Reduce Risk With Rock-Solid Service-Level Agreements

Reduce Risk With Rock-Solid Service-Level Agreements

Hold Service Providers more accountable to their contractual obligations with meaningful SLA components & remedies

EXECUTIVE BRIEF

Analyst Perspective

Reduce Risk With Rock-Solid Service-Level Agreements

Every year organizations outsource more and more IT infrastructure to the cloud, and IT operations to managed service providers. This increase in outsourcing presents an increase in risk to the CIO to save on IT spend through outsourcing while maintaining required and expected service levels to internal customers and the organization. Ensuring that the service provider constantly meets their obligations so that the CIO can meet their obligation to the organization can be a constant challenge. This brings forth the importance of the Service Level Agreement.

Research clearly indicates that there is a general lack of knowledge when comes to understanding the key elements of a Service Level Agreement (SLA). Even less understanding of the importance of the components of Service Levels and the Service Level Objectives (SLO) that service provider needs to meet so that the outsourced service consistently meets requirements of the organization. Most service providers are very good at providing the contracted service and they all are very good at presenting SLOs that are easy to meet with very few or no ramifications if they don’t meet their objectives. IT leaders need to be more resolute in only accepting SLOs that are meaningful to their requirements and have meaningful, proactive reporting and associated remedies to hold service providers accountable to their obligations.

Ted Walker

Principal Research Director, Vendor Practice

Info-Tech Research Group

Executive Brief

Vendors provide service level commitments to customers in contracts to show a level of trust, performance, availability, security, and responsiveness in an effort create a sense of confidence that their service or platform will meet your organization’s requirements and expectations. Sifting through these promises can be challenging for many IT Leaders. Customers struggle to understand and evaluate what’s in the SLA – are they meaningful and protect your investment? Not understanding the details of SLAs applicable to various types of Service (SaaS, MSP, Service Desk, DR, ISP) can lead to financial and compliance risk for the organization as well as poor customer satisfaction.

This project will provide IT leadership the knowledge & tools that will allow them to:

• Understand what SLAs are and why they need them.
• Develop standard SLAs that meet the organization’s requirements.
• Negotiate meaningful remedies aligned to Service Levels metrics or KPIs.
• Create SLA monitoring & reporting and remedies requirements to hold the provider accountable.

This research:

1. Is designed for:

• The CIO or CFO who needs to better understand their provider’s SLAs.
• The CIO or BU that could benefit from improved service levels.
• Vendor management who needs to standardize SLAs for the organization IT leadership that needs consistent service levels to the business
• The contract manager who needs a better understanding of contact SLAs

• Understand what a Service Level Agreement is and what it’s for
• Learn what the components are of an SLA and why you need them
• Create a checklist of required SLA elements for your organization
• Develop standard SLA template requirements for various service types
• Learn the importance of SLA management to hold providers accountable

Reduce Risk With Rock-Solid Service-Level Agreements (SLAs)

Hold service providers more accountable to their contractual obligations with meaningful SLA components and remedies

The Problem

IT Leadership doesn't know how to evaluate an SLA.

Misunderstanding of obligations given the type of service provided (SAAS, IAAS, DR/BCP, Service Desk)

Expectations not being met, leading to poor service from the provider.

No way to hold provider accountable.

Why it matters

SLAS are designed to ensure that outsourced IT services meet the requirements and expectations of the organization. Well-written SLAs with all the required elements, metrics, and remedies will allow IT departments to provide the service levels to their customer and avoid financial and contractual risk to the organization.

The Solution

1. Understand the key service elements within an SLA

• Develop a solid understanding of the key elements within an SLA and why they're important.

• Prioritize contractual services and establish concise SLA checklists and performance metrics.

Service types

• Availability/Uptime
• Response Times
• Resolution Time
• Accuracy
• First-Call Resolution

Agreement Types

• SaaS/IaaS
• Service Desk
• MSP
• Co-Location
• DR/BCP
• Security Ops

Performance Metrics

• Reporting
• Remedies & Credits
• Monitoring
• Exclusion

Example SaaS Provider

• Response Times ✓
• Availability/Uptime ✓
• Resolution Time ✓
• Update Times ✓
• Coverage Time ✓
• Monitoring ✓
• Reporting ✓
• Remedies/Credits ✓

SLA Management Framework

1. SLO Monitoring

• SLOs must be monitored by the provider, otherwise they can't be measured.

• This is the key element for the provider to validate their performance.

• Capturing SLO metric attainment provides performance trending for each provider.

• Tracking details provide input into overall vendor performance ratings.

Executive Summary

Your Challenge

To understand which SLAs are required for your organization and how they can differ depending on the service type. In addition, these other challenges can also cloud your knowledge of SLAs

• No standardized SLA documents, Service levels, or metrics
• Dealing with lost productivity & revenue due to persistent downtime
• Understanding SLA components and what service levels are requires for a particular service
• How to manage the SLA and hold the vendor accountable

Common Obstacles

There are several unknowns that SLA can present to different departments within the organization:

• Little knowledge of what service levels are required
• Not knowing SLO standards for a service type
• Lack of resources to manage vendor obligations
• Negotiating required metrics/KPIs with the provider
• Low understanding of the risk that poor SLAs can present to the organization

Info-Tech's Approach

Info-Tech has a three-step approach to effective SLAs

• Understand the elements of an SLA
• Create Requirements for your organization
• Manage the SLA obligations

There are some basic components that every SLA should have – most don’t have half of what is required

Info-Tech Insight

SLAs need to have clear, easy to measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

Your challenge

This research is designed to help organizations gain a better understanding of what an SLA is, understand the importance of SLAs in IT contracts, and ensure organizations are provided with rock-solid SLAs that meet their requirements and not just what the vendor wants to provide.

