Home > Articles > Programming

Risk-Managed Modernization of Legacy Systems

📄 Contents

  1. Risk Management
  2. Summary
Discover the risk-managed modernization (RMM) approach to update your legacy system. Review the topic of risk management and then go onto explore the use of portfolio analysis to select candidate systems for modernization and the activities involved in risk-managed modernization.
This chapter is from the book

First ponder, then dare.
—Helmuth von Moltke (1800–1891)

We are prepared to take risks, but intelligent risks. The policy of being too cautious is the greatest risk of all.
—Jawaharlal Nehru, Speech to Parliament New Delhi, 18 February 1953

The modernization approach described in this book integrates software engineering concepts with an organized understanding of the information systems technologies that both constrain and define the solution space. The objective of this approach is effective risk management and mitigation leading to the development of a modernization plan that minimizes the risk of the modernization effort.

This chapter introduces the risk-managed modernization (RMM) approach. This chapter briefly reviews the topic of risk management, recommends the use of portfolio analysis to select candidate systems for modernization, and introduces the activities involved in risk-managed modernization. The rest of the book expands on these activities and uses the case study introduced in Chapter 2 to illustrate this approach.

3.1 Risk Management

Risk management is a software engineering practice that continuously assesses what can go wrong (risks) determines what risks are important, and implements strategies to deal with those risks. Risk management is not a new idea; it is an integral element of the spiral development process developed by Barry Boehm [Boehm 88] and is documented in a large body of work [Boehm 91, Karolak 96, Higuera 96, Hall 98].

Figure 3-1 illustrates a UML activity diagram of the RMM approach. Ovals in the diagram represent activities. Arrows represent transition between activities. The horizontal synchronization bars require completion of the previous activities before starting new ones. The process starts with a modernization project that has been selected using portfolio analysis. The end state for the process is an integrated modernization plan.

Figure 3-1Figure 3-1 Risk-managed modernization approach

Portfolio Analysis

The portfolio analysis establishes measures of technical quality and business value for a set of systems and evaluates this set against the measures [Warren 99].

Technical quality is the measure of goodness of an application or system against a defined set of technical criteria. Example criteria for technical quality include frequency of new releases, ease of making changes, hardware and software reliability, organizational infrastructure, system performance, accuracy, ease of operation, availability of training, and number of vendor related tools and hardware.

Business value is a measure of importance of the system or application to the organization. Example criteria for business value include contribution to profit, level of usage, number of business goals satisfied, system value, user satisfaction and the value of the information that the system or application stores.

Legacy systems are evaluated against these measures and positioned on a portfolio analysis graph, such as the one shown in Figure 3-2. Positioning a system in one of these quadrants requires the establishment of criteria to measure technical quality as well as business value. The quadrant each system appears in can suggest an appropriate evolution strategy.

Figure 3-2Figure 3-2 Portfolio analysis graph

Quadrant 1: Systems having low business value and poor technical quality are logical candidates for replacement with commercial packages, for two reasons. First, because they have low technical quality, they need to be improved or replaced. Second, because they have low business value, they do not provide any critical services or support any core competencies. These systems may be used for payroll, human resources, or similar services that are not specific to the company's core business.

Quadrant 2: Systems with high technical quality and low business value should not require reengineering, modernization, or replacement efforts.

Quadrant 3: High-quality systems with high business value should be actively evolved, using the evolutionary development practices discussed in Chapter 1.

Quadrant 4: Systems with high business value and low technical quality are the best candidates for modernization or replacement.

After completing the preliminary portfolio analysis, you must take into account any organizational or resource issues. These issues can significantly increase risk to a modernization effort. Typical issues include politics, cost, schedule, available staff, technical skills required to perform the modernization effort, development staff, end user training, training personnel to use the modernized system, and user acceptance of the modernized system. Once you have performed the portfolio analysis and identified modernization issues, you can select and prioritize candidate systems and develop your overall modernization strategy.

