In traditional asset management, deferred maintenance (DM) is a well-established concept under Generally Accepted Accounting Principles (GAAP). It represents the cost of postponed repairs or replacements for physical assets such as elevators, lighting, and HVAC systems. Neglecting scheduled maintenance can reduce an asset’s value and utility, impacting critical financial metrics like Operating Efficiency, Return on Assets (ROA), and Liquidity Ratios. Organizations often disclose deferred maintenance costs in financial statements, highlighting the estimated costs, affected assets, and risks of further deferral, such as operational disruptions or compliance violations.
An Overlooked Opportunity
Deferred maintenance also poses significant risks to IT systems, where the stakes are even higher due to rapid obsolescence, intricate interdependencies, and regulatory pressures. Unlike physical assets like buildings or HVAC systems, IT assets can quickly become obsolete or non-compliant, leading to severe consequences such as cyber breaches, system downtime, or regulatory fines. Despite these complexities, organizations can calculate deferred maintenance for IT systems through a structured approach tailored to their unique characteristics.
Figure 1: Effect of Deferred Maintenance on Asset Service
To assess an IT system's deferred maintenance, organizations can combine their existing asset inventory (CMDB) with procurement and contract data to create a model that calculates an IT System Condition Index as well as Current Replacement Values (CRV). Estimating deferred maintenance costs for IT systems involves evaluating asset condition, estimating the resources required for updates or repairs, and calculating the cost of delayed maintenance actions. The resulting Deferred Maintenance Cost (DMC) includes postponed tasks like hardware upgrades, software patches, and security updates. Note that this data can change frequently, so regular reviews and data verification are essential to maintain accuracy and support the integrity of the assessment.
Unique Challenges of Deferred Maintenance in IT Systems
Calculating deferred maintenance for IT systems is inherently more complex than for traditional physical assets. The interconnected nature of IT systems means deferred maintenance in one layer (e.g., infrastructure) can cascade into failures across other layers (e.g., platforms or applications). Additionally, IT systems often become obsolete within a few years, requiring continuous updates and replacements. Unlike the predictable maintenance costs of physical assets, IT maintenance costs grow logarithmically with scale (e.g., the cost of patching ten servers is less than 10x the cost of patching one server due to economies of scale and automation). As the need for maintenance on these systems expands, the costs of managing dependencies and addressing cascading issues increase significantly. Deferred maintenance can also lead to non-compliance with regulations like SOX, PCI DSS, or HIPAA, resulting in fines, legal liabilities, and reputational harm, which should also be factored into the assessment.
Further complicating matters, IT operates in diverse environments—including cloud, on-premises, hybrid, and SaaS setups—each with unique deferred maintenance challenges shaped by shared responsibility models. Accurately tracking deferred maintenance costs requires accounting for overlapping responsibilities between cloud providers and third-party hosted applications.
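The model described above (CMDB inventory joined with procurement data, rolled up into CRV, DMC and a condition index per system) can be sketched as follows. This is an added example, not the author's model: the inventory rows are constructed, the index is assumed to be the ratio DMC / CRV, and the `1 + ln(n)` batch-cost curve is one assumed way to express the logarithmic scaling mentioned above.

```python
import math
from collections import defaultdict

# Constructed sample: CMDB rows joined with procurement data (all values invented).
# Columns: asset, system, replacement cost (USD), deferred task, unit cost (USD).
INVENTORY = [
    ("web-01", "billing",   12000, "os_patch",         400),
    ("web-02", "billing",   12000, "os_patch",         400),
    ("web-03", "billing",   12000, "os_patch",         400),
    ("db-01",  "billing",   40000, "hardware_refresh", 40000),
    ("app-01", "hr-portal", 15000, "os_patch",         400),
    ("app-02", "hr-portal", 15000, None,               0),
]

def batch_cost(unit_cost, count):
    """Assumed scaling model: `count` identical tasks cost unit * (1 + ln count)."""
    return unit_cost * (1 + math.log(count)) if count > 0 else 0.0

def assess(rows):
    """Return {system: {"crv", "dmc", "index"}}, index = DMC / CRV (assumed ratio)."""
    crv = defaultdict(float)
    backlog = defaultdict(list)          # (system, task) -> unit costs of open tasks
    for _asset, system, replacement, task, unit_cost in rows:
        crv[system] += replacement
        if task is not None:
            backlog[(system, task)].append(unit_cost)
    dmc = defaultdict(float)
    for (system, _task), costs in backlog.items():
        # Price each task type as one batch so automation savings apply per type.
        dmc[system] += batch_cost(max(costs), len(costs))
    return {
        s: {"crv": crv[s], "dmc": dmc[s], "index": dmc[s] / crv[s] if crv[s] else 0.0}
        for s in crv
    }

def worst_first(report):
    """Systems ordered by condition index, highest deferred share first."""
    return sorted(report, key=lambda s: report[s]["index"], reverse=True)

if __name__ == "__main__":
    report = assess(INVENTORY)
    for name in worst_first(report):
        r = report[name]
        print(f"{name:10} CRV={r['crv']:>9.0f} DMC={r['dmc']:>10.2f} index={r['index']:.3f}")
```

A higher index means a larger share of the system's replacement value is tied up in postponed work, which gives a simple ordering for the patch and refresh backlog.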
The Business Case for Calculating Deferred Maintenance in IT
Despite these challenges, quantifying deferred maintenance for IT systems yields substantial benefits. It enables organizations to estimate future IT costs, prioritize investments, and mitigate risks related to asset impairment and regulatory non-compliance. Accurate calculations inform both operational (OPEX) and capital (CAPEX) budget forecasts. Metrics like the Replacement Value can support informed decision-making. Proactively addressing deferred maintenance reduces the likelihood of asset impairment, compliance violations, and cascading failures, protecting both financial performance and operational stability.
The unique challenges of assessing deferred maintenance in IT (e.g., rapid obsolescence and complex interdependencies) demand a tailored approach. Organizations can mitigate these challenges by implementing a program that includes processes to calculate these fields. Ultimately, having this data gives organizations additional reference points to assist in prioritizing investments, navigating regulatory requirements, and maintaining a more secure, compliant, and efficient IT infrastructure.
About the Author
John Kupcinski is the Chief Information Security Officer (CISO) of PSEG Long Island. He is a recognized cybersecurity executive and trusted leader in highly regulated industries with over 2 decades of experience designing and executing enterprise-wide information security programs.
John’s expertise spans incident response, security operations, vulnerability management, identity and access management, and cloud security, with a proven track record of aligning cyber initiatives with organizational objectives. Throughout his career, John has held leadership roles at Freddie Mac, KPMG, and the IMF, where he supported complex cybersecurity programs. He is passionate about advancing the cybersecurity field through strategic leadership, innovation, and workforce development. John can be reached online at https://www.linkedin.com/in/john-kupcinski-17985618