• Vendors can make SLAs weak and difficult to understand; sometimes the metrics are meaningless. Not fully understanding what makes up a good SLA can bring unknown risks to the organization.
• Managing vendor SLA obligations effectively is important. Are adequate resources available? Does the vendor provide manual vs. automated processes and which do you need? Is the process proactive from the vendor or reactive from the customer?

SLAs come in many variations and for many service types. Understanding what needs to be in them is one of the keys to reducing risk to your organization.

“One of the biggest mistakes an IT leader can make is ignoring the ‘A’ in SLA,” adds Wendy M. Pfeiffer, CIO at Nutanix. “

An agreement isn’t a one-sided declaration of IT capabilities, nor is it a one-sided demand of business requirements,” she says. “An agreement involves creating a shared understanding of desired service delivery and quality, calculating costs related to expectations, and then agreeing to outcomes in exchange for investment.” (15 SLA mistakes IT leaders still make | CIO)

Common obstacles

There are typically a lot of unknowns when it comes to SLAs and how to manage them.

Most organizations don’t have a full understanding of what SLAs they require and how to ensure they are met by the vendor. Other obstacles that SLAs can present are:

• Inadequate resources to create and manage SLAs
• Poor awareness of standard or required SLA metrics/KPIs
• Lack of knowledge about each provider’s commitment as well as your obligations
• Low vendor willingness to provide or negotiate meaningful SLAs and credits
• The know-how or resources to effectively monitor and manage the SLA’s performance

SLAs need to address your requirements

55% of businesses do not find all of their service desk metrics useful or valuable (Freshservice.com)

27% of businesses spend four to seven hours a month collating metric reports (Freshservice.com)

Executive Summary

Info-Tech’s Approach

• Understand the elements of an SLA
  • Availability
  • Monitoring
  • Response Times
  • SLO Calculation
  • Resolution Time
  • Reporting
  • Milestones
  • Exclusions
  • Accuracy
  • Remedies & Credits
• Create standard SLA requirements and criteria
  • SLA Element Checklist
  • Corporate Requirements and Standards
  • SLA Templates and Policy
• Effectively Manage the SLA Obligations
  • SLA Management Framework
    • SLO Monitoring
    • Concise Reporting
    • Attainment Tracking
    • Score Carding
    • Remedy Reconciliation

Info-Tech’s three phase approach

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 1

Understand SLA Elements

Phase Content:

• 1.1 What are SLAs, types of SLAs, and why are they needed?
• 1.2 Elements of an SLA
• 1.3 Obligation management monitoring, Reporting requirements
• 1.4 Exclusions
• 1.5 SLAs vs. SLOs vs. SLIs

Outcome:

This phase will present you with an understanding of the elements of an SLA: What they are, why you need them, and how to validate them.

Phase 2

Create Requirements

Phase Content:

• 2.1 Create a list of your SLA criteria
• 2.2 Develop SLA policy & templates
• 2.3 Create a negotiation strategy
• 2.4 SLA Overachieving discussion

Outcome:

This phase will leverage knowledge gained in Phase 1 and guide you through the creation of SLA requirements, criteria, and templates to ensure that providers meet the service level obligations needed for various service types to meet your organization’s service expectations.

Phase 3

Manage Obligations

Phase Content:

• 3.1 SLA Monitoring, Tracking
• 3.2 Reporting
• 3.3 Vendor SLA Reviews & Optimizing
• 3.4 Performance management

Outcome:

This phase will provide you with an SLA management framework and the best practices that will allow you to effectively manage service providers and their SLA obligations.

Insight summary

Overarching insight

SLAs need to have clear, easy-to-measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

Phase 1 insight

Not understanding the required elements of an SLA and not having meaningful remedies to hold service providers accountable to their obligations can present several risk factors to your organization.

Phase 2 insight

Creating standard SLA criteria for your organization’s service providers will ensure consistent service levels for your business units and customers.

Phase 3 insight

SLAs can have appropriate SLOs and remedies but without effective management processes they could become meaningless.

Tactical insight

Be sure to set SLAs that are easily measurable from regularly accessible data and that are straight forward to interpret.

Tactical insight

Beware of low, easy to attain service levels and metrics/KPIs. Service levels need to meet your expectations and needs not the vendor’s.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

SLA Tracker & Trending Tool

Track the provider’s SLO attainment and see how their performance is trending over time

SLA Evaluation Tool

Evaluate SLA service levels, metrics, credit values, reporting, and other elements

SLA Template & Metrics Reference Guide

Reference guide for typical SLA metrics with a generic SLA Template

Service-Level Agreement Checklist

Complete SLA component checklist for core SLA and contractual elements.

Key deliverable:

Service-Level Agreement Evaluation Tool

Evaluate each component of the SLA , including service levels, metrics, credit values, reporting, and processes to meet your requirements

Blueprint objectives

Understand the components of an SLA and effectively manage their obligations

• To provide an understanding of different types of SLAs, their required elements, and what they mean to your organization. How to identify meaningful service levels based on service types. We will break down the elements of the SLA such as service types and define service levels such as response times, availability, accuracy, and associated metrics or KPIs to ensure they are concise and easy to measure.
• To show how important it is that all metrics have remedies to hold the service provider accountable to their SLA obligations.

Once you have this knowledge you will be able to create and negotiate SLA requirements to meet your organization’s needs and then manage them effectively throughout the term of the agreement.

InfoTech Insight:

Right-size your requirements and create your SLO criteria based on risk mitigation and create measurements that motivate the desired behavior from the SLA.

