Managing Risk in Outsourcing: A Guide To Setting SLAs

Now that you've executed a contract and established the overall legal framework within which your company and your chosen service provider will operate, it’s time to define the delivery of the service itself. This is accomplished with the use of an SLA. No, SLA does not stand for the Symbionese Liberation Army — it’s disturbing how often I hear that pun — but for Service Level Agreement.

Vague, optimistic promises of a happy life together may work for some personal relationships, but they don't work between two companies. Creating an SLA to define your organization’s needs and expectations has many benefits:

  • It provides a common understanding of exactly what service is being provided (how, when, where, by whom, how often, etc.).
  • It sets everyone’s expectations realistically.
  • It simplifies complex issues by focusing everyone on what is truly important.
  • Conversely, it reduces conflict by eliminating what’s not important.
  • It makes clear the ramifications for either exceeding or failing to meet delivery requirements.

In determining what service levels to measure, it’s important to keep repeating the mantra, “If you can’t quantify it, don’t measure it.” SLAs typically assign penalties for missing targets like “number of errors per 1,000 lines of code” or reward excellence like 99.99% up-time reliability. If you can’t measure the service delivered, there's no way to prove whether or not it has been delivered. For example, since you can’t empirically define, “Make our customers happy,” no outsource vendor will accept a metric like that. If on the other hand, you know that slow help desk response is the biggest complaint your customers have, you could make a metric of reducing average hold time by 10%, thereby giving your partner a real target and making your customers happier, a double win!

A smart service provider will also ensure that SLA metrics recognize the responsibilities of the client organization in performance of that metric. For example, if the provider is going to step up to providing 24×7, 5-minute response times for remote support, then the agreement should also require that the client’s firewalls must always be accessible or the metric is un-enforceable. If you will be using the services of multiple service providers (for example call centers in India and the Philippines), then you should also consider arranging the contract and SLA so that you have a prime vendor responsible for the subordinates.

The number of SLA metrics to be tracked is another important facet. If there are too many metrics, then focus is lost on the critical activities and more overhead than necessary is being used to support the additional data capture and analysis. If there are too few metrics, a provider risks being continually found in breach of the contract. For example, one client had a contract that stated the outsourcing provider could be considered to be in breach if more than 10% of the SLA metrics were missed each measurement period. However, only four metrics had been defined, so missing just one caused an automatic breach. The client and the provider finally settled upon tracking 10 metrics.

Frequently, organizations seeking to outsource lack reliable metrics on the service levels when those services were provided internally. Rather than engaging in a guessing game across the table from your provider (and likely agreeing to a metric guaranteed to make both of you unhappy), an effective risk management strategy is to establish a baseline period. During this period your organization and your provider agree to jointly monitor and document service delivery closely and then use that data as the starting point for setting SLA metric targets.

The time to perform this base-lining is not immediately after service delivery has been turned over to your service provider. No matter how well planned or executed, there will be a period of instability as kinks get worked out of the system. A better approach is to define a transition period (for example, 60 days), followed by a baseline period (for example 90 days), and then allow for one month to negotiate ongoing metric levels. In this example, six months after the outsourcing services begin to be delivered, your organizations have concrete data, a working SLA with achievable metric goals, and are moving into routine operations with penalties and/or bonuses.

In considering penalties, it’s important to set penalties that fall somewhere between the electric chair and a light slap on the wrist. Too drastic and your partner may balk at even offering service level commitments. Too soft and they have no incentive to meet them.

Research is a good risk management tactic for this aspect. Investigate industry standards and try to adhere to them as much as possible. There’s no point in either setting levels below the standards or setting them so high that the only way the provider will accept the risk of failure is to charge exorbitant fees to create a financial safety net. As I frequently remind clients, there's no benefit in establishing an adversarial relationship, so make the development of the SLA a collaborative effort.

In addition to defining the services to be provided, document how the services are to be monitored:

  • How will the data be captured?
  • How will the data be reported (content and delivery method)?
  • How often will it be reviewed?
  • Who meets to review?

One final thought: Your business and industry is in a constant state of change; allow for the ability to revise or add metrics for technological or other advances. Also allow for the fact that your company may grow or shrink, with corresponding impacts to service levels. The SLA should be considered a living document that both parties strive to make an accurate reflection of the current service requirements of the relationship, while providing the mechanism to adapt along with your organization and your industry.

Useful Links:


Read Part 1, doing risk assessment in your outsourcing endeavors:

Read Part 2, selecting service providers to bid:

Read Part 3, evaluating service provider proposals:

Read Part 4, covering disputes in the contract

Read Part 6, managing outsourcing after the contract is signed