To stay agile, CIOs consume themselves with investigating new paradigms, solutions, features and technologies that can drive innovation and keep their organization on top. Whether it’s cloud computing, blockchain, AI, big data or machine learning, CIOs are always considering what’s possible and how the adoption of emerging technologies can transform and improve business operations.

But with so much focus on the future, it’s easy to steer development effort towards new projects and lose sight of what matters in the long run, and more importantly, today: keeping IT risk low, maintaining the systems you have and ensuring those systems can support continuous change and transformation over time.

Make software maintenance a priority to lower your risk exposure

It’s easy and efficient to add new capabilities as new features to pre-existing applications, and doing so makes practical sense. For example, it reduces development effort and speeds time-to-market. But to accelerate the pace of change, teams are more frequently adding entirely new systems and new technology stacks to fulfil new requirements, adding to existing complexities with limited knowledge of how these updates will impact the whole.

Particularly in environments where the majority of effort has been shifted to new development, this becomes increasingly problematic.

And what’s more, when teams begin building a new system, they typically cease to maintain the old because it will eventually go away. In most cases, though, the older system won’t be fully retired for several years, or longer if there’s new functionality being layered on top of it. While new development effort is in progress, the legacy system is still running business operations – storing customer data and providing vital services.
By shifting the focus away from these systems and reducing available maintenance spend, CIOs and their business counterparts forget that these older systems, too, require constant care to avoid outages, downtime and service disruption. As a result, end-stage legacy applications are regularly forgotten, lost or undocumented, making it even harder to ensure they are reliable and can support new development.

Herein lies the dilemma for the CIO – how can he or she afford to devote even more time and money to maintaining legacy apps while the business is wholly focused on staying competitive to leapfrog competition?

From my own experience, I’ve learned that it’s all about striking a healthy balance between maintenance and innovation. Not preserving current systems to focus on delivering new capabilities is simply not sustainable. In fact, CIOs who don’t pay enough attention to the stability of their current systems don’t stand a chance to prove their value to the business. They don’t get to test new solutions, they don’t get to propose new technologies and they’re not considered to be a reliable team player.

Once a CIO has established his or her credibility by proving they can support the status quo, they can leverage that trust for the benefit of IT. This is not always easy - it often requires a bit of spunk and stubbornness to persuade business stakeholders that a more modest approach may be the best way. But if it’s going to protect the business and enable more productive innovation down the road, it’s always worth the fight.

6 little pains that translate to great gains

As CIOs, if we can accept a few small pains in the pursuit of achieving many great gains, we will land on top. Below is my list of six principles to live by to keep risk low and solidify your success.

1. Make staying healthy a daily priority

Every year, a sizable part of your budget should be reserved for a technology refresh and upgrades.
Whether you approach this spend as part of your base or discretionary budget doesn’t matter, as long as you are explicit about the budget you set aside for maintenance activity and the scope you will address. Typically, you will not get all the budget you need to fix everything, so be prepared to prioritize and accept some risk for what you cannot upgrade this time around.

Reducing IT costs by short-changing this type of necessary spend is a sure recipe for disaster, and the business will pay for it later many times over. Don’t let your business colleagues forget about the impact of this spend! Reviewing this portion of your budget in a collaborative way with the business will increase transparency and increase the success of your projects. As part of this, risk should be assessed and measured regularly so everyone understands where progress is being made, where more investment is needed and where a complete overhaul may be required.

Gartner has a recommended model for conducting periodic application portfolio assessments to identify cost reduction capabilities and increase agility.

2. Forget about uptime!

Why do we continue to report uptime metrics, when they tend to hover north of the “three nines” (99.9%)? Downtime is much more telling and is an important measure of impact. Consider if you lose power for a few hours at home. Most of the time, it resolves itself within moments, and it’s not an issue. However, there are times when outages are more critical, like in a big storm or natural disaster, and backup power becomes more essential.

Being aware of when downtime can happen and its impact on the business helps determine the criticality of that downtime. A great example of this is Cyber Monday. In 2018, Americans spent $7.9 billion on Cyber Monday, making it the largest shopping day ever in the U.S. Imagine if one of your e-commerce platforms experienced a critical outage on this day.
Your company could stand to lose millions, and that is if just one of your applications goes down.

Today’s large enterprise runs hundreds if not thousands of applications, most of which are highly dependent on one another to operate. Even with 99.9% uptime, this means there’s almost always an outage somewhere. In order to know what’s actually in that 0.10%, we have to look more closely at downtime trends to protect the business according to the right level of risk appetite.