Blueprint benefits

IT Benefits

• An understanding of standard SLA service levels and metrics
• Reduced financial risk through clear and concise easy-to-measure metrics and KPIs
• Improved SLA commitments from the service provider
• Meaningful reporting and remedies to hold the provider accountable
• Service levels and metrics that meet your requirements to support your customers

Business Benefits

• Better understanding of an SLA framework and required SLA elements
• Improved vendor performance
• Standardized service levels and metrics aligned to your organization’s requirements
• Reduced time in reviewing and comprehending vendor SLAs
• Consistent performance from your service providers

Measure the value of this blueprint

1. Dollars Saved

• Improved performance from your service provider
• Reduced financial risk through meaningful service levels & remedies
• Dollars gained through:
  • Reconciled credits from obligation tracking and management
  • Savings due to automated processes

• Reduced time in creating effective SLAs through requirement templates
• Time spent tracking and managing SLA obligations
• Reduced negotiation time
• Time spent tracking and reconciling credits

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way wound help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between three to six calls over the course of two to three months.

Phase 1 - Understand

• Call #1: Scope requirements, objectives, and your specific SLA challenges

Phase 2 - Create Requirements

• Call #2: Review key SLA and how to identify them
• Call #3: Deep dive into SLA elements and why you need them
• Call #4: Review your service types and SLA criteria
• Call #5: Create internal SLA requirements and templates

Phase 3 - Management

• Call #6: Review SLA Management Framework
• Call #7: Review and create SLA Reporting and Tracking

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 1

Phase 1

Understand SLA Elements

Phase Steps

• 1.1 What are SLAs, the types of SLAs, and why are they needed?
• 1.2 Elements of an SLA
• 1.3 Obligation management monitoring, Reporting requirements
• 1.4 Exclusions and exceptions
• 1.5 SLAs vs. SLOs vs. SLIs

Create Requirements

Manage Obligations

1.1 What are SLAs, the types of SLAs, and why are they needed?

SLA Overview

What is a Service Level Agreement?

An SLA is an overarching contractual agreement between a service provider and a customer (can be external or internal) that describes the services that will be delivered by the provider. It describes the service levels and associated performance metrics and expectations, how the provider will show it has attained the SLAs, and defines any remedies or credits that would apply if the provider fails to meet its commitments. Some SLAs also include a change or revision process.

SLAs come in a few forms. Some are unique, separate, standalone documents that define the service types and levels in more detail and is customized to your needs. Some are separate documents that apply to a service and are web posted or linked to an MSA or SSA. The most common is to have them embedded in, or as an appendix to an MSA or SSA. When negotiating an MSA it’s generally more effective to negotiate better service levels and metrics at the same time.

Objectives of an SLA

To be effective, SLAs need to have clearly described objectives that define the service type(s) that the service provider will perform, along with commitment to associated measurable metrics or KPIs that are sufficient to meet your expectations. The goal of these service levels and metrics is to ensure that the service provider is committed to providing the service that you require, and to allow you to maintain service levels to your customers whether internal or external.

1.1 What are SLAs, the types of SLAs, and why are they needed?

Key Elements of an SLA

Principle service elements of an SLA

There are several more common service-related elements of an SLA. These generally include:

• The Agreement – the document that defines service levels and commitments.
• The service types – the type of service being provided by the vendor. These can include SaaS, MSP, Service Desk, Telecom/network, PaaS, Co-Lo, BCP, etc.
• The service levels – these are the measurable performance objectives of the SLA. They include availability (uptime), response times, restore times, priority level, accuracy level, resolution times, event prevention, completion time, etc.
• Metrics/KPIs – These are the targets or commitments associated to the service level that the service provider is obligated to meet.
• Other elements – Reporting requirements, monitoring, remedies/credit values and process.

Contractual Construct Elements

These are construct components of an SLA that outline their roles and responsibilities, T&Cs, escalation process, etc.

In addition, there are several contractual-type elements including, but not limited to:

• A statement regarding the purpose of the SLA.
• A list of services being supplied (service types).
• An in-depth description of how services will be provided and when.
• Vendor and customer requirements.
• Vendor and customer obligations.
• Acknowledgment/acceptance of the SLA.
• They also list each party’s responsibilities and how issues will be escalated and resolved.

Common types of SLAs explained

Service-level SLA

• This service-level agreement construct is the Service-based SLA. This SLA covers an identified service for all customers in general (for example, if an IT service provider offers customer response times for a service to several customers). In a service-based agreement, the response times would be the same and apply to all customers using the service. Any customer using the service would be provided the same SLA – in this case the same defined response time.

Customer-based SLA

• A customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer (for example, you may use several services from one telecom vendor). The SLAs for these services would be covered in one contract between you and the vendor, creating a unique customer-based vendor agreement. Another scenario could be where a vendor offers general SLAs for its services but you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

Multi-level SLA

• This service-level agreement construct is the multi-level SLA. In a multi-level SLA, components are defined to the organizational levels of the customer with cascading coverage to sublevels of the organization. The SLA typically entails all services and is designed to the cover each sub-level or department within the organization. Sometimes the multi-level SLA is known as a master organization SLA as it cascades to several levels of the organization.

InfoTech Insight: Beware of low, easy to attain Service levels and metrics/KPIs. Service levels need to meet your requirements, expectations, and needs not the vendor’s.