Identify Stakeholders

Developers, testers, maintainers, system administrator, customers, vendors, sponsors, end users, architects, and representatives of interacting systems are stakeholders: people who have a vested interest in a project. These people will ultimately judge the outcome and impact of the modernization project. As a result, it is important to obtain their agreement and support. This can often be a challenge because stakeholders from different groups have different interests and view risks in different ways.

Understand Requirements

Requirements definition may be the most difficult task in software development and modernization. In general, requirements can be divided into the following four categories:

  1. User. User requirements are capabilities that must be provided by the system. These requirements are often expressed as tasks or activities that must be supported by the system.

  2. System. System requirements describe the capabilities of the system and the system itself.

  3. Constraints. Constraints include decisions that have already been made, such as interactions with other systems, development standards, and cost.

  4. Nonfunctional. Nonfunctional requirements include behavioral properties, such as performance, usability, and security, that the system must have.

Accurate software requirements clarify what is expected of the system, therefore reducing risk. Many software projects fail because of lack of rigor in the requirements process or an inadequate definition of requirements. As in any software project, requirements must be complete, consistent, understood, and valid. Using stakeholders to verify and validate requirements helps ensure that the system will ultimately perform as expected.

Create the Business Case

A business case is a document that supports decision making and planning. Because software modernization projects require substantial labor and financial resources, a business case can help convince management that the project is financially viable. Therefore, it is often key in obtaining project funding and approval.

As an essential part of the management decision process, a business case should not be viewed simply as a way to justify a particular effort. Rather, it should help the decision maker decide which approaches, if any, should be evaluated further. Therefore, a good business case considers several modernization approaches and contingencies, along with the technical and economical justification for selecting a particular approach. In general, a good business case should provide information about the project purpose and objectives, a description of the current system and current business process, a description of the future system and future business process, a cost estimate, a cost-benefit analysis, a risk assessment, a change analysis, and measures of performance. Change analysis includes changes to personnel, equipment, software, hardware, and support. Measures of performance are used to assess achievements, effectiveness, and efficiency.

It is crucial to understand stakeholder requirements to build an accurate business case. Chapter 4 provides more details on identifying stakeholders, understanding requirements, and creating the business case.

Understand the Legacy System

Understanding both the legacy system and its context are essential to the success of any modernization effort. The challenge is developing this competency in an efficient, cost-effective, and timely manner. Techniques available to meet this challenge include reverse engineering, program understanding, and architecture reconstruction. Chapter 5 describes these techniques in detail.

Reverse engineering and program understanding were briefly introduced in Chapter 1. Architecture reconstruction is the process of determining the as-built architecture of an implemented legacy system [Kazman 01]. This is done through a detailed analysis of the system, often using tool support. The tools extract information about the system and help build and aggregate successive levels of abstraction. If successful, the end result is an architectural representation that helps reason about the system.

When the Best and the Brightest Fail

Several years ago, we were involved in a legacy system modernization effort at a trucking company. The project was initially attempted by the internal IT department, which failed because of the team's lack of knowledge of the target J2EE technologies and because of organizational problems. Wishing to avoid repeating this failure, the trucking company hired professional services from one of the companies instrumental in developing the J2EE technologies being used. In fact, nothing negative could be said about this organization's understanding of J2EE technology and its ability to apply the technology in the construction of software systems.

Surprising many, this second effort also failed. The root cause of this failure was a lack of understanding by the professional services organization of the legacy system. Of course, what we mean by "legacy system" here goes well beyond simply understanding the source code and the hardware platforms. In this case, the professional services organizations had failed to

  • Understand the organization of the trucking company

  • Properly identify the stakeholders and quantify stakeholder needs

  • Understand the operating policies and procedures of the trucking company

  • Understand the modernization goals

  • Properly elicit, understand, and negotiate system requirements

Despite the fact that this professional service organization consisted of intelligent, highly qualified software engineers, it was not able to succeed in this modernization effort. The cause was a failure to understand the legacy system.


from reality. The reality of these practitioners is like reality anywhere: It is messy and lacks identifiable features that can be abstracted into a repeatable process. Instead of evaluating similar software development efforts and looking for common features, many software engineers simply create idealized processes that maximize one variable, such as quality, while ignoring numerous other variables, such as cost, schedule, and technology.

