Migrate legacy systems selectively. CIOs have multiple options for migration strategy. They can adopt a tactical approach that leaves core legacy functionality in place and just adds functionality by using newer tools and technologies. Or they can replace legacy functionality with modern technology by installing packages, replacing the legacy application with an external service, custom-coding a replacement, or a combination of these.

Don't forget that on the business side, change is always difficult, especially when generations of employees have used a legacy system to do their jobs — even when the system has obvious weaknesses and shortcomings. One technique, which proves very effective, is to make the new system look and behave as much like the old one as possible to business users, turning on new functionality over time only after people have got used to the change.

If migration from a high-value, high-risk legacy system is intended to get the business "out of a hole", then a key goal for CIOs is to avoid digging a new hole. In other words, migration should enhance business value while reducing risk.

Enterprise architecture standards reduce risk and ensure long-term value in a legacy migration. Regardless of which approach to migration an organization chooses — extending existing systems, package or service purchase, custom coding, or any combination of these approaches — aligning plans and designs with architecture standards helps to future-proof the new environment. The reverse is also true: In the absence of architecture standards, any approach is more likely to result in unnecessary complexity and higher risk.

With the current portfolio of high-value, high-risk legacy systems under control, the next step for the CIO is to put mechanisms in place to reduce the chances that high-risk systems will return to the portfolio.

Exclude new high-risk legacy systems. The process for business process and application portfolio review should be conducted annually — timed to follow business strategy discussions and architecture planning, and to precede budgeting and project planning. Assessing the business process and application portfolio annually allows the CIO to track changes in value and risk over time, build consensus for change gradually, and spot trends in value and risk early enough to avoid sudden surprises and disruptions to the business.

Moreover, periodic reviews generate momentum and quality in the refreshed portfolio. Some CIOs treat legacy migration as an ongoing activity, not an episodic or one-time event, with funding for ongoing, scheduled renewal of the technology portfolio. These CIOs treat hardware and software as assets to be depreciated and replaced regularly, thus providing regular upgrades. A best practice is to annually allocate as much as 20 percent of the overall IT budget for legacy renewal.

Another important consideration is that business executives and the business cases they create tend to focus on upfront costs and ignore total cost of ownership (TCO) over the lifetime of a system. However, the best time to discuss TCO is when the business case for a system is proposed. That's when TCO can be made most visible — before ongoing costs are submerged into the maintenance budget for IS. That's also when executives should consider a timeline for acquisition, operation and eventual retirement of the system, and build that timeline into the business case.

Ongoing change creates an essential, persistent need to manage and update the legacy portfolio based on business value and business risk. By focusing on high-value, high-risk systems, assessing the application portfolio regularly, migrating selectively to reduce risk and enhance value, and looking forward via architecture and ongoing reinvestment, CIOs can significantly reduce the burden of legacy systems.

The pay-off is twofold: a business that is less constrained by accidents and history, and a more satisfying role for the CIO and the IS team.

Andrew Rowsell-Jones is vice president and research director for Gartner's CIO Executive Programs