1.2 Elements of SLA-objectives, service types, and service levels

Objectives of Service Levels

The objective of the service levels and service credits are to:

• Ensure that the services are of a consistently high quality and meet the requirements of the customer
• Provide a mechanism whereby the customer can attain meaningful recognition of the vendors failure to deliver the level of service for which it was contracted to deliver
• Incentivize the vendor or service provider to comply with and to expeditiously provide a remedy for any failure to attain the service levels committed to in the SLA
• To ensure that the service provider fulfills the defined objectives of the outsourced service

Service types

There are several service types that can be part of an SLA. Service types are the different nature of services associated with the SLA that the provider is performing and being measured against. These can include:

Service Desk, SaaS, PaaS, IaaS, ISP/Telecom/Network MSP, DR & BCP, Co-location security ops, SOW.

Each service type should have standard service level targets or obligations that can vary depending on your requirements and reliance on the service being provided.

Service levels

Service levels are measurable targets, metrics, or KPIs that the service provider has committed to for the particular service type. Service levels are the key element of SLAs – they are the performance expectations set between you and the provider. The service performance of the provider is measured against the service level commitments. The ability of the provider to consistently meet these metrics will allow your organization to fully benefit from the objectives of the service and associated SLAs. Most service levels are time related but not all are.

Common service levels are:

Response times, resolution times per percent, restore/recovery times, accuracy, availability/uptime, completion/milestones, updating/communication, latency.

Each service level has standard or minimum metrics for the provider. The metrics, or KPIs, should be relatively easy to measure and report against on a regular basis. Service levels are generally negotiable to meet your requirements.

1.2.1 Activity SLA Checklist Tool

1-2 hours

Input

• SLA content, Service elements
• Contract terms & exclusions
• Service metrices/KPIs

Output

• A concise list of SLA components
• A list of missing SLA elements
• Evaluation of the SLA

Materials

• Comprehensive checklist
• Service provider SLA
• Internal templates or policies

Participants

• Vendor or contract manager
• IT or business unit manager
• Legal
• Finance

Using this checklist will help you review a provider’s SLA to ensure it contains adequate service levels and remedies as well as contract-type elements.

Instructions:

Use the checklist to identify the principal service level elements as well as the contractual-type elements within the SLA.

Review the SLA and use the dropdowns in the checklist to verify if the element is in the SLA and whether it is within acceptable parameters as well the page or section for reference.

The checklist contains a list of service types that can be used for reference of what SLA elements you should expect to see in that service type SLA.

Download the SLA Checklist Tool

1.3 Monitoring, reporting requirements, remedies/credit process

Monitoring & Reporting

As mentioned, well-defined service levels are key to the success of the SLA. Validating that the metrics/KPIs are being met on a consistent basis requires regular monitoring and reporting. These elements of the SLA are how you hold the provider accountable to the SLA commitments and obligations. To achieve the service level, the service must be monitored to validate that timelines are met and accuracy is achieved.

• Data or details from monitoring must then be presented in a report and delivered to the customer in an agreed-upon format. These formats can be in a dashboard, portal, spreadsheet, or csv file, and they must have sufficient criteria to validate the service-level metric. Reports should be kept for future review and to create historical trending.
• Monitoring and reporting should be the responsibility of the service provider. This is the only way that they can validate to the customer that a service level has been achieved.
• Reporting criteria and delivery timelines should be defined in the SLA and can even have a service level associated with it, such as a scheduled report delivery on the fifth day of the following month.
• Reports need to be checked and balanced. When defining report criteria, be sure to define data source(s) that can be easily validated by both parties.
• Report criteria should include compliance requirements, target metric/KPIs, and whether they were attained.
• The report should identify any attainment shortfall or missed KPIs.

Too many SLAs do not have these elements as often the provider tries to put the onus on the customer to monitor their performance of the service levels. .

1.3.1 Monitoring, reporting requirements, remedies/credit process

Remedies and Credits

Service-level reports validate the performance of the service provider to the SLA metrics or KPIs. If the metrics are met, then by rights, the service provider is doing its job and performing up to expectations of the SLA and your organization.

• What if the metrics are not being met either periodically or consistently? Solving this is the goal of remedies. Remedies are typically monetary costs (in some form) to the provider that they must pay for not meeting a service-level commitment. Credits can vary significantly and should be aligned to the severity of the missed service level. Sometimes there no credits offered by the vendor. This is a red flag in an SLA.
• Typically expressed as a monetary credit, the SLA will have service levels and associated credits if the service-level metric/KPI is not met during the reporting period. Credits can be expressed in a dollar format, often defined as a percentage of a monthly fee or prorated annual fee. Although less common, some SLAs offer non-financial credits. These could include: an extension to service term, additional modules, training credits, access to a higher support level, etc.
• Regardless of how the credit is presented, this is typically the only way to hold your provider accountable to their commitments and to ensure they perform consistently to expectations. You must do a rough calculation to validate the potential monetary value and if the credit is meaningful enough to the provider.

Research shows that credit values that equate to just a few dollars, when you are paying the provider tens of thousands of dollars a month for a service or product, the credit is insignificant and therefore doesn’t incent the provider to achieve or maintain a service level.

1.3.2 Monitoring, reporting requirements, remedies/credit process

Credit Process

Along with meaningful credit values, there must be a defined credit calculation method and credit redemption process in the SLA.

Credit calculation. The credit calculation should be simple and straight forward. Many times, we see providers define complicated methods of calculating the credit value. In some cases complicated service levels require higher effort to monitor and report on, but this shouldn’t mean that the credit for missing the service level needs to require the same effort to calculate. Do a sample credit calculation to validate if the potential credit value is meaningful enough or meets your requirements.

