
Upload: vuongphuc

Post on 21-Mar-2018


INFORMATION TECHNOLOGY SERVICES

Assess the Business Impact of Technology Obsolescence

kpmg.com

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 304517

Contents

Executive Summary

Adopt a Risk Perspective on Technology Management

Understand the Technology-Risk Life Cycle Curve and its Implications

Assess Technology Risks for Better Decision Making

Three Steps to Develop a Unified View of Technology Risk

Step 1: Provide a Complete End-to-End View of Systems Performance and Cost

Step 2: Frame Technical Risk by its Operational and Financial Impacts

Step 3: Use Common Language to Communicate the Risks

Next Steps

Executive Summary

During its life cycle, a business application passes through five stages, from emerging through obsolescence, and each stage has associated business value, costs, and risks. Risks and costs tend to be higher at the early stages, when technology is untested and deployment costs are high, and at the end-of-life, when management must deal with challenges such as interoperability and integration issues, limited functionality, lower-than-expected service levels, extended support contracts, increasingly expensive maintenance, and lack of skills and support from vendors.

Many business executives are unsure, or even unaware, of the risk technical obsolescence presents to the business value of their applications. As a result, companies make poor decisions, take unintended risks, and mismanage related costs. Recommendations to remediate risk and manage costs are complex and frequently inconsistent across the enterprise. Only risk assessments based on objective, fact-based, and external market data are of real value. IT and the business can only make informed decisions and plan their paths forward when the technology risk is understood and quantified.

Technology risk management is a broad, complex process, which neither business leaders nor IT leaders can execute without the other. Working in partnership, the business can provide IT with greater understanding of how the business processes work, and IT can provide business with transparency into the multitude of applications, systems, servers, and other technology components necessary to support the business processes. Gaining this shared view of how the business and technology work together is the foundation for developing a unified view of technology risk and helps executives make better tech-related decisions.

By assessing the risk of end-to-end technology solutions, and not just applications, businesses can work with IT to extract greater value: streamlining business processes, altering upgrade life cycles, and facilitating innovation. Completing a risk assessment of critical applications allows companies to plan both short and long-term actions to understand and mitigate legitimate technology risks in the overall application portfolio.

Many organizations are much better at developing and acquiring applications than they are at retiring them. As a result, they end up managing a large, expensive-to-maintain portfolio of legacy applications. KPMG research reveals that these organizations may be significantly underestimating the cost of operating older applications by not adequately considering the inherent technology risks.


Adopt a Risk Perspective on Technology Management

Many companies looking to trim software costs analyze their technology portfolios from the perspective of licensing costs, vendor relationships, and contract terms; astute CIOs even tie software portfolio road maps to corporate strategies for delivering more business value from IT and enabling business agility. But one important aspect of portfolio management is often neglected: assessing risks associated with technology obsolescence and the associated direct and indirect costs.

Take the example of a major food processing company that found itself in the midst of an enterprise resource planning (ERP) transformation. The plan was to standardize a few business processes and improve and accelerate their outcomes by rolling out a new business application across dozens of lines of business over a number of years. Despite devoting a considerable amount of resources to planning the transformation, business leaders were divided on the proposed solution, with some clamoring to quickly move from their aging legacy systems, while others felt their existing platforms were adequate and their transition could be postponed for a year or more. The CIO was tasked to conduct an assessment of the risks associated with maintaining the status quo and provide recommendations on how to make better decisions around the ongoing technology considerations including the transition planning to a unified ERP solution.

Specifically, the CIO wanted help to assess legacy applications and the infrastructure that supports them in order to identify potential obsolescence risks associated with these technologies. This included assessing product life cycles, support costs, application failure/outage data, and other relevant information to determine technology risks. The assessment results were used to identify costs associated with the risks and include those costs in the ongoing application life cycle management process including the transition from legacy applications to a centralized ERP.

Understand the Technology-Risk Life Cycle Curve and its Implications

When assessing the risks associated with technology, senior executives need to look at how the relationship between technology risk and business value changes over time. Only by putting the organization’s appetite for risk in context with value and time will they be able to make more informed decisions. During their life cycle, most business applications will traverse through five stages (see Figure 1):

Figure 1: The Five Stages of the Technology Life Cycle

1. EMERGING: High strategic potential but limited business adoption

2. GROWTH: Increased degree of alignment with business needs, advancements on application development; limited expertise and knowledge available for implementation and operations

3. MAINSTREAM: Proven and cost-efficient, returning most of value to the business; characterized by an active market of service providers and supplemental solutions

4. CONTAINMENT: Operational in production, maintenance is available but more costly; declining value as business needs start to outpace the capabilities of the technology

5. OBSOLESCENCE: Archaic technology superseded by modernized applications; inability to meet business needs with existing technology


Across these five stages, the business value of the application will generally follow a curve that peaks in the mainstream phase, when the technology is proven, cost-efficient, and returning the most value to the business (see Figure 2). Over the same life cycle, the risk and cost of the application follows a “bathtub curve”: Risks and costs tend to be higher at early stages, when technology is untested and deployment costs are high, and at the end-of-life, when the management has to address challenges such as interoperability and integration issues, limited functionality, lower than expected service levels, extended support contracts, increasingly expensive maintenance, and lack of skills and support from vendors.

