Beware cumulative end-of-life risk across your software portfolio


Wayne Byres, Chairman of the Australian Prudential Regulation Authority (APRA), addressed the Curious Thinkers conference in Sydney on September 24th. His speech "Peering into a cloudy future" covered a wide range of technology issues and opportunities facing Australia's regulated financial institutions (FIs), including cyber security, cryptocurrencies and banks needing to make data available to customers and competitors. I've included a link to the full speech below.

One of the sections that really caught my attention was Chairman Byres’ comments about the end-of-life and out-of-support risks associated with legacy systems within FIs.  This is not a topic I’ve often seen addressed publicly either by banking executives or by regulators. In the section titled “A Dark Cloud” he specifically mentioned that:

  • there has been persistent underinvestment in the health of systems by banks for many years;

  • this issue is not well understood by peak decision makers (executives and boards); and

  • increased investment will be required for some time to catch up on the backlog of maintenance activities.

I couldn’t agree more that this is an issue that requires more attention by governing boards and executive teams, as well as CIOs, not just within Australia’s FIs, but across all industries that have accumulated significant portfolios of technology over the last few decades.  Organisations in telecommunications, energy, government, transportation and logistics, education, health, mining, and many other industries have all, just like banks, spent decades accumulating sizeable technology portfolios that contain the same end-of-life risk that Wayne Byres is requiring FIs to address.  

I frequently speak to directors and executives about technology end-of-life and mostly hear that they are well aware of specific examples of end-of-life legacy systems within their organisations.  However, I find very few organisations have a good handle on their cumulative end-of-life risk profile, nor how that risk profile is likely to change over the coming years.  Without an understanding of the cumulative end-of-life risk it is not possible to assess whether or not technology related operational risk will remain within risk appetite. It is also impossible to know whether or not the organisation’s investment capacity and technology delivery capacity will be sufficient to sustainably address the forecast levels of remediation work. 

An analogy I find useful as a mental model is to look at an organisation's portfolio of technology systems the way an airline looks at its fleet of aircraft. For an airline, the acquisition of new planes is indeed one important way that the size, age and performance of the fleet can change. Yet understanding the investment in new planes is necessary but not sufficient to govern the sustainable, safe and profitable operation of the entire fleet. Peak decision makers within airlines also need to govern other aspects of the fleet such as:

  • the timing of decommissioning or sale of older aircraft, and

  • the oversight of maintenance activities throughout the useful life of the aircraft in the fleet.  

For illustrative purposes let's take a medium sized airline, like Qantas, that operates around 300 aircraft. If the airline were to decommission its oldest 10 aircraft and buy 10 new aircraft each year, every aircraft would be retired at roughly 30 years of age, the ages across the fleet would be spread evenly between new and 30 years, and the average age of the fleet would remain stable at around 15 years. However, if our illustrative airline were to stop purchasing new aircraft or decommissioning any aircraft, then the average age of the entire fleet would increase by a year, every year. Under this scenario, even if no major incidents have occurred yet, owners and owners' representatives would no doubt be keen to understand whether or not the ageing of the fleet presented any threat to the on-going safety record of the airline. They would also be keen to understand more about the sustainability of current financial performance and/or be concerned about the airline's ability to survive in the medium to long term with this profile of underinvestment in the fleet.

Just as an airline's board and executive team would be expected to understand all the key dimensions of their fleet, an organisation that depends on its technology portfolio for both day to day operations and execution of its strategy should ensure its peak decision makers are across the key dimensions of its system portfolio, including:

  1. How many systems does the organisation have?

  2. What is the average age of those systems?

  3. How many new systems were added in the last year?

  4. How many were decommissioned in the last year?

  5. How many systems will be out-of-support and/or end-of-life over the next year?

  6. How many major version upgrades were completed across the portfolio over the last year?

  7. When you combine all of the above how much older or younger did the whole portfolio get in the last year?  
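The seven questions above are answerable from a system inventory if that inventory records a handful of dates per system. The script below is an added example, not code from the article or from CAP2ITS; it runs over a small constructed inventory and computes each of the seven measures for the twelve months ending at a chosen date. Two modelling assumptions are mine and are marked in the code: a completed major version upgrade resets a system's age (so question 6 can feed into question 7), and a system with no recorded support-end date is reported as a gap rather than silently treated as supported.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class System:
    """One row of a system inventory / CMDB export (constructed; field names are assumptions)."""
    name: str
    go_live: date
    support_ends: Optional[date]             # vendor or platform end-of-support; None = not recorded
    last_major_upgrade: Optional[date] = None
    decommissioned: Optional[date] = None


def shift_years(d: date, n: int) -> date:
    """Move a date by whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def active_on(s: System, day: date) -> bool:
    """A system is in the portfolio from go-live until (not including) its decommission date."""
    return s.go_live <= day and (s.decommissioned is None or s.decommissioned > day)


def effective_age(s: System, day: date) -> float:
    """Age in years, counted from the later of go-live and the last completed major upgrade.

    Modelling assumption (mine, not the article's): a major version upgrade resets the clock,
    which is what lets major upgrades (question 6) make the portfolio younger (question 7).
    """
    start = s.go_live
    if s.last_major_upgrade is not None and s.last_major_upgrade <= day:
        start = max(start, s.last_major_upgrade)
    return (day - start).days / 365.25


def average_age(systems, day: date) -> float:
    ages = [effective_age(s, day) for s in systems if active_on(s, day)]
    return sum(ages) / len(ages) if ages else 0.0


def portfolio_report(systems, as_of: date) -> dict:
    """Answer the seven portfolio questions for the twelve months ending at as_of."""
    year_ago, horizon = shift_years(as_of, -1), shift_years(as_of, 1)
    live = [s for s in systems if active_on(s, as_of)]
    avg_now, avg_then = average_age(systems, as_of), average_age(systems, year_ago)
    return {
        "systems": len(live),                                                               # Q1
        "average_age": round(avg_now, 2),                                                   # Q2
        "added_last_year": sorted(s.name for s in systems
                                  if year_ago < s.go_live <= as_of),                        # Q3
        "decommissioned_last_year": sorted(s.name for s in systems if s.decommissioned
                                           and year_ago < s.decommissioned <= as_of),       # Q4
        # Q5 is split: already out of support, leaving support within a year, and unknown.
        "out_of_support_now": sorted(s.name for s in live if s.support_ends
                                     and s.support_ends <= as_of),
        "support_ends_within_year": sorted(s.name for s in live if s.support_ends
                                           and as_of < s.support_ends <= horizon),
        "support_end_unknown": sorted(s.name for s in live if s.support_ends is None),
        "major_upgrades_last_year": sorted(s.name for s in systems if s.last_major_upgrade
                                           and year_ago < s.last_major_upgrade <= as_of),   # Q6
        "average_age_change": round(avg_now - avg_then, 2),   # Q7: positive means the portfolio aged
    }


# Constructed sample inventory; every system and date below is invented for illustration.
INVENTORY = [
    System("core-banking-mainframe", date(1998, 3, 1), date(2026, 12, 31), last_major_upgrade=date(2012, 5, 1)),
    System("payments-gateway", date(2009, 9, 15), date(2024, 12, 31)),
    System("hr-suite", date(2015, 1, 10), date(2023, 12, 31)),
    System("legacy-crm", date(2004, 6, 1), date(2020, 6, 30), decommissioned=date(2024, 2, 29)),
    System("data-lake", date(2023, 11, 1), date(2028, 11, 1)),
    System("erp", date(2011, 4, 1), date(2027, 3, 31), last_major_upgrade=date(2024, 3, 15)),
    System("identity-provider", date(2019, 7, 1), None),
]
AS_OF = date(2024, 6, 30)

if __name__ == "__main__":
    for key, value in portfolio_report(INVENTORY, AS_OF).items():
        print(f"{key:28s} {value}")
```

On this sample the portfolio gets younger over the year, because one 19-year-old system was decommissioned, one was upgraded and one was added; run the same report with the decommission, upgrade and addition removed and the average age rises by exactly one year, which is the airline fleet that has stopped buying and retiring planes. The `support_end_unknown` list is worth keeping separate: a system whose support-end date nobody recorded is an inventory gap, not a system with no end-of-life risk.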

Each time I’ve been through this exercise over the last few years, peak decision makers have been surprised at:

  1. the large size of their technology portfolio, with software applications often numbering in the thousands, 

  2. the slow pace at which it changes, because the number of additions, major upgrades and decommissions delivered each year is small relative to the size of the portfolio (much as an airline adds and retires only a modest number of planes each year), so significantly reshaping the technology portfolio takes years,

  3. the older than expected average system age, and

  4. of most concern, how rapidly the fleet is ageing, i.e. their current approach is not sustainable.

Bottom line is... governance changes are needed to give peak decision makers both visibility and insights into the size, age and health of their technology systems portfolio. Once this foundational understanding is established, it becomes easier to then build the broader understanding peak decision makers need across areas like operational risk mitigation, disruption risk mitigation and the setting of the investment envelope needed to sustainably operate the technology portfolio.

If you need help with governance of your technology performance and risk, feel free to reach out to me on david.boyle@cap2its.com.

Wayne Byres' address to the Curious Thinkers conference in Sydney on September 24th:

https://www.apra.gov.au/media-centre/speeches/peering-cloudy-future


About the author: David Boyle’s IT career over 30 years spans both the buy side and sell side of technology services.  He’s worked with Accenture, EY, Commonwealth Bank of Australia and until recently was the Group CIO at NAB.  David is now the Managing Director of CAP2ITS, a technology advisory firm focusing on technology strategy, performance and risk. 
