TechTarget.com/searchcio

https://www.techtarget.com/searchcio/tip/Why-SLA-compliance-should-be-top-of-mind-for-IT-leaders

12 best practices to keep in mind for SLA compliance

By Paul Kirvan

One of the most important contractual agreements that an organization can execute with a partner is a service-level agreement, or SLA. IT leaders should make sure that their organization is following some best practices to ensure that their partner is compliant with the SLA.

An SLA documents the products or services that the service provider will furnish and defines the service standards that the provider is obligated to meet. Creating an SLA helps organizations avoid potential issues in the future, including subpar service from the provider.

Learn more about some best practices for ensuring SLA compliance.

Why are SLAs important?

Service providers of all kinds, including managed service providers, use SLAs to ensure that their customers are satisfied. SLAs also define the circumstances in which a provider could be penalized for unsatisfactory performance.

Companies that work with service providers benefit from SLAs because the contract outlines the criteria for acceptable provider performance and specifies how to address service delivery issues.

SLAs are external if they are established with a third-party organization and internal if they are established with another department within an organization. The former is very common, and the contents of an SLA can be an important deciding factor for companies when evaluating prospective service providers. SLAs have become increasingly important as cloud vendors and MSPs, which might support some or all of an organization's IT operations, have grown in popularity.

Meanwhile, a company might use an internal SLA if, for example, an IT department develops a product for the customer service department. The SLA would lay out the customer service department's expectations for the IT department.

Service providers might establish two service agreements with companies. One is a master service agreement that defines the general terms and conditions for the working relationship. The second is the SLA, which goes into greater detail on specific provider activities, defines required performance levels and discusses the penalties for failing to achieve the desired results.

What is SLA compliance?

SLA compliance is achieved when service providers satisfy SLA requirements. SLAs must be clearly written and provide sufficient detail to avoid any uncertainty about expectations.

SLAs are often linked with an organization's KPIs. Here are some examples of SLA performance metrics that are based on a company's KPIs:

• Achieve four-nines, or 99.99%, uptime and availability for a particular system.
• Reduce mean time to repair, or MTTR, of a particular system by 75%.
• Increase contact center first-call connections to service representatives to 95%.
• Reduce carbon footprint readings by 50%.
• Reduce network latency by 80%.
• Reduce system response times by 50%.

Achieving compliance is a two-way street. The provider and the company receiving the services both have a vested interest in achieving compliance with SLA metrics.

The company's employees must carefully monitor the systems and resources that the provider is working on. While doing so is relatively easy if a company uses on-site systems and data centers, monitoring the provider is more challenging if the provider manages systems and resources. Providers might not want customers looking over their shoulders.

Providers should make every effort to achieve SLA compliance, as doing so ensures that they will get paid for their work and avoid costly litigation. SLA compliance is also key for maintaining good customer relations and renewing contracts.

Types of SLAs

There are three types of service-level agreements: customer, internal and multilevel.

1. Customer SLA

A customer SLA is also referred to as an external SLA and is established between a service provider and its customers. A customer SLA involves both parties negotiating an agreement about the services that the service provider will supply as well as penalties for nonperformance or poor performance.

Components of a customer SLA typically include the following:

• A concise description of the service expected by the customer.
• Details about the service.
• Required performance levels for the service.
• The roles and responsibilities of each party.
• The procedures for reporting and escalating performance issues.
• Penalties for lack of compliance with SLA metrics.
• Terms and procedures for canceling the SLA.

2. Internal SLA

As discussed above, this agreement is typically used within an organization. An internal SLA would be created if an IT department and its internal customer establish an agreement for delivery of a specific product or service.

Companies might have multiple SLAs in progress. For example, an IT department could be working on projects for the customer service department and the finance department.

3. Multilevel SLA

A multilevel SLA is used when a provider is supplying different service performance levels to a series of customers using the same service.

For example, a software-as-a-service provider might deliver a package of basic services and support to all of its customers, but offer different price ranges for different service levels.

Components of SLAs

SLAs are legal contracts and should include some specific elements, such as the following.

Overview of the contract

This section discusses the basics of the agreement, including the parties involved and the date it will become effective, and gives a general introduction of the services that the provider will deliver.

Product and service description

This section describes every service that the provider would potentially offer, along with performance completion dates and times, and delivery dates and times.

The section also discusses the method of service delivery, availability of maintenance service, provider hours of operation and service locations, and a detailed list of all hardware, software and network services.

Exclusions

This section is a list of services that the provider does not offer. Discussing the services that are not available helps avoid confusion.

Service performance

This section discusses the specific performance metrics that both parties have agreed to, as well as the methods that will be used for monitoring and measuring them, and a description of unacceptable performance.

Penalties

This section spells out the compensation or payment that the customer will receive if a provider does not achieve SLA compliance.

All parties and stakeholders

This section defines the parties that are involved with the SLA as well as their responsibilities.

Provision of security

Defining the security measures that the provider must carry out is important for ensuring the continued operation of the contracted resources.

This section might include details on specific agreements about IT security and nondisclosure agreements.

Disaster recovery and risk management

Outlining disaster recovery and risk management requirements is also important for ensuring that the contracted services are not disrupted by an unplanned event.

This section can discuss any risk management activities that the provider will carry out as well as a technology disaster recovery plan.

Monitoring, tracking and reporting

This section defines the methods for monitoring service performance, as well as the mechanisms for tracking and reporting issues.

It also identifies who will receive this information.

Testing, performance review, change processes and continuous improvement

The SLA should be regularly reviewed and improved in terms of quality, accuracy and legal language.

This section should also include discussion of how changes to the SLA should be carried out, including approved change management processes.

Agreement termination

The next-to-last part of an SLA should define the criteria for terminating the agreement or indicate an expiration date.

Establishing a notice period for such activities can help avoid any confusion.

Authorized signatures

The final part of the SLA should consist of the signatures of all authorized parties and stakeholders.

12 best practices for SLA compliance

Here are some best practices that CIOs and IT leaders should follow when creating an SLA with a service provider:

• Establish an understanding of the necessary elements to include in an SLA, including KPIs to track and SLA-business goal alignment.
• Establish measurable SLA performance metrics.
• Identify the parties that will be involved in the services provided for both the provider and the company receiving the services.
• Decide who will serve as the daily contact on both the provider's side and the side of the company receiving the services.
• Secure approval from the company's legal department for the SLA as well as any future updates.
• Add an indemnification provision to the agreement so that the company receiving the services is protected.
• Establish who is responsible for monitoring and analyzing performance to confirm SLA compliance.
• Establish a step-by-step procedure for reporting any SLA-related performance issues.
• Establish a step-by-step procedure for presenting any SLA compliance violations to the provider and negotiating penalties.
• Review and update SLA performance criteria when company operations change.
• Establish a process for reporting SLA performance to senior management and stakeholders.
• Set up a schedule of meetings for reviewing SLA performance. SLA performance discussion can be part of a weekly IT staff meeting or a separate meeting that specifically covers SLAs.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.