Figure 2: Business Value, Risk, and Cost over Technology Life Cycle (Illustrative)

Our experience is that many organizations are much better at managing the risk and cost associated with emerging applications than they are at retiring them. Similar to the food processing company, organizations tend to build portfolios of applications over time and then cannot agree on a common strategy to manage them for optimal business results. Part of the problem is that many business and IT executives significantly underestimate or do not even know the cost of operating older applications and infrastructures, and they are unaware of the risk-to-value gap, which inherently opens during the containment phase and rapidly widens towards the end of the life cycle.

For many applications, investing in upgrades can slow this aging process. Hardware is more challenging given the substitutable nature of the technology and the complexity of component-based enhancements; however, its life cycle is more predictable and through a consistent hardware refresh process, exposure to hardware-based technology risk can be more regularly avoided. But what decision makers need to do is to identify and monitor the risk-to-value gaps in their portfolios and determine when and where they need to invest in retiring or replacing technologies, or extending their life cycles.

Assess Technology Risks for Better Decision Making

Assessing technology risks is not a trivial process. For example, when the executives at the food processing company decided to evaluate the risks of obsolescence in their corporate applications, they first found that the organization was missing the basic capabilities for performing such an assessment.

Many executives are unsure, or even unaware, of the risk obsolescence presents to their technology portfolios. Their uncertainty stems from not having the right data, operating with inconsistent definitions, and dealing with conflicting points of view on need, priority, value, and risk, as many legacy applications have large variation in age and correctness of their documentation. Poor governance further complicates the decision making as often the roles and responsibilities required to manage this information remain unclear and the processes for maintaining and using these insights for decision making are poorly understood or undefined.

As a result, companies make poor decisions, leading to unintended risks and mismanaged related costs. Recommendations to remediate risk and manage costs are complex and typically inconsistent across the enterprise. Only risk assessments based on objective, fact-based, and external market data are of real value. IT and the business can only make informed decisions on paths forward when the technology risk is understood.

[Figure 2: vertical axes Business Value and Risk and Cost (low to high); horizontal axis Time across stages 1 Emerging, 2 Growth, 3 Mainstream, 4 Containment, 5 Obsolescence; annotation: Risk to Value Gap]


Three Steps to Develop a Unified View of Technology Risk

Technology risk management is a broad, complex process, which neither business leaders nor IT leaders can execute without the other. Working in partnership, the business can provide IT with greater understanding of how the business processes work and the value they derive from them, and IT can provide the business with transparency into the multitude of applications, systems, servers, and other technology components necessary to support the business processes. For example, at the food processing company, KPMG facilitated the dialog between business and IT to complete a three-step process that:

1. Analyzed and mapped all components supporting a business process to provide a truer view of end-to-end system performance and cost

2. Framed technical obsolescence by its operational and financial impacts

3. Used a common language to communicate the risk.

These activities should be seen as examples, as each organization is unique, but they are representative of the things that business and technology leaders need to consider when developing a unified view of technology risk.

Step 1: Provide a Complete End-to-End View of Systems Performance and Cost

By assessing the end-to-end risk of technology solutions, and not just applications, businesses can work with IT to extract greater value: streamlining business processes, altering upgrade life cycles, and facilitating innovation. Technology fails in many ways and for many reasons; for example, aging hardware and software or overly complex architectures and management support models. At the food processing company the assessment looked for several technology attributes that have been identified as having the highest likelihood of causing potential business interruption, including:

• Refresh cycles for hardware to validate that the refresh is being done on a timely basis and vendor support is still provided.

• Incident data for software and hardware providing insights about how the current technology works, as well as trend information.

• Identification of older hardware, which is more likely to fail and contain components that are more difficult to source, making replacement costly or even impossible.

• Adequacy of the technical architecture to accommodate the current and future needs for capacity, redundant and high-availability components, as well as to estimate the effort required to implement changes.

• Availability of trained staff, external expertise, vendor warranties, and appropriate service level agreements (SLA) to understand how support is provided now and in the future.

• Performance data and feedback from business users to validate whether the technology meets expectations.

• Existence and validation of documented and tested disaster recovery plans, which can minimize the duration and impact of an outage.

• Maturity levels of IT processes to understand how IT is managing the applications and technologies that support business processes.

Step 2: Frame Technical Risk by its Operational and Financial Impacts

The primary output of a technology risk assessment is a risk profile and summary for each application in scope. At the food processing company, the CIO agreed with the business stakeholders to profile the risks of twelve business critical applications that were within the scope of the ERP transformation.

The technology risk profile of an application is predicated on two assumptions (see Figure 3). The first assumption is that technology will fail, and the failure directly impacts business operations that in turn have immediate and long-term financial impact. The second assumption is that technology operates “normally” but it is inadequately designed and implemented and is robbing the company of opportunities to enhance its operational or financial capabilities. In this case the impact on business operations and financial impacts are calculated as opportunity costs of “normal” activities.

