TL;DR
Legacy systems are not an IT problem – they are a balance sheet liability. In M&A due diligence, we see it regularly: a 15-year-old ERP running on an unsupported operating system can reduce a company’s valuation by millions. If you book legacy system costs only as maintenance expense, you overlook the real damage potential: lost opportunities, personnel risk, security liability, and valuation discount. This article shows how to assess legacy systems financially – and when it’s time to act.

The scene we won’t forget

Imagine this: A private equity firm evaluates a Swiss manufacturing company. The revenue checks out. The margins check out. The management is convincing. Everything is green.

Then comes the IT audit.

The core business software – an ERP that has been running for 15 years – operates the company on Windows Server 2008 R2. Microsoft ended support years ago. There are no more patches. The system is configured so specifically that only one person fully understands it: a 61-year-old employee who will retire in four years.

The due diligence recommendation: a valuation discount of CHF 2 million. Reason: unplanned modernization costs, security risk, and key-person dependency.

This is not rare. This is standard.

What we experience in such moments: the seller is genuinely surprised. He knew the system was old. But he had never calculated what "old" actually costs.

"It still works" – the most expensive sentence in IT

It’s a phrase we hear regularly. And it’s not wrong. Most legacy systems do work. That’s the problem.

They work well enough that no one pulls the emergency brake. They cause regular small disruptions that the team somehow resolves. They run. And they run. And the costs quietly accumulate – in maintenance effort, in lost revenue, in risk exposure that never appears on a balance sheet.

Until someone calculates them.

That’s exactly what we do when companies come to us and say: "We know we should modernize – but we need a business case." What we then uncover is almost always surprising. Not because the numbers are so large. But because no one has ever added them up.

The 5 liabilities that no accounting system captures

When we analyze legacy system costs, we look at five categories. None of them appears by default on a cost center.

1. Maintenance cost escalation

Support for end-of-life systems typically costs three to five times as much as a current system. Not because vendors are greedy – but because the market allows it and expertise is scarce.

We have seen customers pay CHF 250 per hour for a specialist who knows their old AS/400 system. For current systems, the market rate is a third of that. Add to that custom patches for gaps the vendor no longer closes, proprietary interfaces that no one except that one provider can integrate, and support contracts with clauses that actively make switching harder.

That is not maintenance effort. That is a structural cost overrun.

2. Opportunity costs

This is the category that is hardest to grasp – and often the largest.

A legacy system cannot connect modern APIs. It does not work with current e-commerce platforms. It makes data analysis cumbersome or impossible. It slows down every process that should be digital.

What that means: your company cannot do things that competitors have long been doing. You do not lose one big, visible decision. You lose a hundred small opportunities that no one counts.

We supported a Swiss retail company that spent three years planning a customer loyalty program that its ERP simply did not support. Three years. In the meantime, the competition had rolled out its program and gained 18% repeat customer share. That is the price of waiting – not in hours, but in market share.

3. Personnel risk – the "Bus Factor"

In software development, there is the term "bus factor": How many people would have to be hit by a bus tomorrow for a system or process to become uncontrollable?

In many legacy systems, that factor is one.

That is not an accusation against the person. It is a structural risk that has grown over years. The system was configured, customized, patched at some point – by people who still understand it today. The only question is: how many of them are still with the company?

We have seen companies realize only after an employee retired which institutional knowledge left with them. The system still ran. But no one knew why certain fields were configured that way. Recruiting costs for rare specialists quickly run into six figures. And often you can no longer find anyone.

4. Security liability

This is the category with the greatest damage potential – and the least attention.

A system that no longer receives security updates is not a secure system. Full stop. Known vulnerabilities remain open. Attackers know these vulnerabilities. And companies running on end-of-life systems are documented targets.

What a security incident costs is hard to generalize – but we have seen figures from our own engagements. Ransomware cases with downtime of two to three weeks. Production outages in manufacturing companies. In none of these cases would modernizing the legacy system have cost more than the damage.

In addition, many cyber insurance policies now include clauses for end-of-life systems. Anyone running a system no longer supported by the manufacturer may find themselves without coverage in the event of a loss.

5. M&A value erosion

Back to our opening scene.

Private equity and strategic buyers have learned to price IT debt. What flew under the radar ten years ago is now a standard part of every due diligence process. IT auditors explicitly look at the age and support status of core systems, documentation quality and key-person risk, security patch status and open vulnerabilities, as well as integration architecture and replacement effort.

What they find is directly reflected in the valuation. Modernization costs are estimated, adjusted for risk, and deducted from the purchase price. Anyone who wants to sell the company in three to seven years or make it attractive to investors miscalculates legacy system costs if they view them only as an ongoing expense.

How to calculate legacy system costs properly

We recommend a simple, three-step approach. No complicated formula – but one that can stand up in front of the CFO and the board.

Step 1: Document direct costs. Add up all costs directly related to the system: support contracts, external specialists, internal maintenance hours, license fees, manual workarounds.

Step 2: Estimate indirect costs. How many features or projects were not implemented over the last two years because of the legacy system? What was their estimated value? A rough estimate is better than none.

Step 3: Assess risk exposure. What would the damage potential be from a security incident or system failure? How long would a realistic recovery period be? Multiply that by a conservative probability.

Add all three. Then compare it with what a modernization would cost.

Often the result looks like this: the legacy system "costs" more per year than a migration project accumulates over three years. It’s just never presented that way.

When to modernize, when to maintain, when to build a wrapper

Not every legacy system needs to be replaced immediately. That would be just as wrong as never modernizing.

We use three decision paths: Maintain when the system is stable, the costs are manageable and a foreseeable end-of-life with a successor project is planned. Wrap when the system handles core functions that are difficult to replace, but needs better integration. An API layer around it enables modern connections without touching the legacy system itself. Replace when at least two of the five liabilities in this article are acute and the system blocks strategic progress.

The decision on which path is right does not belong to the IT team alone. It belongs in executive management – with full financial transparency over all costs.

What particularly affects Swiss mid-sized companies

We work primarily with Swiss SMEs and mid-market companies. And we see a clear pattern: many of these companies introduced their core systems in the 2000s to early 2010s – and have not fundamentally modernized them since.

That is historically understandable. The systems were good. The implementations were expensive. And they ran. Why touch what works?

The challenge in 2026: the market has accelerated. Integrations that used to be optional are now essential – whether for e-commerce, automated accounting, or regulatory reporting requirements. Systems that were modern ten years ago can now be a structural disadvantage.

More on how AI capabilities are blocked by legacy systems can be found in our post on technical debt as a strategic concept.

Tomorrow morning

Before you cancel the next budget round for IT modernization – or push the topic back another year – ask yourself a question:

Have you ever calculated what your legacy system costs annually when you add up all five cost categories?

Not just the support contract. Not just the licenses. But also the lost projects, personnel risk, security exposure and the valuation effect on your company?

Most companies we support have not done this before we came in. The result is almost always surprising.

If you want to run that calculation – together, in a structured way, with a clear output for the board or CFO – that is exactly what we offer through IT modernization strategy consulting. No project pitch, no vendor recommendation. Just the numbers – and a clear basis for decision-making.

Related articles: How long do old systems still work? – The technical perspective on legacy system lifespan | The invisible mortgage: understanding and managing technical debt | Why your IT projects always end up more expensive than planned