Managing Legacy Systems & Data – A Comprehensive Technology Management Approach

Legacy systems persist at the heart of UK justice and policing services and organisations, inhibiting organisational agility, increasing operational risk and cost, and reducing service experience. Perhaps one of the best-known examples is the Police National Computer, used by all UK police forces as the primary criminal record database since 1974. Likewise, the legacy National Offender Management Information System is pivotal to the UK justice system.

Awareness of the presence and barriers legacy technology imposes on delivering effective public services has existed for many years. More recently, the topic of legacy has become a significant priority in official reports (NAO, GIAA, etc.), digital strategies, and financial budgets for UK public sector organisations. For example, the Ministry of Justice (MoJ) Digital Strategy 2025 states the need to reduce, if not remove, reliance on all legacy systems, and the HMCTS Reform Programme, started in 2016, has placed upgrading legacy systems at the heart of its next phase. In a recent update to Parliament, it was reported that MoJ, HM Courts and Tribunals Service (HMCTS), and the Home Office have a combined total of 33 red-rated legacy systems. This figure represents over 50% of the total number of red-rated legacy systems reported by the 27 departments onboarded to the CDDO risk assessment framework.

Having dealt with legacy systems for more than ten years in private and public sector organisations, I propose that a legacy system is one that no longer meets its fundamental non-functional requirements (NFRs) - usability, security, maintainability, extensibility, supportability, scalability, etc. High-risk legacy systems are those that fail to meet their NFRs, and the effort to address their shortcomings is substantial if not insurmountable or cost prohibitive. For example, a system may no longer be maintainable because expertise is scarce in the market, let alone within an organisation. Similarly, a vendor may no longer support a technology, and extended support cannot be purchased, leading to unaddressed security vulnerabilities. But it is important to distinguish “old” from “legacy” and dispel misconceptions that “new” and “cloud” automatically mean “good” and “fit for purpose.”

When and whether a legacy system needs to be addressed depends on its context, including its active usage, planned life and future intent, importance to the organisation, exposure to potential vulnerabilities, and more. It is crucial to identify, assess, prioritise, and report on legacy systems and their remediation in a consistent manner, establishing data and assessment standards early. The CDDO legacy risk assessment framework embodies much of this and is intended to aid and drive consistency across HMG. This includes the definition of a threshold above which legacy systems are identified as critical – “red-rated.” The challenge is then how best to gather the volume of disparate data needed for this analysis in a scalable and sustainable manner. Automation is key.

Furthermore, it is crucial to understand, plan, and address legacy at an enterprise architecture and “system of systems” level. Replacing individual components with up-to-date versions may address supportability and security issues at a technical and infrastructure level, but it is unlikely to improve end-to-end processes and experiences. Instead, legacy processes, experiences, and architectures will persist over brand-new technology, missing the opportunity to transform and likely failing to achieve the desired outcomes of the organisation.

Through the Crown Commercial Service (CCS) Digital & Legacy Application Service (DALAS) framework, public sector organisations have simplified access to suppliers who can provide IT digital and legacy application services and support the rollout of future applications less dependent on legacy technologies. This, combined with increased prioritisation and funding, has led to the mobilisation of many legacy programmes across HMG. These programmes often involve a complex arrangement of internal teams and third-party suppliers collaborating across different areas of an organisation. The challenge is then how best to segment the legacy landscape and coordinate and govern all initiatives, resources, and changes within legacy programmes, alongside wider transformation efforts and ongoing operations.

It is imperative to address the underlying behaviours that led to each organisation’s accumulation of legacy. In my experience, the root of the problem lies in non-technical aspects, including ineffective funding, resourcing, and governance models. If underlying issues are not addressed by establishing comprehensive enterprise technology management capabilities, efforts to remediate legacy technology will not endure. Often, organisations focus on fixing the technology but not on fixing business behaviours, governance, and management, resulting in legacy systems continually toggling between red-rated and green.

Organisations must shift from short-term, project-based funding to enduring, service- and product-based models. Business leaders must be deeply involved in digital decision-making alongside DDaT leaders. Additionally, organisations must apply a risk-based approach, including technology risks in their enterprise risk register and managing them at the executive level. Technology governance should be embedded across the organisation’s operating model, supported by robust strategies, standards, and policies that balance accelerated delivery through informed and empowered decision-making while maintaining standardisation across the organisation.

Efforts to address legacy must be laser-focused, highly coordinated, and well-governed, driven by data and intelligence that continually identifies, prioritises, plans, and monitors complex and uncertain programmes of work, resources, investments, technologies, stakeholders, suppliers, and timelines. Leading organisations establish a digital control tower as a strategic capability that provides end-to-end visibility, insight, automation, and orchestration across their digital business value streams, technology landscape, and portfolio of investments and change. In doing so, they are continually empowered to make effective holistic and risk-based business decisions about their organisation’s digital performance, from executive to operational levels.

Find out more about how ServiceNow are helping UK Government address the legacy challenge.

Photo by R.AYDIN: https://www.pexels.com/photo/air-traffic-control-tower-at-belgrade-airport-18949825/

Georgie Morgan

Head of Justice and Emergency Services, techUK

Georgie joined techUK as the Justice and Emergency Services (JES) Programme Manager in March 2020, then becoming Head of Programme in January 2022.

Georgie leads techUK's engagement and activity across our blue light and criminal justice services, engaging with industry and stakeholders to unlock innovation, problem solve, future gaze and highlight the vital role technology plays in the delivery of critical public safety and justice services. The JES programme represents suppliers by creating a voice for those who are selling or looking to break into and navigate the blue light and criminal justice markets.

Prior to joining techUK, Georgie spent 4 and a half years managing a Business Crime Reduction Partnership (BCRP) in Westminster. She worked closely with the Metropolitan Police and London borough councils to prevent and reduce the impact of crime on the business community. Her work ranged from the impact of low-level street crime and anti-social behaviour on the borough, to critical incidents and violent crime.

Email:: [email protected]
LinkedIn:: https://www.linkedin.com/in/georgie-henley/

Read lessmore

Cinzia Miatto

Programme Manager - Justice & Emergency Services, techUK

Cinzia joined techUK in August 2023 as the Justice and Emergency Services (JES) Programme Manager.

The JES programme represents suppliers, championing their interests in the blue light and criminal justice markets, whether they are established entities or newcomers seeking to establish their presence.

Prior to join techUK, Cinzia held positions within the third and public sectors, managing international and multi-disciplinary projects and funding initiatives. Cinzia has a double MA degree in European Studies from the University of Göttingen (Germany) and the University of Udine (Italy), with a focus on politics and international relations.

Email:: [email protected]

Read lessmore

Ella Gago-Brookes

Team Assistant, Markets, techUK

Ella joined techUK in November 2023 as a Markets Team Assistant, supporting the Justice and Emergency Services, Central Government and Financial Services Programmes.

Before joining the team, she was working at the Magistrates' Courts in legal administration and graduated from the University of Liverpool in 2022. Ella attained an undergraduate degree in History and Politics, and a master's degree in International Relations and Security Studies, with a particular interest in studying asylum rights and gendered violence.

In her spare time she enjoys going to the gym, watching true crime documentaries, travelling, and making her best attempts to become a better cook.

Email:: [email protected]

Read lessmore

Digital Justice updates

Sign-up to get the latest updates and opportunities on our work around Digital Justice from our Justice and Emergency Services programme.

Authors

Graham Williamson

Chief Technology Officer for UKI Public Sector, ServiceNow

Return to listing