Views from the Store

Why do I need a contract or Service Level Agreement?

You outsource your IT help desk, your email services and your website, but do you know what protection you have and what you get for your money in the contract? I have many conversations with clients about the risk profile of the outsourced IT service contracts on which their business critically depends. In some cases the discussion happens before a problem, but in many cases it is after some unplanned downtime when their Service Level Agreement (SLA) contract was found to be wanting. In this article I will discuss some common problems that I find and what you can do to protect yourself. It is aimed at customers and service providers alike.

The SLA is the contract that is signed at the start of an engagement with a supplier for the delivery of services. That is if there is a contract at all, as many a small business will outsource critical IT services without one. This shows either a lack of understanding or major trust on the part of the customer, and a service provider that has not adequately outlined the service and responsibilities for the contract. We have all been in the position where we skim over the 16 page agreement document and look at the headline figures of price, response time, fix time, downtime and compensation if it goes wrong, but do we really read the contract and see what we get in detail? In addition to not really understanding the contract, businesses of all sizes do not check that the supplier is meeting its terms by carrying out regular reviews. We have found businesses that initially understood the contract but have since implemented major change through expansion, consolidation or new application services without updating it, such that they are paying for a service that they do not use or, in the worst case, one that offers little or no protection for the new business position.

So what are these services that are outsourced and not understood? They include:

  • Broadband
  • eMail
  • IT Support
  • Backup
  • Security Protection
  • Cloud Services
  • Website hosting
  • Application Support

I appreciate that the above list is not exhaustive, may be overlapping to some readers and could be too general for others but these are what my clients ask to be reviewed.

In the main I find that the client will typically have clicked through a contract, as it is delivered electronically at the point of service provision if bought online. This agreement is the ‘I agree with the terms and conditions’ check box that you ticked when you signed up; you are one of the 10% that reads them, aren’t you? In other cases the client will have signed up through a third party provider that offers a service wrapper around the underlying service, and in a lot of cases without seeing or signing a contract with that service provider. The impact of this overall arrangement with contracts is that the client does not know what services they have signed up for and are paying for.

The problem is partly down to the way that the IT industry operates, particularly when dealing with online services or with smaller businesses. The client needs to take as much responsibility for the services and their associated contract as suppliers do. There are examples where I have found that clients have agreed to a regular payment for, say, backup and server monitoring and there is no definition of what this service entails. I would suggest that the lack of a contract, signed or unsigned, makes it very hard for either side to fight its case during a dispute, so I urge both sides to ensure that there is a contract issued prior to services being delivered and that both parties read it. In addition to being signed at the start, the contract should be reviewed at appropriate periods to ensure that the services are still aligned to meet the business requirements, as these may have changed.

Getting back to the SLA, let’s talk about response time, recovery time and compensation in the context of Internet connections but this can be true of any SLA regardless of the type of service. I will choose one ISP, sorry BT, to review their standard SLA for their business grade Infinity broadband service. This subject is normally brought up in discussion when a client complains about downtime, irregular speeds or poor response to problems and affects all ISP data services but there will be some subtle changes with each ISP so check your contract.

The BT terms and conditions can be read at but you will need to follow many links to get to the detail.

You will find that the engineering service cover starts at 5 days a week (Monday to Friday 0800-1800) with a 2 working day fix time, but that is actually until the end of the day after the 2 days, so it is really 3 days before they pay a service credit of £25 if it is not resolved. Now please do not get me wrong Mr/Mrs/Miss BT Lawyer, you have been very open about this in your terms and conditions but, with all due respect, nobody really reads them until they are complaining, and this is true of all contracts. Besides, I would not need to write this article if everything was fine.