3. Take an inclusive, design-first approach

Safe and sound systems must be planned and designed that way from the beginning. Bolted-on security, after-the-fact and manual controls, non-scalable architectures and clumsy designs will ultimately fail in production.

Thinking about your end-user is natural and should be a primary focus. However, we also need to incorporate user stories where the user is the individual responsible for maintaining the health of these systems. This maintenance should be as automated as possible, but we also need to provide administrative functionality in case intervention is necessary. This should be incorporated in the plan from the beginning to ultimately be more effective and ensure systems are healthy in the long run.

Not all conditions can be foreseen, but the more “what if” scenarios the project team considers in design, the more success they will have in delivering apps that serve both the needs of today and tomorrow. To do this, software quality and robustness must be approached in an agile way, with proper prioritization and a forward-looking plan that supports ongoing maintenance efforts.

4. Tool-up

The now cliché saying that technologists are challenged to “build the plane while we’re flying it” couldn’t ring truer than in maintenance vs. modernization decisions. CIOs must make critical updates to systems at the same time they’re relied upon to drive business value and revenues.
The only way to do this effectively is to give your team modern tools that support your unique challenges.

Thomas Klinect, a senior analyst at Gartner, suggests that “with more complex transformations taking place, vendors are forced to provide application leaders with more-intelligent software packages aimed at modernizing existing complex systems.” This is good news for CIOs and their teams, who now have more flexibility and freedom in the tools they choose to put in their belt.

Now, the challenge is to select solutions that are complementary to one another and help you demonstrate continuous improvement with minimal disruption. In my experience, this presents another hurdle with the business. CIOs must not only justify the number of tools required for maintenance but must also demonstrate why further investment in the customization of those tools is essential to success.

When selecting which and how many tools you need, consider a few points:

How efficient and effective is the tool?
Can the tool be integrated with others to align low-level technical data with top-level business information?
Does the tool lend visibility into software health and root cause analysis?
Does the tool help you identify and fix issues quickly?

5. Get regular, real-time measures of software health

Dashboards and reports that you can take to your business partners are a big value-add when trying to prove that you’re making progress. These reports should look beyond downtime and incidents to showcase the overall health of the inner workings of your system.
A new category of solutions in this market called Software Intelligence can help you consolidate the most important data about the safety and soundness of your systems, including the structural robustness, efficiency, security and maintainability of your software at design time.

For instance, this can help you assess your level of compliance in terms of various controls and enforce architectural principles for the organization. All these characteristics contribute to your overall risk profile. The lower your risk profile, the better, not only from a stability standpoint but also in your ability to build new features and capabilities at scale.

The key to success here is remaining focused on using the data to make consistently informed decisions and monitor progress over time. These should be the facts that drive conversations between IT and business leaders and inform IT investment decisions.

DevOps and Agile methodologies can also have a positive impact on overall risk exposure. Combining structural quality measures with defect ratio, dollar spend, cycle release time, build count and other data ensures maximum transparency and alerts teams to high-risk areas.

6. Make safety and soundness a priority for everyone

CIOs must be evangelists. It’s not just about keeping IT’s eye on the ball - the CIO must be the key player who keeps everyone else on-task and equally aware of processes and technologies that may put the organization at risk. It requires educating everyone about the potential risks, what could go wrong, what needs to be fixed and the level of priority for each.

Safety and soundness should be everybody’s business - from management to business to architects to developers - it takes a village.
With timely and up-to-date data, fast decisions can be made with all teams on the same page for the best outcome.

Achieve great gains

More stable systems are obviously a good thing for the business, but more importantly they set us (the CIO) up for long-term success. Stable systems help us maintain that tricky balance between maintenance and innovation while giving us more time to invest in and control more strategic enhancements that map directly to business outcomes. They also help us drive teams to implement changes faster because we can trust that our systems are safe, secure and dependable.

It’s like a race car. NASCAR racers can drive at dangerously fast speeds because they know they have reliable brakes and a precise handling system that is checked and measured daily and is associated with constant training and practice, to allow for a more aggressive drive. Without such brakes or quality checks, there’s no opportunity for trust. Drivers would have to take every turn tentatively to minimize the risk of an accident.

For IT organizations, this is equivalent to losing control over the quality of application releases. It forces us to add layers upon layers of controls and tests, slowing down projects while keeping us vulnerable to nine-digit defects.

Establishing a disciplined approach to properly maintaining current systems frees us from the firefighting chaos associated with unstable applications so we can design and implement new and innovative solutions. It makes that search for the right balance between old and new much more natural and straightforward. And at the end of the day the business will come out stronger.