Managing Service Level Agreement

Transcription

1 Managing Service Level Agreement Natasa Zabkar ¹Triglav Insurance Company Ltd Miklošičeva 19, 1000 Ljubljana, Slovenia Viljan Mahnic ²University of Ljubljana Faculty of Computer and Information Science Tržaška 25, 1000 Ljubljana, Slovenia Keywords: Control Objectives for Information and Related Technology (COBIT), IT governance, IT management, maturity model, internal service level agreement (SLA) Abstract: In this paper service level agreement (SLA) management is presented. SLA defines minimum acceptable performance measures for IT unit and its users. In the first part of this paper the role of SLA in IT governance is introduced. Then the definition of SLA is given, followed by an example. In the third part SLA management is presented using COBIT (Control Objectives for Information and Related Technology). The COBIT process DS1: Define and Manage Service Levels is discussed including management guidelines. After that, advantages and disadvantages of SLA are described. Finally, SLA is recommended as a possible solution for controlling internal IT units. 1. Introduction Corporate governance is the system by which organizations are directed and controlled [ISACA- AG6]. Information technology (IT) governance is its important component. There are many definitions of IT governance. According to [COBIT3-CO, pg. 5], IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise s goals by adding value while balancing risk versus return over IT and its processes [COBIT3-CO, pg. 5]. IT governance deals with guidelines and politics, organization structures and (in)formal processes, developed and/or implemented by management, in order to guide and monitor actions of people and organization units that relate to IT, with purpose of achieving the enterprise s goals [Susnjar, pg ]. IT governance seeks for answers to the following three questions [Grembergen, pg. 40]: (1) How does top management ensure that IT unit returns business value? (2) How does top management ensure that IT unit does not abuse company s resources? (3) How does top management control IT unit?. In this paper only the third question will be addressed. SYSTEMS INTEGRATION

2 NATASA ZABKAR, VILJAN MAHNIC IT control is closely related to IT evaluation, which can be performed through IT balanced scorecard, service level agreement (SLA) or user satisfaction monitoring [Martin, pg. 625]. In this paper only SLA will be considered, as a key element in implementing IT governance [Ceulemanc]. Users criteria for evaluating IT may differ from corporate owners criteria. For example, it is in the interest of the corporate owners to secure access to corporate data. A possible security measure is periodical changing of passwords. This can be annoying for some users, so their satisfaction with the IT service level may be low. Users may employ subjective criteria for evaluation of IT. This means that one user can describe IT service as satisfactory while another can describe it as unsatisfactory, even though they have both been given the same service level. Therefore, some companies have decided to make an agreement that defines acceptable service levels. This agreement is called a service level agreement (SLA). In this paper we shall give an overview on how SLA can be used for evaluation and control of internal IT unit. 2. Service Level Agreement In [Umbaugh, pg. 125] the following definition of SLA can be found: "SLA is a formal written contract developed jointly by the provider of services and its customers which clearly defines the relationships, responsibilities, and expected performance of the organization s information systems and services for its users. According to [ISACA-AG12], SLA is defined minimum performance measures at or above which the service delivered is considered acceptable". In this paper we shall refer to the first type of SLA as external SLA, and to the second type as internal SLA. External SLA is more formal than internal SLA. The purpose of external SLA is to control an outsourced activity. Even though the outsourced activity is not performed in the company, the company s management is still responsible for the quality of the service. Therefore, service providers are often differentiated primarily through their SLAs. However, SLA proved to be beneficial for internal IT units as well, especially if credibility of IT unit is low [Umbaugh, pg. 125]. The low credibility of IT unit is often caused by lack of standards and communication between IT unit and users and by misunderstanding of data ownership concept. These problems cause users complaints that may or may not be justified. SLA enables factual assessment, instead of emotional one [Umbaugh, pg. 228]. The priority and degree of IT problems should not depend only on user judgement. For example it can often be heard that the system is too slow. For one user, slow means ten seconds, for another it is two seconds. Therefore, it should be defined what is slow. One possible solution would be: the highest acceptable response time is less than 1 second 95 percent of the time or less than 4 seconds 98 percent of the time [Martin, pg. 365]. According to [COBIT3-AG, pg. 126; Ridler, pg. 298; Umbaugh, pg ], SLA should include: (1) signature page (identification of the participants, signature block for key personnel); (2) synopsis of the services (job scheduling, access control, contingency planning, problem tracking, change management, ); (3) service measurement criteria, turnaround time, exclusions to SLA; (4) service charges; (5) change procedures; (6) penalties for non-achievement (such as free service or reduced cost); (7) levels of service: availability; 680 SYSTEMS INTEGRATION 2001

