This document is intended to
serve as a resource for banks in addressing specific challenges relating to technology
outsourcing. The content was prepared not as examination procedures or official guidance
but as an informational tool for community bankers.
As community banks outsource more of their mission-critical
applications, properly managing the relationships between financial institutions
and technology service providers[1] becomes
increasingly important. This brochure discusses the Service Level Agreement (SLA) as an
effective tool for managing the risks associated with technology outsourcing and describes
practices for measuring and monitoring service providers' performance.
Service Level Agreements (SLAs) are contractually binding clauses documenting the
performance standard and service quality agreed to by the bank and service provider. The
SLA is a key component in structuring a successful outsourcing contract. The SLA ensures
that the institution receives the services it wants at the expected performance standard
and price. As such, the SLA is a key component in managing the financial and operational
risk involved with outsourcing contracts. It also can be one way to help mitigate risk. By
specifying the measurement unit and service range for the selected category, the risk of
poor service may be diminished because it becomes an area of focus and is designated as
the service provider's responsibility.
The SLA's primary purpose is to specify and clarify performance
expectations, as well as establish accountability. Therefore, balancing the need for
precise measurement standards with sufficient flexibility is important. A common pitfall
is excessive oversight or "micro-management" of the provider responsible for the
service, which can also burden the bank employees charged with supervising the service
provider relationship and monitoring the SLAs.
A well-designed SLA will recognize and reward, or
at least acknowledge, good service. It will also provide the measurement structure -- or
performance metric -- to identify substandard service and trigger correction or
cancellation provisions as warranted. In today's outsourcing environment, incentives
or penalties in the SLA can be an effective tool for managing service. If services
received do not measure up to expectations, direct consequences, such as reduced levels of
compensation or a credit on future services, would result.
A typical SLA includes
the following components and is tailored to fit the nature of the outsourced service or
Service category (e.g., system availability or
Acceptable range of service quality.
Definition of what is being measured.
Formula for calculating the measurement.
Relevant credits/penalties for achieving/failing
Frequency and interval of measurement.
Before an SLA is signed, the service provider and
the institution should clarify and establish expectations. Unless these expectations are
clearly measurable, the service category will be difficult to manage due to the
bank's and the vendor's differing goals and perspectives.
Determining objectives - Reviewing the strategic
business needs of the financial institution includes evaluating its day-to-day operating
environment, risk factors, and market conditions. Consideration should be given to how the
outsourced service fits into the bank's overall strategic plan.
Defining requirements - Identifying the
operational objectives (e.g., the need to improve operating efficiency, reduce costs, or
enhance security) will help the institution to define performance requirements. It will
also help identify the levels of service the bank needs from the service provider to meet
its strategic goals and objectives for the outsourced activity.
Setting measurements - Clear and impartial
measurements - or metrics - can be developed once the strategic needs and operating
objectives have been defined. The metrics are used to measure and confirm that the
necessary service levels have been achieved and the objectives and strategic intent have
Establishing accountability - It is useful to
develop and adopt a framework that ensures accountability after the measurement units
(i.e., the metrics) have been clearly defined. The service provider rarely owns
accountability and responsibility for all tasks. Establishing this accountability usually
includes a clear statement of the outcome if the level of service is exceeded or if the
expected service fails to meet the stated standard.
The SLA development
process and each of the four steps are discussed in further detail in Appendix 1. A sample
SLA is provided in Appendix 2.
from the institution (management, legal counsel, and information technology staff) and the
service provider typically meet to ensure that performance metrics and targets are
properly addressed when developing SLAs. Bank management may also consider interviewing
some of the system users to help identify important criteria to incorporate into the SLAs.
Reaching agreement on specific SLAs may involve
significant discussion and negotiation between the bank and the service provider. The bank
may wish to consult with peer institutions and trade associations about useful benchmarks
for performance standards. This information may be helpful in the contract negotiation
process and assist the bank in determining if the service levels offered by the provider
are reasonable and standard.
Sufficient time and
resources should be devoted to preparing SLAs. The agreement will be the primary document
governing the procurer and vendor of services that may have a significant impact on the
bank's performance. The following items are important reminders for institutions
drafting SLAs and selecting the metric(s) to be used to measure vendor performance:
Focus on the most important areas. Financial
institutions should identify the performance and risk factors that are most crucial to the
success of the outsourced function. The institution should invest its time drafting strong
SLAs for these areas. Areas with minimal effect on the process will be of less importance
and, accordingly, should have less prominence in the contracting process.
Make sure that performance metrics measure what
the bank wants them to measure. Verify that the metrics used to govern the SLA
appropriately represent the functions that the bank intends to measure.
The metrics should measure the performance the
service provider is giving the bank, and not be based on the performance the vendor is
delivering in aggregate to all its customers.
Ensure that SLAs are focused on institutional
goals. Avoid the trap of creating agreements that are focused on the success of the
individual process without regard for how the process addresses a corporate goal. Each
measurement should logically support a requirement that is linked to a strategic goal.
Be specific. Ensure that all parties involved in
the SLA understand the terms spelled out in the agreement. Terms should be clearly defined
to avoid different interpretations. Spending extra time defining terms when creating an
agreement can prevent misunderstandings and loss of time and money caused by differing
interpretations of the intent of the SLA.
It is worthwhile for
the institution to provide for ongoing management of the agreement when an SLA is
established. The SLA management process usually goes beyond performance measurement to
ensure success. Generally, the measurement process should be kept as simple as possible,
emphasizing timely identification of deviations from agreed upon performance metrics.
Ongoing communication between the bank and the service provider is also important. The
following four-phase methodology is based on observed industry practices that can help
banks manage SLAs effectively:
Measure service activity results against defined
Examine measured results to identify problems and
Take appropriate action to correct failed
activities, functions, and/or processes.
Continuously guide service providers through
feedback sessions based on objectively measured performance metrics.
Before signing an
outsourcing contract, the bank may find it beneficial to verify that important performance
requirements have been addressed, risks have been identified, and each service level is
defined. Each measurement should be defined clearly and concisely. This will provide the
foundation for effectively managing service levels throughout the four phases of the SLA
SLA management is an
ongoing process, and is viewed as an integral component of the outsourcing relationship. A
suggested practice is to include periodic review and change provisions in the SLA to
ensure that service level goals and performance measurements can meet the changing
business and technology needs of the institution.
Agreements are tools to measure, monitor, and control the operational and financial risks
associated with outsourcing technology services. Essential to this process is establishing
realistic performance metrics and continuous problem tracking and resolution. The bank
should consider working closely with service providers to identify, verify, and correct
problems; perform root-cause analysis; and make process modifications to prevent problems
from recurring. As the outsourcing relationship progresses, SLAs should reflect the
evolution of services provided. Accordingly, they should be updated to facilitate
continued service improvement. Well-constructed SLAs are an effective tool for managing
service provider performance and ensuring that the bank receives the quality of service
that it needs and expects.
While many factors
determine how the bank and its service provider will agree to manage the quality of
service, the four-step process[2] outlined below may
be helpful in developing successful SLAs. This process facilitates identifying essential
requirements for the outsourced service and translating the requirements into measurable
and accountable performance standards.
The first step in
creating an SLA is determining the standards the outsourced activity needs to meet in
order to assist the bank in attaining its strategic goals. The bank should consider the
criticality of the activity to the bank's mission and weigh the impact success or
failure will have on the bank's operations or reputation. The institution also needs
to consider the relationship of the outsourced activity to other systems, applications,
and functions in the bank and take into account any critical interdependencies. Based on
this analysis, the bank can identify the objectives that are critical in ensuring the
success of the function. For each activity, function, and process, a clear
objective is needed to understand what constitutes success.
In order to attain
strategic goals, it is important to identify how the institution is going to achieve the
objectives that have been set. To establish these requirements, the institution can break
the objectives down into specific activities that must be undertaken to achieve the goal.
While the objectives refer to broad statements geared toward attaining success, the
performance requirements are targeted at the specific activities that the bank can require
from the service provider to ensure the strategic objective is met.
In formulating an agreement, the bank can identify
specific measurements that indicate if the prescribed requirements are being met. The
measurements - or metrics - that correspond to the performance requirements represent
tangible or quantifiable deliverables that bank management can monitor and discuss with
the service provider, as appropriate. Target metrics should be objective and clearly
linked to the bank's business needs and risk management requirements. Metrics should
be established based on specific tolerance levels and the minimum acceptable levels of
service. A minimum acceptable level of service also should be set to define the point of
The following table
provides two examples of strategic objectives and related performance requirements, along
with target metrics. The first objective pertains to system security and may be
appropriate for an outsourced activity involving sensitive data or applications. The
second objective addresses certain reliability and availability needs that may be
associated with an outsourced system that processes or stores information essential for
bank employees or customers. The corresponding performance requirements and measurements
provide the means to quantify and document service provider performance.
Table 1 - Examples of Objectives, Requirements, and Measurements

Objective: system and bank/customer data must be protected with strong security.
    Requirement: Regular checks for intrusions or other security breaches.
    Measurement: Copies of intrusion scan reports to be sent at pre-determined frequency.
    Requirement: Periodic security assessments, tests, or reviews.
    Measurement: Copies of independent security assessment reports to be provided at pre-determined frequency.
    Requirement: Timely reporting of incidents and follow up to bank management.
    Measurement: Regular incident reports (frequency will depend upon system criticality).

Objective: critical systems must be reliable and available.
    Requirement: System downtime must be minimal.
    Measurement: Specified requirement for system uptime (e.g., 99.9%).
    Requirement: The system must be able to support certain volumes of activity at a given time.
    Measurement: Specified requirement or parameters for capacity (e.g., 1,000 transactions processed per minute).
Clear definitions of accountability are
important to ensure that both the bank and the service provider understand their roles and
responsibilities for each service level requirement. However, beyond simply designating a
role or activity, accountability should also be established by specifying the consequences
if a given service level is not met. Incentives and penalties can play a key role in
establishing accountability. Incentives can be used to motivate a service provider to meet
or exceed specified service levels by offering a reward. Rewards should generally be
attractive enough to motivate the provider, but less than the actual financial value
provided by the service. Penalty clauses also should be considered and bank management
should have the right to exercise these penalties for any defined service delivery
When negotiating incentives and penalties into
an SLA, it is helpful to consider:
The importance of the performance measure to the
bank - This will help the bank determine how to weight the associated incentives/penalties
as well as the frequency for monitoring performance.
Each party's expectations for quality and
consistency - These factors, coupled with prior experiences, may help the bank determine
the best method for motivating the provider toward desired performance.
The severity of the consequences to the bank if
key performance measures are not met - The effect on the institution should be a
motivating factor for the institution when determining whether compensation clauses or
other remedies should be provided.
(Note: This SLA is for illustration purposes
only, and not to be relied upon as a model contract for any specific service agreement.
Actual SLAs will vary widely depending on the services contracted. Additional provisions
or an increase in the scope of this SLA will be necessary to govern other aspects of the
relationship, such as security. Consult with bank legal counsel for specifics of contract
clauses and formation advice.)
This agreement is between Buyer and Vendor. This document
outlines the service level roles, responsibilities, and objectives of Buyer and Vendor in
support of the given functional area.
Scope of Services
Vendor will house, manage, and operate all
hardware and software necessary to provide Internet banking applications to Buyer.
This SLA addresses application availability.
Acceptable Range of Service Quality
The Internet banking application shall be
available at least 99.5% of each week.
Definition of What is Being Measured
"Availability" will be measured as the
percentage of minutes each day that the Internet banking application will be able to
receive and respond to messages from the Internet. The server's ability to receive
messages will be ascertained using time-check availability software.
Formula for Calculating the Measurement
System availability shall be measured as the
number of minutes per day that the Buyer's Internet banking application is capable of
receiving and responding to messages from the Internet divided by 1,440 (the total number
of minutes in a day).
A 30-minute period from 2:00 AM to 2:30 AM shall
be excluded from the calculation because Vendor will be performing system maintenance at
this time each day.
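An added example, not part of the brochure or the sample SLA: a Python sketch of the availability formula above, run over constructed outage records. It assumes the weekly figure is the mean of the seven daily figures, and it computes two readings of the maintenance exclusion: removing the window from both numerator and denominator (1,410 measurable minutes), or removing it from the numerator only while still dividing by 1,440, which caps a fault-free day at about 97.9% and so can never reach the 99.5% target.

```python
from datetime import date, datetime, timedelta

MINUTES_PER_DAY = 1440
MAINT = range(120, 150)   # 2:00 AM-2:30 AM, as minutes after midnight
TARGET_PCT = 99.5         # weekly availability floor from the sample SLA

def failed_minutes(outages):
    """Expand (start, end) outage pairs into {date: {minute_of_day}}; end is exclusive."""
    per_day = {}
    for start, end in outages:
        t = start
        while t < end:  # walks across midnight, so one outage can hit two days
            per_day.setdefault(t.date(), set()).add(t.hour * 60 + t.minute)
            t += timedelta(minutes=1)
    return per_day

def daily_pct(down, adjust_denominator):
    """Availability for one day; failures inside the maintenance window are not counted."""
    counted_down = len(down - set(MAINT))
    measurable = MINUTES_PER_DAY - len(MAINT)          # 1,410 minutes
    up = measurable - counted_down
    total = measurable if adjust_denominator else MINUTES_PER_DAY
    return 100.0 * up / total

def weekly_report(week_start, outages, adjust_denominator=True):
    """Assumption: weekly availability is the mean of the seven daily percentages."""
    per_day = failed_minutes(outages)
    days = [week_start + timedelta(days=i) for i in range(7)]
    daily = [daily_pct(per_day.get(d, set()), adjust_denominator) for d in days]
    weekly = sum(daily) / 7
    return {"daily": [round(p, 3) for p in daily],
            "weekly": round(weekly, 3),
            "met": weekly >= TARGET_PCT}

# Constructed sample data (not real monitoring output).
WEEK_START = date(2024, 3, 4)
OUTAGES = [
    (datetime(2024, 3, 4, 1, 50), datetime(2024, 3, 4, 2, 40)),   # overlaps maintenance
    (datetime(2024, 3, 6, 23, 45), datetime(2024, 3, 7, 0, 15)),  # spans midnight
    (datetime(2024, 3, 8, 14, 0), datetime(2024, 3, 8, 14, 25)),
]

if __name__ == "__main__":
    print("window excluded from both:", weekly_report(WEEK_START, OUTAGES))
    print("fault-free week, divide by 1,440:",
          weekly_report(WEEK_START, [], adjust_denominator=False))
```
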
Relevant Credits/Penalties for
Achieving/Failing Performance Targets
If Vendor is unable to provide this service level
to Buyer, Vendor will provide priority support to Buyer until performance levels are met.
Service below the prescribed level will result in a rebate of 50% of the monthly fee for
the month in which the exception takes place.
If Vendor fails to provide the agreed upon
service level for more than two consecutive months, Buyer shall have the right to
renegotiate the contract and/or terminate this agreement.
Frequency and Interval of Measurement
The system's availability shall be measured
daily by Vendor using time-check availability software. Vendor shall submit monitoring
reports generated by this program to Buyer on a weekly basis.
Buyer shall review all monitoring reports and
advise Vendor of any deviations from this agreement in a timely manner.
(Include any other items that Buyer will need to
do so that Vendor may perform its tasks.)
Vendor shall assume responsibility for customer
communications at the point that customer messages leave the Internet service provider.
Vendor shall ensure that all messages are
processed in a timely fashion. (Be sure to define the specifics of "timely"
Vendor shall ensure that the system shall be able
to accept and respond to 1,200 inquiries per minute.
(Include any other items that Vendor will need to
do to provide the prescribed level of service to Buyer.)
In the event that Vendor is unable to meet the
terms of this agreement, the CIO of Buyer and IT Manager of Vendor shall discuss
resolution of the situation. If Vendor will be unable to provide service for more than two
hours, Vendor's contingency operating plan shall be invoked.
Authorized representatives of Buyer and Vendor
must mutually agree upon changes to this SLA.
All changes must be made and agreed to in
Either party may request review of this SLA at
any time. Each party will review the SLA annually and advise the other party of any
service providers encompass a broad range of entities including but not limited to
affiliated entities, nonaffiliated entities, and alliances of companies providing products
and services. This may include but is not limited to: core processing; information and
transaction processing and settlement activities that support banking functions such as
lending, deposit-taking, funds transfer, fiduciary, or trading activities;
Internet-related services; security monitoring; systems development and maintenance;
aggregation services; digital certification services, and call centers. Other terms used
to describe Service Providers include vendors, subcontractors, external service provider
(ESPs) and outsourcers.