Buried in the PAC report is the fact that government digital services often rely on outdated and unsupported legacy IT systems. The report’s authors said that in December 2021, the PAC examined challenges in implementing digital change.
“We concluded that there was no clear plan to replace or modernise legacy systems and data that were critical to service provision but were often old, unsupportable, vulnerable and a constraint on transformation,” the report’s authors noted.
Challenges at Defra
According to the 2021 Spending review, Defra received £871m for digital investment for 2021–2025, of which £366m was to modernise its legacy IT, representing over 40% of the allocated digital investment budget, the PAC report said.
As part of its review of legacy applications, Defra told the PAC it had been able to migrate away from 30 legacy systems onto modern alternatives, which both improved efficiency and created cost savings. Defra told the PAC that it needs to spend £726m on modernising legacy services between 2021 and 2025, but there was scope for saving £20–25m per year if it modernised all its IT.
However, the PAC said Defra was unable to calculate the efficiency gains achievable through modernising IT, which it would need in order to determine a true return on investment. “It could not tell us how many additional people it employed because of the legacy systems it used,” the authors wrote.
Alex Case, public sector industry principal at Pegasystems, who previously worked at Number 10 on overseeing cross-Whitehall Brexit, said: “Many agricultural and environmental grants, subsidy and regulation programmes were linked to the EU that Defra have had to review and effectively recreate huge amounts of their core policies and operational processes.”
In Case’s experience, government IT suffers from being relatively short-termist. While commercial organisations have short-term objectives, like quarterly earnings, Case said that they are still able to plan long-term IT infrastructure.
“Many years ago, I worked in the Treasury department and, more recently, the Cabinet Office,” he said, adding that both tend to focus on what is going to happen tomorrow or next week, responding to immediate pressures, political pressures and service pressures. He said that funding tends to go where there are pressing needs.
In the Spending review 2021, the government committed to investing £2.6bn in cyber and legacy IT. At the time, the Central Digital & Data Office (CDDO) said it would aim to implement a framework across ministerial departments by the end of 2022.
The CDDO has identified departments’ existing operational structures as an impediment to achieving greater efficiencies.
In March 2023, the National Audit Office published Digital transformation in government: addressing the barriers to efficiency, which found that departments have insufficient information on their legacy services and it is often easier to bid for capital funding for new developments than to resource funding to maintain existing services and keep them up to date.
The question of what to do with older IT systems is not new. Many organisations faced the prospect of upgrading their enterprise software in the build-up to the millennium, due to the Y2K bug. The public sector and large commercial organisations realised the benefits of running commercial off-the-shelf enterprise systems.
But two decades on, these are now showing their age and need replacement. However, as Martin Biggs, managing director of EMEA at third-party support firm Spinnaker, points out, enterprise software publishers want their customers to upgrade on-premises legacy systems to new cloud-based offerings.
“They are not providing comprehensive support,” he said, adding that patches for known risks are not being provided for older software. Biggs said that, with the currently supported version of legacy software, it takes months, sometimes over a year, to resolve support issues. “Enterprise software companies are not keen on helping their customers to keep older systems running.”
A different approach to rip out and replace
Third-party support has a role to play when a core system of record needs to be maintained long term, due to the risk of failure if it were to be updated or replaced. In the past, public sector and commercial organisations have built fancy front ends that sit in front of the legacy IT, in what Case describes as “putting lipstick on a pig” because the underlying business process behind the front end is fundamentally out of date.
The PAC found that Defra has yet to calculate the efficiency gains achievable through modernising IT. As the CDDO rolls out its framework for modernising legacy systems in government departments, there are likely to be plenty of opportunities to reassess existing process flows. Case and other supporters of low-code tooling see a huge opportunity in government for such software to create greater efficiency without requiring the core system of record to be replaced.
There is a security benefit in using a low-code platform to build access to back-end legacy IT services. When a system is citizen- or customer-facing, it has a far larger attack surface than if it is kept in a sandbox with only limited access to the services it provides. Low-code platforms offer the potential to put the legacy system in a sandbox, so that the services the legacy IT system provides are only surfaced via controls in the low-code tool.
There is inevitably a cost in keeping the legacy system running, but as more business processes are built around it, Case believes that the footprint of the legacy system – in terms of the data it holds and the business processes that are managed through it – gets smaller over time until it is no longer required.
In the short and mid term, Case might be right that low code offers a viable way to enable government departments to fix legacy IT. But CIOs who adopt a low-code strategy to replace a monolithic IT system may be building a legacy of low-code applications and data sprawl that will inevitably have its own IT headaches.