Credit redemption process. The SLA should define the process of how a credit is provided to the customer. Ideally the process should be fairly automated by the service provider. If the report shows a missed service level, that should trigger a credit calculation and credit value posted to account followed by notification. In many SLAs that we review, the credit process is either poorly defined or not defined at all. When it is defined, the process typically requires the customer to follow an onerous process and submit a credit request that must then be validated by the provider and then, if approved, posted to your account to be applied at year end as long as you are in complete compliance with the agreement and up-to-date on your account etc. This is what we need to avoid in provider-written SLAs. You need a proactive process where the service provider takes responsibility for missing an SLA and automatically assigns an accurate credit to your account with an email notice.

Secondary level remedies. These are remedies for partial performance. For example, the platform is accessible but some major modules are not working (i.e.: the payroll platform is up and running and accessible but the tax table is not working properly so you can’t complete your payroll run on-time). Consider the requirement of a service level, metric, and remedy for critical components of a service and not just the platform availability.

Info-Tech Insight SLA’s without adequate remedies to hold the vendor accountable to their commitments make the SLAs essentially meaningless.

1.4 Exclusions indemnification, force majeure, scheduled maintenance

Contract-Related Exclusions

Attaining service-level commitments by the provider within an SLA can depend on other factors that could greatly influence their performance to service levels. Most of these other factors are common and should be defined in the SLA as exclusions or exceptions. Exceptions/exclusions can typically apply to credit calculations as well. Typical exceptions to attaining service levels are:

• Denial of Service (DoS) attacks
• Communication/ISP outage
• Outages of third-party hosting
• Actions or inactions of the client or third parties
• Scheduled maintenance but not emergency maintenance
• Force majeure events which can cover several different scenarios

Attention should be taken to review the exceptions to ensure they are in fact not within the reasonable control of the provider. Many times the provider will list several exclusions. Often these are not reasonable or can be avoided, and in most cases, they allow the service provider the opportunity to show unjustified service-level achievements. These should be negotiated out of the SLA.

1.5 Activity SLA Evaluation Tool

1-2 hours

Input

• SLA content
• SLA elements
• SLA objectives
• SLO calculation methods

Output

• Rating of the SLA service levels and objectives
• Overall rating of the SLA content
• Targeted list of required improvements

Materials

• SLA comprehensive checklist
• Service provider SLA

Participants

• Vendor or contract manager
• IT manager or leadership
• Application or business unit manager

The SLA Evaluation Tool will allow you evaluate an SLA for content. Enter details into the tool and evaluate the service levels and SLA elements and components to ensure the agreement contains adequate SLOs to meet your organization’s service requirements.

Instructions:

Review and identify SLA elements within the service provider’s SLA.

Enter service-level details into the tool and rate the SLOs.

Enter service elements details, validate that all required elements are in the SLA, and rate them accordingly.

Capture and evaluate service-level SLO calculations.

Review the overall rating for the SLA and create a targeted list for improvements with the service provider.

Download the SLA Evaluation Tool

1.5 Clarification: SLAs vs. SLOs vs. SLIs

SLA – Service-Level Agreement The promise or commitment

• This is the formal agreement between you and your service provider that contains their service levels and obligations with measurable metrics/KPIs and associated remedies. SLAs can be a separate or unique document, but are most commonly embedded within an MSA, SOW, SaaS, etc. as an addendum or exhibit.

SLO – Service-Level Objective The goals or targets

• This service-level agreement construct is the customer-based SLA. A Customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer. For example, you may use several services from one telecom vendor. The SLAs for these services would be covered in one contract between you and the Telco vendor, creating a unique customer-based to vendor agreement. Another scenario: a vendor offers general SLAs for its services and you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

Other common names are Metrics and Key Performance Indicators (KPIs )

SLI – Service-Level Indicator How did we do? Did we achieve the objectives?

• An SLI is the actual metric attained after the measurement period. SLI measures compliance with an SLO (service level objective). So, for example, if your SLA specifies that your systems will be available 99.95% of the time, your SLO is 99.95% uptime and your SLI is the actual measurement of your uptime. Maybe it’s 99.96%. maybe 99.99% or even 99.75% For the vendor to be compliant to the SLA, the SLI(s) must meet or exceed the SLOs within the SLA document.

Other common names: attainment, results, actual

Info-Tech Insight:

Web-posted SLAs that are not embedded within a signed MSA, can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 2

Understand SLA Elements

Phase 2

Create Requirements

Phase Steps

• 2.1 Create a list of your SLA criteria
• 2.2 Develop SLA policy & templates
• 2.3 Create a negotiation strategy
• 2.4 SLA overachieving discussion

Manage Obligations

2.1 Create a list of your SLA criteria

Principle Service Elements

With your understanding of the types of SLAs and the elements that comprise a well-written agreement

• The next step is to start to create a set of SLA criteria for service types that your organization outsources or may require in the future.
• This criteria should define the elements of the SLA with tolerance levels that will require the provider to meet your service expectations.
• Service levels, metrics/KPIs, associated remedies and reporting criteria. This criteria could be captured into table-like templates that can be referenced or inserted into service provider SLAs.
• Once you have defined minimum service-level criteria, we recommend that you do a deeper review of the various service provider types that your organization has in place. The goal of the review is to understand the objective of the service type and associated service levels and then compare them to your requirements for the service to meet your expectations. Service levels and KPIs should be no less than if your IT department was providing the service with its own resources and infrastructure.
• Most IT departments have service levels that they are required to meet with their infrastructure to the business units or organization, whether it’s App delivery, issue or problem resolution, availability etc. When any of these services are outsourced to an external service provider, you need to make all efforts to ensure that the service levels are equal to or better than the previous or existing internal expectations.
• Additionally, the goal is to identify service levels and metrics that don’t meet your requirements or expectations and/or service levels that are missing.

