Series Recap:
When planning to outsource all or part of an organization's IT functions, it is important to perform active risk management throughout all stages of the outsourcing lifecycle. Active risk management is a process of continually identifying and monitoring potential failure points in a plan, determining the probability of occurrence, estimating the impact of each failure, and then developing ways to lessen or avoid those risks (i.e. Mitigation). The more unknowns your outsource provider faces, the greater the risk. Risk costs money, so the more risk that can be driven out of an IT outsourcing solution, the less a vendor will charge you and the greater the chance becomes for a successful outsource.

Now that you have executed a contract and established the overall legal framework within which your company and your chosen outsource provider will operate, it's time to define the delivery of the service itself. This is accomplished with the use of an SLA; and before someone makes the very old joke, no, SLA does not stand for the Symbionese Liberation Army (it's disturbing how often I hear that pun) but instead for Service Level Agreement.

As mentioned in previous articles, vague, optimistic promises of a happy life together may work for some personal relationships, but they do not work between two companies. Creating an SLA to define your organization's needs and expectations has many benefits:

• It provides a common understanding of exactly what service is being provided (how, when, where, by whom, how often, etc.)
• It sets everyone's expectations realistically
• It simplifies complex issues by focusing everyone on what is truly important
• Conversely, it reduces conflict by eliminating what's not important
• It makes clear the ramifications for either exceeding or failing to meet delivery requirements

In determining what service levels to measure, it's important to keep repeating the mantra "if you can't quantify it, don't measure it". SLA's typically assign penalties for missing targets like "number of errors per 1000 lines of code" or reward excellence like 99.99% up-time reliability. If you can't measure the service delivered, there is no way to prove whether or not it has been delivered. For example, since you can't empirically define "make our customers happy", no outsource vendor will accept a metric like that. If on the other hand, you know that slow help desk response is the biggest complaint your customers have, you could make a metric of reducing average hold time by 10%, thereby giving your partner a real target and making your customers happier, a double win!

A smart outsource provider will also ensure that SLA metrics recognize the responsibilities of the client organization in performance of that metric. For example, if the provider is going to step up to providing 24x7, 5-minute response times for remote support, then the agreement should also require that the client's firewalls must always be accessible or the metric is un-enforceable. If you will be using the services of multiple outsource providers (for example call centers in India and the Philippines), then you should also consider arranging the contract and SLA so that you have a prime vendor responsible for the subordinates.

The number of SLA metrics to be tracked is another important facet. If there are too many metrics, then focus is lost on the critical activities and more overhead than necessary is being used to support the additional data capture and analysis. If there are too few metrics, a provider risks being continually found in breach of the contract. For example, one client had a contract that stated the outsourcing provider could be considered to be in breach if more than 10% of the SLA metrics were missed each measurement period. However, only four metrics had been defined so missing just one caused an automatic breach. The client and the provider finally settled upon tracking 10 metrics.

Frequently, organizations seeking to outsource do not have reliable metrics on the service levels when those services were provided internally. Rather than engaging in a guessing game across the table from your provider (and likely agreeing to a metric guaranteed to make both of you unhappy) an effective risk management strategy is to establish a baseline period. During this period your organization and your provider agree to jointly monitor and document service delivery closely and then use that data as the starting point for setting SLA metric targets. The time to perform this base-lining is not immediately after service delivery has been turned over to your outsourcing partner; no matter how well planned or executed there will be a period of instability as kinks gets worked out of the system. A better approach is to define a transition period (for example, 60 days), followed by a baseline period (for example 90 days), and then allow for one month to negotiate ongoing metric levels. In this example, 6 months after the outsourcing services begin to be delivered, your organizations have concrete data, a working SLA with achievable metric goals, and are moving into routine operations with penalties and/or bonuses.

In considering penalties, it's important to set penalties that fall somewhere between the electric chair and a light slap on the wrist. Too drastic and your partner may balk at even offering service level commitments, too soft and they have no incentive to meet them.

Research is a good risk management tactic for this aspect; investigate industry standards and try to adhere to them as much as possible. There's no point in either setting levels below the those standards or setting them so high that the only way the provider will accept the risk of failure is to charge exorbitant fees to create a financial safety net. As repeated frequently throughout this series, there is no benefit in establishing an adversarial relationship, so make the development of the SLA a truly collaborative effort.

In addition to defining the services to be provided, document how the services are to be monitored:

• How will the data be captured?
• How will the data be reported (content and delivery method)?
• How often will it be reviewed?
• Who meets to review?

One final thought; your business and industry is in a constant state of change; allow for the ability to revise or add metrics for technological or other advances. Also allow for the fact that your company may grow or shrink, with corresponding impacts to service levels. The SLA should be considered a living document that both parties strive to make an accurate reflection of the current service requirements of the relationship, while providing the mechanism to adapt along with your organization and your industry.

Next month, Part VI of this series will deal with managing risks in ongoing outsourcing agreements.

Risk management and program management skills for IT outsourcing are specialized skills that many organizations have not had to previously develop an in-house expertise for. With experience on literally billions of dollars worth of these types of engagements, Alsbridge is happy to provide the objective, experienced knowledge and insight your company requires in successfully navigating an IT Outsourcing effort.

About the Author

Stephen Reed is an established industry leader with a successful track record in Outsourcing, BPR, and Program Management in a wide variety of Industries. Receiving his PMP Certification in 1996 from the Project Management Institute, Stephen is a recognized expert in Risk Management, and was a contributing writer on the Project Management Body of Knowledge (PMBOK). The PMBOK is the standard used by over 100,000 professional project managers worldwide. To date, Stephen has successfully led the implementation of over $2 billion in outsourcing and technology solutions.

Stephen has a BA in Management from Loyola College and an MBA in International Business from the Sellinger School of Business.