Home > News & Events > Financial Institution Letters
Financial Institution Letters
|Tools to Manage Technology Providers
Performance Risk: Service Level Agreements|
|Introduction||This document is intended to serve as a resource for banks in addressing specific challenges relating to technology outsourcing. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.|
|As community banks outsource more of their mission critical applications, properly managing the relationships between financial institutions and technology service providers1 becomes increasingly important. This brochure discusses the Service Level Agreement (SLA) as an effective tool for managing the risks associated with technology outsourcing and describes practices for measuring and monitoring service providers performance.|
|What Are Service Level Agreements?|
|Service Level Agreements (SLAs) are contractually binding clauses documenting the
performance standard and service quality agreed to by the bank and service provider. The
SLA is a key component in structuring a successful outsourcing contract. The SLA ensures
that the institution receives the services it wants at the expected performance standard
and price. As such, the SLA is a key component in managing the financial and operational
risk involved with outsourcing contracts. It also can be one way to help mitigate risk. By
specifying the measurement unit and service range for the selected category, the risk of
poor service may be diminished because it becomes an area of focus and is designated as
the service providers responsibility.
The SLAs primary purpose is to specify and clarify performance expectations, as well as establish accountability. Therefore, balancing the need for precise measurement standards with sufficient flexibility is important. A common pitfall is excessive oversight or "micro-management" of the provider responsible for the service, which can also burden the bank employees charged with supervising the service provider relationship and monitoring the SLAs.
A well-designed SLA will recognize and reward, or at least acknowledge, good service. It will also provide the measurement structure -- or performance metric -- to identify substandard service and trigger correction or cancellation provisions as warranted. In todays outsourcing environment, incentives or penalties in the SLA can be an effective tool for managing service. If services received do not measure up to expectations, direct consequences, such as reduced levels of compensation or a credit on future services, would result.
|Structuring and Developing SLAs|
|A typical SLA includes
the following components and is tailored to fit the nature of the outsourced service or
Before an SLA is signed, the service provider and the institution should clarify and establish expectations. Unless these expectations are clearly measurable, the service category will be difficult to manage due to the banks and the vendors differing goals and perspectives.
|Developing a Successful SLA Involves Four Steps|
|The SLA development
process and each of the four steps are discussed in further detail in Appendix 1. A sample
SLA is provided in Appendix 2.
Representatives from the institution (management, legal counsel, and information technology staff) and the service provider typically meet to ensure that performance metrics and targets are properly addressed when developing SLAs. Bank management may also consider interviewing some of the system users to help identify important criteria to incorporate into the SLAs.
Reaching agreement on specific SLAs may involve significant discussion and negotiation between the bank and the service provider. The bank may wish to consult with peer institutions and trade associations about useful benchmarks for performance standards. This information may be helpful in the contract negotiation process and assist the bank in determining if the service levels offered by the provider are reasonable and standard.
|Drafting Successful Service Level Agreements|
|Sufficient time and resources should be devoted to preparing SLAs. The agreement will be the primary document governing the procurer and vendor of services that may have a significant impact on the banks performance. The following items are important reminders for institutions drafting SLAs and selecting the metric(s) to be used to measure vendor performance:|
|It is worthwhile for the institution to provide for ongoing management of the agreement when a SLA is established. The SLA management process usually goes beyond performance measurement to ensure success. Generally, the measurement process should be kept as simple as possible, emphasizing timely identification of deviations from agreed upon performance metrics. Ongoing communication between the bank and the service provider is also important. The following four-phase methodology is based on observed industry practices that can help banks manage SLAs effectively:|
|Before signing an
outsourcing contract, the bank may find it beneficial to verify that important performance
requirements have been addressed, risks have been identified, and each service level is
defined. Each measurement should be defined clearly and concisely. This will provide the
foundation for effectively managing service levels throughout the four phases of the SLA
SLA management is an ongoing process, and is viewed as an integral component of the outsourcing relationship. A suggested practice is to include periodic review and change provisions in the SLA to ensure that service level goals and performance measurements can meet the changing business and technology needs of the institution.