2.2 Develop SLA policies and templates

Contract-type Elements

After creating templates for minimum-service metrics & KPIs, reporting criteria templates, process, and timing, the next step should be to work on contract-type elements and additional service-level components. These elements should include:

• Reporting format, criteria, and timelines
• Monitoring requirements
• Minimum acceptable remedy or credits process; proactive by provider vs. reactive by customer
• Roles & responsibilities
• Acceptable exclusion details
• Termination language for persistent failure to meet SLOs

These templates or criteria minimums can be used as guidelines or policy when creating or negotiating SLAs with a service provider.

Start your initial element templates for your strategic vendors and most common service types: SaaS, IaaS, Service Desk, SecOps, etc. The goal of SLA templates is to create simple minimum guidelines for service levels that will allow you to meet your internal SLAs and expectations. Having SLA templates will show the service provider that you understand your requirements and may put you in a better negotiating position when reviewing with the provider.

When considering SLO metrics or KPIs consider the SMART guidance:

Simple: A KPI should be easy to measure. It should not be complicated, and the purpose behind recording it must be documented and communicated.

Measurable: A KPI that cannot be measured will not help in the decision-making process. The selected KPIs must be measurable, whether qualitatively or quantitatively. The procedure for measuring the KPIs must be consistent and well-defined.

Actionable: KPIs should contribute to the decision-making process of your organization. A KPI that does not make any such contributions serves no purpose.

Relevant: KPIs must be related to operations or functions that a security team seeks to assess.

Time-based: KPIs should be flexible enough to demonstrate changes over time. In a practical sense, an ideal KPI can be grouped together by different time intervals.

(Guide for Security Operations Metrics)

2.2.1 Activity: Review SLA Template & Metrics Reference Guide

1-2 hours

Input

• Service level metrics
• List of who is accountable for PPM decisions

Output

• SLO templates for service types
• SLA criteria that meets your organization’s requirements

Materials

• SLA Checklist
• SLA criteria list with SLO & credit values
• PPM Decision Review Workbook

Participants

• Vendor manager
• IT leadership
• Procurement or contract manager

1. Review the SLA Template and Metrics Reference Guide for common metrics & KPIs for the various service types. Each Service Type tab has SLA elements and SLO metrics typically associated with the type of service.
2. Some service levels have common or standard credits* that are typically associated with the service level or metric.
3. Use the SLA Template to enter service levels, metrics, and credits that meet your organization’s criteria or requirements for a given service type.

Download the SLA Template & Metrics Reference Guide

*Credit values are not standard values, rather general ranges that our research shows to be the typical ranges that credit values should be for a given missed service level

2.3 Create a negotiation strategy

Once you have created service-level element criteria templates for your organization’s requirements, it’s time to document a negotiation position or strategy to use when negotiating with service providers. Not all providers are flexible with their SLA commitments, in fact most are reluctant to change or create “unique” SLOs for individual customers. Particularly cloud vendors providing IaaS, SaaS, or PaaS, SLAs. ISP/Telcom, Co-Lo and DR/BU providers also have standard SLOs that they don’t like to stray far from. On the other hand, security ops (SIEM), service desk, hardware, and SOW/PS providers who are generally contracted to provide variable services are somewhat more flexible with their SLAs and more willing to meet your requirements.

• Service providers want to avoid being held accountable to SLOs, and their SLAs are typically written to reflect that.

The goal of creating internal SLA templates and policies is to set a minimum baseline of service levels that your organization is willing to accept, and that will meet their requirements and expectations for the outsourced service. Using these templated SLOs will set the basis for negotiating the entire SLA with the provider. You can set the SLA purpose, objectives, roles, and responsibilities and then achieve these from the service provider with solid SLOs and associated reporting and remedies.

Info-Tech Insight

Web-posted SLAs that are not embedded within a signed MSA can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

2.3.1 Negotiating strategy guidance

• Be prepared. Create a negotiating plan and put together a team that understands your organization’s requirements for SLA.
• Stay informed. Request provider’s recent performance data and negotiate SLOs to the provider’s average performance.
• Know what you need. Corporate SLA templates or policies should be positioned to service providers as baseline minimums.
• Show some flexibility. Be willing to give up some ground on one SLO in exchange for acceptance of SLOs that may be more important to your organization.
• Re-group. Have a fallback position or Plan B. What if the provider can’t or won’t meet your key SLOs? Do you walk?
• Do your homework. Understand what the typical standard SLOs are for the type of service level.

2.4 SLO overachieving incentive discussion

Monitoring & Reporting

• SLO overachieving metrics are seen in some SLAs where there is a high priority for a service provider to meet and or exceed the SLOs within the SLA. These are not common terms but can be used to improve the overall service levels of a provider. In these scenarios the provider is sometimes rewarded for overachieving on the SLOs, either consistently or on a monthly or quarterly basis. In some cases, it can make financial sense to incent the service provider to overachieve on their commitments. Incentives can drive behaviors and improved performance by the provider that can intern improve the benefits to your organization and therefore justify an incent of some type.
• Example: You could have an SLO for invoice accuracy. If not achieved, it could cost the vendor if they don’t meet the accuracy metric, however if they were to consistently overachieve the metric it could save accounts payable hours of time in validation and therefore you could pass on some of these measurable savings to the provider.
• Overachieving incentives can add complexity to the SLA so they need to be easily measurable and simple to manage.
• Overachieving incentives can also be used in provider performance improvement plans, where a provider might have poor trending attainment and you need to have them improve their performance in a short period of time. Incentives typically will motivate provider improvement and generally will cost much less than replacing the provider.
• There is another school of thought that you shouldn’t have to pay a provider for doing their job; however, others are of the opinion that incentives or bonuses improve the overall performance of individuals or teams and are therefore worth consideration if both parties benefit from the over performance.

