Dr. Knapton is the founder of Rocky Mountain CIO, a company providing fractional CIO services to small and medium sized businesses.
getty
Since publishing my article last year on measuring and managing tech debt, I have had many people contact me to discuss technical debt and to share how it has affected their organizations. In this article, I want to address the connection between tech debt and systemic risk.
The concept of systemic risk entered the common vernacular during the financial crisis and was initially focused primarily on the global financial system. Systemic risk is “the potential for a failure or crisis in one or more parts of the financial system to spread and cause widespread disruption to the entire system.” The concept is easily applied to enterprise IT systems, specifically in cybersecurity and overall stability, both of which are directly attributable to high tech debt leverage.
We are currently witnessing a significant shift as boardrooms are being forced to address systemic risk. The recent changes announced by the SEC regarding cybersecurity expertise on boards are part of that shift, and boards and executive teams are being tasked with directly addressing systemic risk within their organizations. Systemic risk is one of the biggest challenges facing most organizations today, and tech debt is one of the primary drivers of systemic risk. And most executive teams don’t pay attention to either one. Yet.
I was once brought in to help a company that had started its digital transformation but had made several key mistakes launching its transformation, and it was struggling to gain traction. By the time they brought me in, they were two years and $10 million into their transformation, yet they had nothing running in production on their new platform. They had taken a “build it and they will come” approach, which equates to a “big bang” rollout. While the new platform was being built on cloud services, the old platform was running on unpatched on-prem servers that were over a decade old, and using code libraries that were four major revisions behind. No one was worried about upgrading any of these systems because the new platform was going live “any day.”
To make matters worse, their top-line revenue was diminishing quickly due to a perfect storm of business factors, including bleak macroeconomic conditions and poor executive decisions that led to regulatory scrutiny related to their core business. Time was not on their side, and the transformation was in serious jeopardy. To say that it was a very challenging time for this company would be a significant understatement.
At first, we made significant progress in setting up the new platform and building out the functionality to accept production workflows. We connected the data pipelines and replaced key workflows as we introduced the new platform to the lines of business. But the progress wasn’t fast enough, as the revenues dropped off faster than anyone had predicted. The business could no longer sustain the cost of maintaining both production platforms, and we arrived at a key inflection point; we needed to either go all in on the new platform or we needed to halt the transformation and revert to the old system completely. But we now had a foot on both sides of the fence; there were active production workflows running through both systems, so either way would mean some immediate changes to someone’s business processes. The hard costs were about the same for either solution, as migrating to the new platform would remove around $5 million in duplicative capabilities from old systems, and removing the new platform from the budget would have a similar effect on the budget, not counting the sunk cost of the implementation to date.
To continue with the transformation meant making some difficult decisions around existing solutions. We would need to accelerate the move to the new platform and remove duplication across the enterprise by moving workflows into the new platform and retiring old systems faster than initially planned. Giving up on the transformation would mean trying to extract another year or two out of the old systems and writing off the over $10 million in sunk costs of the new platform. The CEO decided on the latter. In his opinion, we needed to stop throwing good money after bad. The old systems were comfortable, and he felt confident that his team could make all the needed upgrades to just keep it running for another year or so until the revenues supported taking another run at a transformation. In his words, we were going to “kick the can.”
What was missed in this decision was an evaluation of the systemic risk involved. Remaining on the old system brought with it a risk of downtime, risk of a security breach and risk of losing key data and systems. The new platform had better backup/recovery, better security and significantly greater overall stability. But the old systems were comfortable, like an old pair of boots that have served them well for 20 years.
This is the significant challenge that tech debt brings to an organization. It hides under the cover of “working systems” in the background. The byproduct of tech debt is systemic risk. These aging platforms carry with them the risk of failing due to aging infrastructure and unreliable hardware, and even more importantly they have the chance of being unable to support new workflows due to poor data structures and limited connectivity options for new data pipelines. So the systemic risk builds quietly, behind the scenes, while businesses function seemingly smoothly. Unless the impact of tech debt leverage is understood, funding will be diverted and transformational activities will be delayed. And systemic risk will continue to build up undetected.
It is only by quantifying your tech debt that you can understand its effect on systemic risk, and then you can have a basis for discussion with the executive team around risk reduction by managing tech debt. Without the qualification of tech debt, business decisions will be made based on the old, comfortable, current status quo. And systemic risk will increase.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