This detailed discussion comes about with a client when, after the outages, they do not wish to pay the higher price for a leased line for their business critical application. Generally, when the client is introduced to the SLA for the broadband and for a leased line, their view does change on whether to pay for the leased line service or accept the service that they get on commodity broadband, as the old adage of ‘you get what you pay for’ comes to mind. Giving BT another chance, their leased line SLA offers 100% uptime and will pay 1 day of service credit for every hour of unplanned downtime, so it is very simple to understand, but this is capped at 10 days per quarter. Other ISP SLAs that I have reviewed offer, say, a 99.96% uptime per year with sliding scales of service credit based on the level of breach for each incident once the annual availability target has been exceeded, which you claim annually against next year’s service fees. You will see that these service credit terms are more complex and can be subject to staying with the supplier, so you should understand this process, as there will probably also be a timing issue in claiming a service credit.

Let’s go back a bit to that 99.96% annual SLA: what does that mean in real terms to the customer? The 99.96% equates to 3.5 hours of unplanned downtime a year before service credits start. You will notice the use of unplanned downtime, as the SLA will typically allow a period of planned downtime for scheduled maintenance to be carried out, usually with a notice period or a designated time period every day, week or month as appropriate for the service. What I hope that this shows is that the service credit is relatively small, regardless of the service type. I would therefore suggest that the level of service availability demanded by the business, together with the availability and quality of customer support, should be the driver for choosing one service type and provider over another, as the impact of downtime on the business and its customers will cost much more than the level of compensation that is on offer.

The main bone of contention in an SLA is usually failure to meet response times, with this usually meaning the initial response following the fault being reported. It should be noted that these are typically affected by the operating hours. This first response, in the worst case, could be the fault tracking notification email, but thankfully service providers are moving away from this to counting the call back, the next communication that they have with you, as the response. I find that some SLAs go further than this initial response and provide an SLA for follow up activities and even fix times where this can be controlled. I have seen some contracts that have 24 or 48 hour responses to an ongoing problem without the possibility of escalating the issue until this has been breached on 2 or 3 consecutive occasions. In this area, I believe that the service providers need to update their SLAs to be more responsive, as customers will appreciate a responsive support system, but also make them appropriate for the situation and service. Customers need to understand the SLA response times and the escalation routes within their contracts but recognise the cost implications of having faster response support services.

Whilst the above was introduced in the context of Internet connections, it will apply to all other forms of contract in respect to the response time, recovery time, hours of response and any service credit for failing to meet the SLA. Where service contracts differ from this example is in respect to the actual scope and type of service offered, how service performance is measured and where responsibilities fall. In my experience, the more complex the service, the simpler the definition is, and that usually leaves things open to being ambiguous, but this is not always the case. Contracts are normally read and signed at the start of the contract, at a renewal review or when things are going wrong, and it is in this last situation that ambiguity does not help either party.

Take a Cloud application SLA that I reviewed for a client, which stated ‘We operate continuous data backups to our secondary data centre at XXX with a 15 minute maximum write delay’. Whilst this could be taken as offering high levels of availability and rapid recovery, is the level of data loss acceptable should the secondary data centre need to be activated? The SLA did not state that there were additional recovery points available beyond this 15 minute point. When looking into the SLA and the service delivery process in more detail, it was found that this was the only available recovery point, as there were no secondary backup processes to allow recovery of older data points. In addition to the lack of any additional data backup processes, the secondary data centre activation process was found to be inadequately tested, which placed a very high dependency upon this one recovery point working.

So what can you do about the Service Level Agreement:

  • Not a lot in many cases, but review the standard SLA terms and conditions and speak with the service provider about enhanced services once you understand what you are actually paying for, as there may be options if you need more.
  • If you are a business that operates 24×7, I would suggest that you need access to support 24×7 for business critical services, so ensure that your agreement includes cover at a level appropriate for your business. If your current provider is not able to offer this, change to one that can.
  • Periodically review the SLA to ensure that it is still meeting the business requirements.
  • Put in place internal controls that review the performance of the service provider.
  • Plan for failure; it makes recovery easier.
  • Include outsourced services in your business continuity planning so your business impact is managed if your service provider fails.