Of these variables, only technology is fixed; cost, quality, and schedule can be traded off. As a result, it is important to understand both the technologies used in the legacy system development and those that can be used in the modernization effort. The reason for this is simple: It is necessary to understand the fixed constraints in the problem space before considering how to bind values to the variables.1

In general, three classes of information system technology are of interest in legacy system modernization:

  1. Technologies used to construct the legacy systems, including the languages and database systems.

  2. Modern technologies, which often represent nirvana to those mired in decades-old technology and which hold (the often unfulfilled) promise of powerful, effective, easily maintained enterprise information systems.

  3. Technologies offered by the legacy system vendors. These technologies provide an upgrade path for those too timid or wise to jump head-first into the latest wave of IT offerings. Legacy system vendors offer these technologies for one simple reason: to provide an upgrade path for system modernization that does not necessitate leaving the comfort of the "mainframe womb." Although these technologies can provide a smoother road toward a modern system, they often result in an acceptable solution that falls short of the ideal.

This book discusses all three classes of information system technologies. In Chapter 7, we describe the COBOL and Java programming languages, which figure prominently in the case study. We also discuss various forms of data repositories, including database management systems (DBMS) and data warehouses. Finally, Chapter 7 includes a discussion of data representations for information exchange, including electronic data interchange (EDI) and the eXtensible Markup Language (XML).

We further explore information system technologies relevant to our case study in Chapters 8 and 9. Chapter 8 discusses distributed transactions, providing background information on both distributed communication and transaction technologies. Chapter 9 describes middleware technologies and standards that may be used to develop a modernized enterprise information system (EIS) including Enterprise JavaBeans (EJB), message-oriented middleware (MOM), Java 2 Enterprise Edition (J2EE), and XML Messaging. We also identify products that implement these technologies, particularly in the Unisys ClearPath 2200 and Sun Solaris operating system environments, because these two environments primarily frame the case study.

Evaluate Technology

Once we understand available technologies and their capabilities, we can compare and contrast them. If their capabilities overlap, we must see whether these technologies solve the same problem with a different quality of service (QoS). We might include multiple technologies that serve the same purpose but provide different QoS in a modernization effort, as long as boundary conditions for each of them are clearly understood and communicated.

Technology evaluation is one of the first steps of building a component ensemble. An ensemble defines the collection of components that evolve into the architecture for the system. The book Building Systems from Commercial Components [Wallnau 01] describes the use of component ensembles, model problems, and other techniques for generating just-in-time competencies in components and component integration. For now, we will simply state that this evaluation is necessary to formulate the eventual architecture and design of the system.

In Chapter 10, we evaluate the feasibility of transactions that span over legacy and modernized components, on two different platforms, by constructing a model problem. In Chapter 11, we evaluate, contrast, and compare two approaches for component integration: a synchronous approach based on J2EE technologies and an asynchronous approach based on a business-to-business integration model. Each approach offers advantages over the other in particular areas. An understanding of the advantages and disadvantages of each approach is crucial in defining the target architecture.

Define Target Architecture

A target architecture represents the as-desired architecture of the system, providing the technical vision for a modernization effort. Thus, the target architecture must be described in a manner that supports adequate communication among the stakeholders. This usually requires descriptions using different views with different levels of granularity and specificity.

In an incremental modernization effort, the target architecture will likely evolve as the boundaries, constraints, and functionality of the legacy system become better understood and the underlying technology used to build the modernized system matures. Therefore, it is important to reevaluate and update the target architecture throughout the modernization effort.

In Chapter 12, we describe a generic enterprise information system architecture for a data-driven system as a collection of architectural patterns. Each of these architectural patterns illustrates common operations and how they are implemented in a compliant system.