|Service Level Agreements are tools to measure, monitor, and control the operational and financial risks associated with outsourcing technology services. Essential to this process is establishing realistic performance metrics and continuous problem tracking and resolution. The bank should consider working closely with service providers to identify, verify, and correct problems; perform root-cause analysis; and make process modifications to prevent problems from recurring. As the outsourcing relationship progresses, SLAs should reflect the evolution of services provided. Accordingly, they should be updated to facilitate continued service improvement. Well-constructed SLAs are an effective tool for managing service provider performance and ensuring that the bank receives the quality of service that it needs and expects.|
|While many factors determine how the bank and its service provider will agree to manage the quality of service, the four-step process2 outlined below may be helpful in developing successful SLAs. This process facilitates identifying essential requirements for the outsourced service and translating the requirements into measurable and accountable performance standards.|
|The first step in creating an SLA is determining the standards the outsourced activity needs to meet in order to assist the bank in attaining its strategic goals. The bank should consider the criticality of the activity to the banks mission and weigh the impact success or failure will have on the banks operations or reputation. The institution also needs to consider the relationship of the outsourced activity to other systems, applications, and functions in the bank and take into account any critical interdependencies. Based on this analysis, the bank can identify the objectives that are critical in ensuring the success of the function. For each activity, function, and process, a clear objective is needed to understand what constitutes success.|
|In order to attain strategic goals, it is important to identify how the institution is going to achieve the objectives that have been set. To establish these requirements, the institution can break the objectives down into specific activities that must be undertaken to achieve the goal. While the objectives refer to broad statements geared toward attaining success, the performance requirements are targeted at the specific activities that the bank can require from the service provider to ensure the strategic objective is met.|
|In formulating an agreement, the bank can identify
specific measurements that indicate if the prescribed requirements are being met. The
measurements or metrics - that correspond to the performance requirements represent
tangible or quantifiable deliverables that bank management can monitor and discuss with
the service provider, as appropriate. Target metrics should be objective and clearly
linked to the banks business needs and risk management requirements. Metrics should
be established based on specific tolerance levels and the minimum acceptable levels of
service. A minimum acceptable level of service also should be set to define the point of
The following table provides two examples of strategic objectives and related performance requirements, along with target metrics. The first objective pertains to system security and may be appropriate for an outsourced activity involving sensitive data or applications. The second objective addresses certain reliability and availability needs that may be associated with an outsourced system that processes or stores information essential for bank employees or customers. The corresponding performance requirements and measurements provide the means to quantify and document service provider performance.
Table 1 - Examples of Objectives, Requirements, and Measurements
|Clear definitions of accountability are important to ensure that both the bank and the service provider understand their roles and responsibilities for each service level requirement. However, beyond simply designating a role or activity, accountability should also be established by specifying the consequences if a given service level is not met. Incentives and penalties can play a key role in establishing accountability. Incentives can be used to motivate a service provider to meet or exceed specified service levels by offering a reward. Rewards should generally be attractive enough to motivate the provider, but less than the actual financial value provided by the service. Penalty clauses also should be considered and bank management should have the right to exercise these penalties for any defined service delivery failures.|
|When negotiating incentives and penalties into
an SLA, it is helpful to consider:
|(Note: This SLA is for illustration purposes only, and not to be relied upon as a model contract for any specific service agreement. Actual SLAs will vary widely depending on the services contracted. Additional provisions or an increase in the scope of this SLA will be necessary to govern other aspects of the relationship, such as security. Consult with bank legal counsel for specifics of contract clauses and formation advice.)|
This agreement is between Buyer and Vendor. This document outlines the service level roles, responsibilities, and objectives of Buyer and Vendor in support of the given functional area.
Scope of Services
Vendor will house, manage, and operate all hardware and software necessary to provide Internet banking applications to Buyer.
This SLA addresses application availability.
Acceptable Range of Service Quality
The Internet banking application shall be available at least 99.5% of each week.
Definition of What is Being Measured
"Availability" will be measured as the percentage of minutes each day that the Internet banking application will be able to receive and respond to messages from the Internet. The servers ability to receive messages will be ascertained using time-check availability software.
Formula for Calculating the Measurement
System availability shall be measured as the number of minutes per day that the Buyers Internet banking application is capable of receiving and responding to messages from the Internet divided by 1,440 (the total number of minutes in a day).
A 30-minute period from 2:00 AM to 2:30 AM shall be excluded from the calculation because Vendor will be performing system maintenance at this time each day.
Relevant Credits/Penalties for Achieving/Failing Performance Targets
If Vendor is unable to provide this service level to Buyer, Vendor will provide priority support to Buyer until performance levels are met. Service below the prescribed level will result in a rebate of 50% of the monthly fee for the month in which the exception takes place.
If Vendor fails to provide the agreed upon service level for more than two consecutive months, Buyer shall have the right to renegotiate the contract and/or terminate this agreement.
Frequency and Interval of Measurement
The systems availability shall be measured daily by Vendor using time-check availability software. Vendor shall submit monitoring reports generated by this program to Buyer on a weekly basis.
Buyer shall review all monitoring reports and advise Vendor of any deviations from this agreement in a timely manner.
(Include any other items that Buyer will need to do so that Vendor may perform its tasks.)
Vendor shall assume responsibility for customer communications at the point that customer messages leave the Internet service provider.
Vendor shall ensure that all messages are processed in a timely fashion. (Be sure to define the specifics of "timely" standards.)
Vendor shall ensure that the system shall be able to accept and respond to 1,200 inquiries per minute.
(Include any other items that Vendor will need to do to provide the prescribed level of service to Buyer.)
In the event that Vendor is unable to meet the terms of this agreement, the CIO of Buyer and IT Manager of Vendor shall discuss resolution of the situation. If Vendor will be unable to provide service for more than two hours, Vendors contingency operating plan shall be invoked.
Authorized representatives of Buyer and Vendor must mutually agree upon changes to this SLA.
All changes must be made and agreed to in writing.
Either party may request review of this SLA at any time. Each party will review the SLA annually and advise the other party of any desired changes.
|1Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. Other terms used to describe Service Providers include vendors, subcontractors, external service provider (ESPs) and outsourcers.|
|Last Updated firstname.lastname@example.org|