time before legacy systems that are already creaking under the strain will come crashing down. But in this age of austerity and in the face of a number of high-profile public sector IT projects that are not running to schedule or budget, politicians are reluctant to be seen to be pushing new and expensive modernisation programmes. Last week, the National Audit Office published its report into how the risks of legacy ICT to delivery of public services can be managed. Although focussing on the public sector, the NAO findings should prove to be equally applicable to those private sector companies with an unhealthy reliance on outdated technology.

The NAO report estimates that in 2011-12 at least £480 billion of the government’s operating revenues and at least £210 billion of non-staff expenditure such as pensions and entitlements had some dependency on legacy ICT. Consequently, effective management of legacy IT is imperative in order to maintain the performance of these services. The report highlights that dependence on old technology inhibits the implementation of new policies and the roll-out of improvements in public services. In addition, this dependence has resulted in over-reliance on long-term contracts with large IT service providers and in increased costs, both in maintaining legacy systems and in the provision of public services.

Clearly, there is no quick fix, and quite rightly, the report stresses that the cost and risks of staying with legacy systems should be weighed against the cost and risk of implementing replacement IT before any strategy for change is embarked upon. Unfortunately, this sort of assessment has all too often been overlooked, sometimes with disastrous results.

In reaching its findings, the NAO draws on the lessons learned from four government case studies: the DWP's pension service; HMRC's VAT collection service; the NHS Business Services Authority's prescription payment service; and the OFT's consumer credit licensing service. The findings themselves highlight three strategies typically used in the management of legacy ICT (the meanings of which are self-evident):

  • "no change"
  • "enhance and maintain"
  • "replace"

The case studies demonstrate that legacy systems that are well managed and adapted (if that is possible) can deliver continuity of service and enhanced functionality successfully. They also show that, done well, the implementation of new systems can deliver benefits such as increased efficiencies and cost savings. Conversely, adopting a "no change" approach will cause the size and probability of risks to increase over time, in particular those common risks that the NAO identified in the four case studies, namely:

  • Higher security vulnerabilities
  • Lock-in to uncompetitive, single supplier support arrangements
  • Skills necessary to support legacy ICT become scarcer, leading to gaps in capability
  • Manual processes proliferate to overcome difficulties in adapting legacy ICT to meet changing business needs
  • Legacy ICT is harder to adapt to meet changing business needs
  • Hidden costs arise as new business processes are introduced to compensate for the limited adaptability of the legacy ICT system
  • Increased complexity caused by additional interfaces and connections with other systems makes routine changes to legacy ICT costly and protracted

In concluding, the NAO questions whether, in the face of changes to the way that government commissions public services to make them digital, cheaper and more adaptable to user needs, the existing approaches to legacy ICT will be sufficient to deliver the transformation envisaged by the government's digital strategy. It also makes a number of recommendations. For those transforming public services involving legacy ICT, it recommends that public bodies should:

  • ensure that they have a full analysis of cost, performance and risks of their service over time and of the impact of legacy ICT;
  • draw more on cross-government comparisons and examples of best practice of managing legacy ICT while transforming to digital; and
  • ensure that managers of public services are fully aware of the risks to their services posed by legacy ICT.

For the Cabinet Office, it recommends:

  • a response to the demand across government for the Cabinet Office to do more to support public bodies in making change and delivering service improvement involving legacy ICT, including knowledge sharing and offering practical guidance; and
  • as well as organisations following existing Cabinet Office guidelines and advice, in deciding what additional support to offer, the Cabinet Office should listen to the needs of service managers and those undertaking digital transformation across government.

The full report can be found here.