Define Modernization Strategy

Legacy system modernization is often a large, multiyear project. Because these legacy systems are often critical in the operations of most enterprises, deploying the modernized system all at once introduces an unacceptable level of operational risk. As a result, legacy systems are typically modernized incrementally. Initially, the system consists completely of legacy code. As each increment is completed, the percentage of legacy code decreases. Eventually, the system is completely modernized. A migration strategy must ensure that the system remains fully functional during the modernization effort.

An effective strategy defines the transformation from the legacy system architecture to the modernized system architecture. During the modernization effort, technologies may change, additional knowledge about the existing system may be acquired, and user requirements may change. A modernization strategy must accommodate these changes. In addition to meeting these requirements, a modernization strategy should minimize development and deployment costs, support an aggressive yet predictable schedule, maintain quality of interim and final products, minimize risk, meet system performance expectations, and maintain complexity at a manageable level.

Development of a modernization strategy is described in Chapters 13, 14, and 15. Chapter 13 describes getting from the as-built architecture to the as-desired architecture. This architectural transformation strategy includes code migration, database migration, and deployment approach. In our case study, this architectural transformation process is referred to as componentization because we are moving from a largely unstructured legacy system to a modern, component-based architecture. Chapter 13 also describes the use of data and logic adapters to support incremental development and deployment.

System preparation is an optional, potentially beneficial but often risky step that is implemented before architectural transformation. In system preparation, we evolve the legacy system to where it will be easier to perform the desired architectural transformation. The benefit is a reduction in overall modernization costs. The risk is that the system preparation does not go as planned and that the development team gets mired in the legacy code. Chapter 14 describes the analysis of alternatives that was performed as part of the system preparation work for RSS.

Chapter 15 describes the refinement of the selected modernization strategy. Refinement includes the development of a code migration plan and a data migration plan, so that the cost of the effort can be estimated and the strategy implemented effectively.

Reconcile Modernization strategy with Stakeholders

In modernizing any legacy system, stakeholders will have varying opinions on what is important and what is the best way to proceed. It is necessary to develop consensus before implementing a modernization plan.

In our modernization approach, the development team is responsible for producing the detailed modernization plan, primarily because that team will be responsible for implementing it. Also, the modernization plan is designed to minimize development costs and schedules while remaining technically feasible. This planning is best accomplished by the development team. Once this baseline modernization plan is in place, other business drivers can be reconciled with it.

Because the baseline plan seeks to minimize development costs, all other plans, in theory, will be more expensive to implement. However, the additional costs of implementing an alternative plan may be offset by other benefits to the business. Chapter 16 discusses a process for reconciling the modernization strategy with stakeholder needs.

Estimate Resources for Modernization Strategy

Estimating the costs of executing the modernization strategy is the final RMM step. Once this step is completed, you should have an understanding of the legacy system and modernization technologies, a target architecture, modernization strategy, cost estimate, and notional schedule. Based on this information, management must now determine whether the modernization strategy is feasible, given the available resources and constraints. If the strategy is adopted, the modernization plan is finalized and executed. If the strategy is not feasible, the question, Why not? must be answered.

Depending on the response to this answer, it may be necessary to repeat some RMM steps. For example, if the code migration plan does not result in functionality being deployed early enough in the schedule, you may need to revise the plan before the overall strategy is considered feasible. It is also possible that the target architecture was too ambitious and must be reconsidered or that the target technologies evaluated are too complex, expensive, or otherwise fail to satisfy the constraints of the modernization effort. In any of these cases, it is necessary to go back and revise the modernization strategy until a feasible approach can be identified or the modernization effort is determined to be infeasible, given current constraints, and terminated.

In many ways, application of the RMM approach described above can be thought of as a first-fit evaluation. We are developing and evaluating a modernization strategy to determine whether it is adequate and implementing the first plan that meets our minimum criteria. The RSS case study described in this book follows this approach. It is, however, also possible to apply RMM as a best-fit model. In this case, multiple modernization strategies—or contingencies in Building Systems from Commercial Components terminology—are evaluated simultaneously. Management can decide among these plans or, possibly, reject them all. In Chapter 17, we describe cost estimation approaches and how these can be applied in estimating costs for a legacy modernization effort.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020