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 3

Understand SLA Elements

Create Requirements

Phase 3

Manage Obligations

Phase Steps

• 3.1 SLA monitoring and tracking
• 3.2 Reporting
• 3.3 Vendor SLA reviews & optimizing
• 3.4 Performance management

3.1 SLA monitoring, tracking, and remedy reconciliation

The next step to effective SLAs is the management component. It could be fruitless if you were to spend your time and efforts negotiating your required service levels and metrics and don’t have some level of managing the SLA. In that situation you would have no way of knowing if the service provider is attaining their SLOs.

There are several key elements to effective SLA management:

• SLO monitoring
• Simple, concise reporting
• SLO attainment tracking
• Score carding & trending
• Remedy reconciliation

SLA Management framework

SLA Monitoring → Concise Reporting → Attainment Tracking → Score Carding →Remedy Reconciliation

“A shift we’re beginning to see is an increased use of data and process discovery tools to measure SLAs,” says Borowski of West Monroe. “While not pervasive yet, these tools represent an opportunity to identify the most meaningful metrics and objectively measure performance (e.g., cycle time, quality, compliance). When provided by the client, it also eliminates the dependency on provider tools as the source-of-truth for performance data.” – Stephanie Overby

3.1 SLA management framework

SLA Performance Management

• SLA monitoring provides data for SLO reports or dashboards. Reports provide attainment data for tacking over time. Attainment data feeds scorecards and allows for trending analysis. Missed attainment data triggers remedies.
• All service providers monitor their systems, platforms, tickets, agents, sensors etc. to be able to do their jobs. Therefore, monitoring is readily available from your service provider in some form.
• One of the key purposes of monitoring is to generate data into internal reports or dashboards that capture the performance metrics of the various services. Therefore, service-level and metric reports are readily available for all of the service levels that a service provider is contracted or engaged to provide.
• Monitoring and reporting are the key elements that validate how your service provider is meeting its SLA obligations and thus are very important elements of an SLA. SLO report data becomes attainment data once the metric or KPI has been captured.
• As a component of effective SLA management, this attainment data needs to be tracked/recorded in an easy-to-read format or table over a period of time. Attainment data can then be used to generate scorecards and trending reports for your review both internally and with the provider as required.
• If attainment data shows that the service provider is meeting their SLA obligations, then the SLA is meeting your requirements and expectations. If on the other hand, attainment data shows that obligations are not being met, then actions must be taken to hold the service provider accountable. The most common method is through remedies that are typically in the form of a credit through a defined process (see Sec. 1.3). Any credits due for missed SLOs should also be tracked and reported to stakeholders and accounting for validation, reconciliation, and collection.

3.2 Reporting

Monitoring & Reporting

• Many SLAs are silent on monitoring and reporting elements and require that the customer, if aware or able, to monitor the providers service levels and attainment and create their own KPI and reports. Then if SLOs are not met there is an arduous process that the customer must go through to request their rightful credit. This manual and reactive method creates all kinds of risk and cost to the customer and they should make all attempts to ensure that the service provider proactively provides SLO/KPI attainment reports on a regular basis.
• Automated monitoring and reporting is a common task for many IT departments. There is no reason that a service provider can’t send reports proactively in a format that can be easily interpreted by the customer. The ideal state would be to capture KPI report data into a customer’s internal service provider scorecard.
• Automated or automatic credit posting is another key element that service providers tend to ignore, primarily in hopes that the customer won’t request or go through the trouble of the process. This needs to change. Some large cloud vendors already have automated processes that automatically post a credit to your account if they miss an SLO. This proactive credit process should be at the top of your negotiation checklist. Service providers are avoiding thousands of credit dollars every year based on the design of their credit process. As more customers push back and negotiate more efficient credit processes, vendors will soon start to change and may use it as a differentiator with their service.

3.2.1 Performance tracking and trending

What gets measured gets done

SLO Attainment Tracking

A primary goal of proactive and automated reporting and credit process is to capture the provider’s attainment data into a tracker or vendor scorecard. These tracking scorecards can easily create status reports and performance trending of service providers, to IT leadership as well as feed QBR agenda content.

Remedy Reconciliation

Regardless of how a credit is processed it should be tracked and reconciled with internal stakeholders and accounting to ensure credits are duly applied or received from the provider and in a timely manner. Tracking and reconciliation must also align with your payment terms, whether monthly or annually.

“While the adage, ‘You can't manage what you don't measure,’ continues to be true, the downside for organizations using metrics is that the provider will change their behavior to maximize their scores on performance benchmarks.” – Rob Lemos

3.2.1 Activity SLA Tracker and Trending Tool

1-2 hours setup

Input

• SLO metrics/KPIs from the SLA
• Credit values associated with SLO

Output

• Monthly SLO attainment data
• Credit tracking
• SLO trending graphs

Materials

• Service provider SLO reports
• Service provider SLA
• SLO Tracker & Trending Tool

Participants

• Contract or vendor managers
• Application or service managers
• Service provider

An important activity in the SLA management framework is to track the provider’s SLO attainment on a monthly or quarterly basis. In addition, if an SLO is missed, an associated credit needs to be tracked and captured. This activity allows you to capture the SLOs from the SLA and track them continually and provide data for trending and review at vendor performance meetings and executive updates.

Instructions: Enter SLOs from the SLA as applicable.

