Calculating the Risks of Replacing Tried and Tested Technology

Any business activity has risk associated with it.  We assess risk by considering the probability that a particular thing will happen and the impact if it does. The issue is then to calculate the appetite for risk.  Despite the potential for things to go wrong, an organisation with corporate knowledge embedded in proven business practices and delivered by trained and well managed people; knows how to deliver work involving significant risk with confidence of a successful outcome.

Situations with a significant level of risk can become opportunities to win business. If an organisation can demonstrate its understanding of risk and management strategies, it can be trusted to deliver on time and to budget.  A quotation for business from such a supplier may be more expensive, with the suspicion that a risk premium is being charged to increase profitability. In fact, usually a win-win results because of transparency in identifying and pricing in the additional risk activities, with success and reward driven by delivering to plan.  An organisation’s “appetite for risk” describes its desire to take on risky projects because it is confident of delivering more reliably than its competitors

Classifying risks

Risk can be categorised into classes. Some risks relate to an ability to deliver a desired outcome and depend directly on the competency to manage the risk.  Other risks are external and often beyond our control, such as changes to interest rates, the emergence of a new competitor, an extreme weather event such as flooding, or external cyber security attacks.

Risk can also be classified as operational or project risk.  Operational risk typically relates to risks to processes such as cyber security, an accident, a process mistake or fraud by staff.  We should expect such risks and use our skill to minimise the number of occurrences and the impact of each, for example to ensure an incident does not stop production.

Project risk typically relates to specific activities, perhaps things that only happen once. We can plan around that activity and remove the risk once the activity has been successfully delivered.  Data transformation projects are material examples of projects involving substantial risk because within an organisation they are infrequent and the project management skills needed inhouse to successfully pilot such important programmes may not exist.

Risks specific to IT migration projects

Typical IT migration projects include moving key business systems from on premise to the cloud, or migrating from one application, which is bespoke or from a trusted vendor, to another application from a new provider. Such fundamental changes can affect the running of core business processes.  These changes may be performed decades apart and so management experience from previous projects has often been lost.

Beyond pure project management skills of how to set up, run, monitor and keep the project on time and within budget, IT migration projects need people who can understand the current state as well as the desired future state. This can be a tall order because legacy technologies used to run the business may have few remaining experts in the workforce and the ‘To Be’ state may feature cutting-edge technology needing new skills that are often in high demand and so are expensive and hard to find.

Take input from across the business

Migration projects should not be considered as purely the realm of IT as often they cover the mission critical systems which enable the business to run its core operations. Project delays or failure could risk revenue, profits, contractual and legal obligations, reputation and brand value or even the survival of the whole enterprise.

It is important to first identify as many potential risks as possible, which might relate to the type of IT migration project being planned. This will be most successful if a wide range of perspectives from across the business are sought, for example, finance, human resources and production. End users, partners, suppliers and major customers could also provide valuable input.

IT risks – one major risk category

Typically for IT migration projects technology-related risks will provide one of the most important categories for in-depth consideration. Risks are likely to include those related to data, hardware, software, the technology platform and IT personnel.

Often the driver for an IT migration project is that the current system is out of date or under-performing. Unfortunately, these imperatives also lead to some of the most severe risks for migration projects. As legacy systems age, the employees who understand how they work, their history, how potential catastrophes in the past were averted etc. become rarer, indispensable and probably more expensive.

Such employees are vital to keep the current applications and the business running – while at the same time documenting the ‘AS IS’ state which indicates which data, processes and interfaces need to be replaced and improved upon by the new system. This reliance on a small pool of ‘experts’ can bring its own risks as the employees inflate their perceived value or may be lost to early retirement.

Business risks

Beyond the pure IT-related risks are wider business and timing risks which could also have significant impacts. How critical is the IT system to running core business processes? Will the migration project coincide with critical business events like year-end, peak sales periods or planned mergers and acquisitions?

What would the business impacts be if key project milestones or go-live dates were missed? There may only be a single window of opportunity to get the project done. Or if an implementation date is missed, the whole project might have to be delayed, maybe for as long as a year until timing criteria are met again. The most successful packaged software sales people have often been the ones to identify customers’ ‘burning platforms’ and exploit these for commercial gain.

The fabled ‘Y2K bug’ which drove many migrations from inhouse written software to third party packages is probably the greatest example of a ‘burning platform’ – projects had to be completed by December 31st, 1999, there was no opportunity for delay. Likewise, legislation changes can provide immovable deadlines for project delivery.

Consider wider risks

Recent experiences due to COVID and the invasion of Ukraine indicate that additional risks could originate from geopolitical events affecting the global economy. It’s worth scanning further than your immediate horizon for such ‘black swans’. There are many third parties which publish annual lists of global risks such as the World Economic Forum (WEF)[1] and investment advisors like Blackrock.

An example from Blackrock’s latest Top 10 Global Risks list[2] is the IT impact of rising tensions between the US and China. This might mean some technologies rapidly disappear. Huawei’s removal as a potential-provider springs to mind. The UK government has ruled that the vendor’s technology must be removed from 5G networks by 2027. The banning of TikTok provides another example. Could other vendors and solutions be banned if tensions with China continue to increase?

The rise of AI solutions such as ChatGPT and Bard are great examples of technology disruptors which appear rapidly from leftfield. Such solutions, which seemingly come from nowhere, could start to dominate IT investment thinking, raise questions on existing projects and introduce new risks.

The tipping point for cloud migration?

A Time magazine article[3] from October 2022 reports that the Taiwan Semiconductor Manufacturing Company (TSMC) is the world’s largest producer of the semiconductors that power phones, computers, and data centres. The story highlights that “TSMC has around 55% of the global market for contract chip fabrication, far above OPEC’s 40% market share for oil. And unlike the oil market, where each barrel is more or less the same, there are vast differences between types of chip.” An escalation in tensions between China and Taiwan could reduce chip availability and dislocate the global economy.

Global risks such as these should not derail IT migration projects but research into their likelihood might change the timing of elements of the project. New kit could be ordered much earlier or from different sources to increase the certainty it will be available when needed. Hardware availability risks might even become the impetus to make the IT migration project about moving to the cloud, rather than just switching from one inhouse system to another.

How Diegesis can help

Diegesis is a UK-based business technology and IT systems integration company. We bring over 30 years’ experience in data management across both public and private sectors to data migration projects.

Our experienced consulting team combines expertise in legacy technologies such as Ingres, Informix and Db2 with the latest practices in developing and deploying solutions on Amazon AWS, Microsoft Azure and Google GCP cloud platforms.

[1] World Economic Forum Global Risks report 2023


[2] Blackrock Geopolitical Risk Dashboard

[3] Time magazine – “The Chips That Make Taiwan the Center of the World”