Figure 3: Basic Assumptions, Operational and Financial Impacts Used to Develop Technology Risk Profiles

Assumption: Technology does not work because of outage or unavailability

Operational Impact

• Inability to conduct business

• Loss of resource productivity

• Impacts to up- and down-stream processes

• Loss of synchronization of key data stores

• End-user or customer impact

Financial Impact

• Loss of revenue in up and down-stream processes

• Loss of revenue due to inability to conduct business as usual

• Cost of idle workforce

• Cost of incident and issue resolution

• Cost of retroactive data synchronization between systems and data stores

• Regulatory or compliance penalties

Assumption: Technology works normally but is inadequate to meet business needs

Operational Impact

• Inability to meet current business needs

• Inability to meet needs for future business growth

• Lost competitive advantage opportunities

• Greater time spent on change management

• Greater time spent on training

• Poor speed to production

• Unplanned development, maintenance, and support of “shadow” systems

Financial Impact

• Inability to quickly access new revenue streams

• Inability to increase competitive advantage

• Inability to focus on value-add activities due to burden of “keeping-the-lights-on”

• Cost of extended or third-party support

• Poor resource efficacy due to training required for changes

• Poor resource efficacy due to effort spent on “shadow” systems

Step 3: Use Common Language to Communicate the Risks

The broad-reaching implications of technology obsolescence make it paramount that the executive, business users and technical staff build a common understanding of the risks associated with the technologies supporting their business. Most typically, using a standard template ensures that all relevant facts and findings are captured in one place and the different audiences develop a common understanding of how the organization needs to address its technology risks.

A well-documented risk profile begins with a summary of the application function, its current risk assessment, and the technology risk trend. The profile identifies the business owners of the application, its users, as well as the IT functions responsible for it. The functionality of the application should be briefly summarized, including the application scope, functionality, and the technology footprint. Business growth plans and the ability of the technology to support that growth are also key inputs into the technology risk trend.

Each profile needs to address current state risks and risk trends. The current state risk needs to be quantified using consistent methodology to give a clearer comparative scale when making decisions about the overall application portfolio. The current state should also provide a brief narrative to justify accepting the current state risk if that is an option.

The assessment of technology risk trends is the most important element of the risk profile. This part requires a deep understanding of both technology and business factors. Some examples:

• A system that is not scalable would not be able to support a business with plans to double its revenues through acquisition.

• An application whose current-state risk is low becomes obsolete when regulation changes and/or the organization decides to change the business process that the application supports.

• An application running on an unsupported platform (hardware and/or software) no longer complies with internal policies for business continuity and disaster recovery.


Next Steps

Completing a risk assessment of critical applications allows companies to plan both short- and long-term actions to understand and mitigate legitimate technology risks in the overall application portfolio. Actual next steps will vary and will depend on organizational strategic efforts, risk tolerance, and other factors.

For example, at the food processing company the assessment helped it develop the fact base and common understanding among the stakeholders in support of transitioning to a centralized ERP system when the risks of postponing the move were assessed and factored in. Activities that are likely to result from a robust application risk assessment include:

• IT Services Policy and Category Normalization: review, update, and normalize current application life cycle categories, help desk incident criticality levels, and technology refresh policies

• Application Rationalization, Release Management, and Investment Planning: assess, plan, and conduct projects to increase the productivity and profitability of IT application operations

• Application Risk Assessment Tool Development: development of a common tool set to consistently and regularly assess application risks and life cycle stages, to consider along with total cost of ownership and support

• Application Mapping and Monitoring Tools Deployment: identify and deploy application mapping tools, and also enable and fully deploy global application monitoring tool sets to actively and regularly capture application stability data

• Knowledge Transfer: deployment of application risk assessment tools and processes to internal IT and application support teams to enable ongoing transparency of risk across the portfolio

• IT Service Delivery Charge-back Policy Review: review and update charge-back policies to allow for investment into continuous improvement of applications and reduce unplanned technology investments

How KPMG Can Help

Organizations often find that an external perspective is necessary to reframe questions about technology risk, objectively assess an application’s life cycle state, and relate the implications of technology obsolescence to business users. Looking at technology risk across the technology stack associated with an application or solution, for example, gets to the risk profile that business users recognize (i.e., they don’t care if an issue is actually in the integration layer and not the application; they just know the system is down). KPMG’s role is to provide broad technology expertise as well as the ability to relate the application’s life cycle state to real business needs and consequences.

To that end, KPMG has developed a repeatable process to assess the overall risk of software portfolios including analysis of the identified applications’ existing software release levels and associated hardware within the context of the current and planned business strategy.


Contact us

Matt Bishop
Principal, CIO [email protected]

Bernard J. Brunsman
Principal, CIO [email protected]

Marc E. Snyder
Managing Director, CIO Advisory – Global Centre of [email protected]

kpmg.com/us/IT

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