Each month, from the provider’s reports or dashboards, enter the SLO metric attainment.

When an SLO is met, the cell will turn green. If the SLO is missed, the cell will turn red and a corresponding cell in the Credit Tracker will turn green, meaning that a credit needs to be reconciled.

Use the Trending tab to view trending graphs of key service levels and SLOs.

Download the SLO Tracker and Trending Tool

3.3 Vendor SLA reviews and optimizing

Regular reviews should be done with providers

Collecting attainment data with scorecards or tracking tools provides summary information on the performance of the service provider to their SLA obligations. This information should be used for regular reviews both internally and with the provider.

Regular attainment reviews should be used for:

• Performance trending upward or downward
• Identifying opportunities to revise or improve SLOs
• Optimizing SLO and processes
• Creating a Performance Improvement Plan (PIP) for the service provider

Some organizations choose to review SLA performance with providers at regular QBRs or at specific SLA review meetings

This should be determined based on the criticality, risk, and strategic importance of the provider’s service. Providers that provide essential services like ERP, payroll, CRM, HRIS, IaaS etc. should be reviewed much more regularly to ensure that any decline in service is identified early and addressed properly in accordance with the service provider. Negative trending performance should also be documented for consideration at renewal time.

3.4 Performance management

Dealing with persistent poor performance and termination

Service providers that consistently miss key service level metrics or KPIs present financial and security risk to the organization. Poor performance of a service provider reflects directly on the IT leadership and will affect many other business aspects of the organization including:

• Ability to conduct day-to-day business activities
• Meet internal obligations and expectations
• Employee productivity and satisfaction
• Maintain corporate policies or industry compliance
• Meet security requirements

Communication is key. Poor performance of a service provider needs to be dealt with in a timely manner in order to avoid more critical impact of the poor performance. Actions taken with the provider can also vary depending again on the criticality, risk, and strategic importance of the provider’s service.

Performance reviews should provide the actions required with the goal of:

• Making the performance problems into opportunities
• Working with the provider to create a PIP with aggressive timelines and ramifications if not attained
• Non-renewal or termination consideration, if feasible including provider replacement options, risk, costs, etc.
• SLA renegotiation or revisions
• Warning notifications to the service provider with concise issues and ramifications

To avoid the issues and challenges of dealing with chronic poor performance, consider a Persistent or Chronic Failure clause into the SLA contract language. These clauses can define chronic failure, scenarios, ramifications there of, and defined options for the client including increased credit values, non-monetary remedies, and termination options without liability.

Info-Tech Insight

It’s difficult to prevent chronic poor performance but you can certainly track it and deal with it in a way that reduces risk and cost to your organization.

SLA Hall of Shame

Crazy service provider SLA content collection

• Excessive list of unreasonable exclusions
• Subcontractors’ behavior could be excluded
• Downtime credit, equal to downtime percent x the MRC
• Controllable FM events (internal labor issues, health events)
• Difficult downtime or credit calculations that don’t make sense
• Credits are not valid if agreement is terminated early or not renewed
• Customer is not current on their account, SLA or credits do not count/apply
• Total downtime = to prorated credit value (down 3 hrs = 3/720hrs = 0.4% credit)
• SLOs don’t apply if customer fails to report the issue or request a trouble ticket
• Downtime during off hours (overnight) do not count towards availability metrics
• Different availability commitments based on different support-levels packages
• Extending the agreement term by the length of downtime as a form of a remedy

SLA Dos and Don’ts

Dos

• Do negotiate SLOs to vendor’s average performance
• Do strive for automated reporting and credit processes
• Do right-size and create your SLO criteria based on risk mitigation
• Do review SLA attainment results with strategic service providers on a regular basis
• Do ensure that all key elements and components of an SLA are present in the document or appendix

Don'ts

• Don’t accept the providers response that “we can’t change the SLOs for you because then we’d have to change them for everyone”
• Don’t leave SLA preparation to the last minute. Give it priority as you negotiate with the provider
• Don’t create complex SLAs with numerous service levels and SLOs that need to be reported and managed
• Don’t aim for absolute perfection. Rather, prioritize which service levels are most important to you for the service

Summary of Accomplishment

Problem Solved

Knowledge Gained

• Understanding of the elements and components of an SLA
• A list of SLO metrics aligned to service types that meet your organization’s criteria
• SLA metric/KPI templates
• SLA Management process for your provider’s service objectives
• Reporting and tracking process for performance trending

Deliverables Completed

• SLA component and contract element checklist
• Evaluation or service provider SLAs
• SLA templates for strategic service types
• SLA tracker for strategic service providers

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Related Info-Tech Research

Improve IT-Business Alignment Through an Internal SLA

• Understand business requirements, clarify current capabilities, and enable strategies to close service-level gaps.

Data center Co-location SLA & Service Definition Template

• In essence, the SLA defines the “product” that is being purchased, permitting the provider to rationalize resources to best meet the needs of varied clients, and permits the buyer to ensure that business requirements are being met.

Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

• Keep your information security risks manageable when leveraging the benefits of cloud computing.

Bibliography

Henderson, George. “3 Most Common Types of Service Level Agreement (SLA).” Master of Project Academy. N.d. Web.

“Guide to Security Operations Metrics.” Logsign. Oct 5, 2020. Web.

Lemos, Rob. “4 lessons from SOC metrics: What your SpecOps team needs to know.” TechBeacon. N.d. Web.

“Measuring and Making the Most of Service Desk Metrics.” Freshworks. N.d. Web.

Overby, Stephanie. “15 SLA Mistakes IT Leaders Still Make.” CIO. Jan 21, 2021.