Technology Obsolescence Risk Statuses and Views in Reports

Obsolescence Risk Statuses and Views Aggregation

Obsolescence Risk Statuses of IT Component

The following order, from highest to lowest, indicates the severity of the risk status of IT components:

• Unaddressed End Of Life
• Unaddressed Phase Out
• Missing Lifecycle Information
• Risk Accepted
• Risk Addressed
• No Risk

Unaddressed End Of Life: An IT component is marked with the unaddressed end-of-life status if either one of the internal or vendor-provided end-of-life dates is in the past. Example:

Unaddressed Phase Out: If the phase-out date is in the past, then the IT component will always have an unaddressed phase-out status, except when it also qualifies for unaddressed end-of-life status, then unaddressed end-of-life status takes precedence, as it represents a higher risk. Example:

Missing Lifecycle Information: Despite having a vendor-provided end-of-life date in the future, if the internal end-of-life information is not documented, the IT component is marked as having missing lifecycle information, provided it doesn’t also qualify for a higher risk status. Lack of vendor-provided end-of-life data is not considered as missing lifecycle information, as it means it is still active. Example:

Risk Accepted: If you mark the Obsolescence Risk Status field on the relation between the IT component and application fact sheet as risk accepted, it overrides all other logic, and the IT component is assigned the risk accepted status.

Risk Addressed: If you mark the Obsolescence Risk Status field on the relation between the IT component and application fact sheet as risk addressed, it overrides all other logic, and the IT component is assigned the risk-addressed status.

No Risk: If the vendor-provided end-of-life date is either in the future or not provided, implying the component is still active, and the internal end-of-life date is also in the future, then the IT component is marked as having no risk. Likewise, if you have not documented internal end-of-life and the vendor hasn't provided one—implying it’s still active—then it is assigned the no-risk status. Example:

Obsolescence Risk View Aggregation at the Application Level

The aggregated obsolescence risk is calculated based on the lifecycle status of the underlying IT components that support your applications. The calculation for aggregated obsolescence risk considers all IT components related to an application in the following ways:

• Directly linked IT components: IT components that are directly linked to the application via the relApplicationToITComponent relation and are active are considered. Inactive relations are excluded; the 'active from/until' field in the relation between IT components and applications determines the active or inactive status.
• Indirectly linked IT components: These are IT components indirectly connected to an application either through hierarchical relations relToChild between IT components or as required/required by relations relToRequires between IT components.

  📘

  Note

  relToRequires relations directly between IT components and applications are not considered.

• Indirectly linked via other applications: IT components indirectly connected to the application through another application with an active hierarchical relation relToChild are also included in the risk assessment.

The following order, from highest to lowest, indicates the severity of the risk status of applications:

• Unaddressed End Of Life
• Unaddressed Phase Out
• Missing Lifecycle Information
• Missing IT Component Information
• Risk Accepted
• Risk Addressed
• No Risk

Obsolescence Risk Views

Technology Risk and Compliance offers additional obsolescence views in reports to help analyze and monitor obsolescence risks better.

• Obsolescence: Missing Data Percentage
• Obsolescence: Mitigated Risk Percentage
• Obsolescence: Unaddressed Risk Percentage View

Leveraging these views and other powerful reporting features, organizations can comprehensively analyze technology obsolescence risks, prioritize them, and manage them effectively.

📘

These views are available in landscape, matrix, roadmap, and radar reports. Additionally, they can be used in portfolio reports as axis definitions and not as a view.

Missing Data Percentage

The missing data percentage view analyzes applications lacking lifecycle information, displaying the percentage of IT components supporting each application without such data. It helps you identify gaps in available information critical for risk evaluation, enabling data completion efforts.

Mitigated Risk Percentage

The mitigated risk percentage view lets you track your progress in mitigating risks at the application level. It shows the percentage of IT components supporting each application with Risk Accepted or Risk Addressed statuses in the Obsolescence Risk Status field of the fact sheet. It helps you assess to what extent you have addressed and reduced risks.

• Risk Accepted status indicates situations where you acknowledge the risks of outdated software or hardware as low and acceptable despite their persistence. This could apply to certain environments, such as testing or legacy systems.

• Risk Addressed status indicates that the obsolescence risk was deemed unacceptable, and you are taking required actions, such as technology upgrades, migrating to another application or IT component, sunsetting the application, and so on.

  

As a best practice, you would aim for 100% coverage of risk accepted or risk addressed to comprehensively manage risk across your application portfolio.

Unaddressed Risk Percentage

The unaddressed risk percentage view helps prioritize and tackle risks that still require attention. This view visualizes the percentage of IT components supporting each application with lifecycle information in Phase Out or End Of Life.