3 MANAGING SERVICE LEVEL AGREEMENT reliability; performance; capacity for growth; levels of support provided to users; continuity planning; security; minimum acceptable level of satisfactory delivered system functionality etc. We shall use SLA for Help Desk as an example, since Help Desk provides systematic means for logging and monitoring problems and requests [Ridler, pg. 296]. The example shown in Frame 1 is modified from [Umbaugh, pg. 133]. Frame 1 SLA for Help Desk IT unit provides user help desk for users who have IT problems. The working hours are Monday to Friday from 7:30 am to 4:00 pm. can be used at any time. The staff will do their best to immediately solve problems reported during working hours. If this is not possible then the problem will be given incident number and escalated accordingly. User needs to evaluate the priority of problem solving time as: (1) high (1-3 hours); (2) medium (more than 3 hours, less than 2 days) or (3) low (more than 2 days). User needs to explain his problem by stating version of the program, time and date of the incident and Print Screen (if possible). User should consider user manual before contacting Help Desk. User can trace the problem solution process through appropriate application. After the problem is solved, user is notified through and he needs to confirm that incident has been solved. There are financial penalties for users ( for initiating problems without considering user manuals first or for incorrect definition of priority) and for IT unit (for not achieving agreed service level). 3. Managing Service Level Agreement The key issues of managing SLA are [Ridley, pg. 298]: (1) problem management (monitoring, reporting, procedures for escalating and managing problems); (2) performance (service level reviews, scorecarding for less tangible aspects of satisfaction, service improvement plan, feasibility, cost/benefit analysis); (3) flexibility (changes). Problem management has the highest priority because of its influence on performance. A useful tool for SLA management is a framework for control over information technology, known as Control Objectives for Information and Related Technology (COBIT) 1. According to ISACA 1 COBIT is an open standard that provides clear policy and good practices for IT governance and can be downloaded without charge from SYSTEMS INTEGRATION

4 NATASA ZABKAR, VILJAN MAHNIC Auditing Guideline on IT Governance [ISACA-AG6], IS auditor should, in the absence of any established framework of internal control, use COBIT as a minimum basis. The COBIT process "DS1: Define and Manage Service Levels satisfies the business requirement to establish a common understanding of the level of service required and is enabled by the establishment of SLA which formalizes the performance criteria against which the quantity and quality of service will be measured [COBIT-CO, pg. 90]. This definition could be classified as internal SLA. The process DS1 is closely related to the process DS8: Assist and Advise Customers. The process DS8 controls SLA between IT function and its users as well as user satisfaction level. Assessing user satisfaction is also one of the control objectives for the process M1: Monitor the Process. In this paper we shall deal only with the process DS1. There are three phases of SLA management: SLA planning (negotiating); SLA implementing and SLA control. According to [Radcliff], many SLAs are not successful because they have been defined with the purpose of getting users off the back of IT units, instead of involving the users in the planning phase on the equal basis. SLA implementation, as any other implementation, depends on human resources, business processes and organizational structure (formal and informal). Change management plays an important role in this phase. Key players should support SLA and act accordingly. Once SLA is implemented, it needs to be maintained. SLA is a living document and should be reviewed at regular intervals. Reporting makes basis for SLA control, so it should be carefully defined. SLA manager is responsible for monitoring, reporting and problem solving. For monitoring, the following indicators can be used: key performance indicators (KPI) for monitoring performance within DS1 process and key goal indicators (KGI) for monitoring achievement of DS1 goals. These indicators have to be reported and monitored. In [COBIT3-MG, pg. 62] the following indicators are recommended for DS1: KPI: frequency of customer satisfaction surveys; time lag to resolve a service level issue; number of times that root cause analysis is completed on time etc. KGI: alignment of service levels with key business objectives; customer satisfaction with SLA; percent of IT services which meet SLA etc. Monitoring these indicators makes possible for management to control DS1 and act in such a way to achieve as high maturity level as possible. Maturity model is a method of scoring (from 0 to 5) for strategic choice and benchmark comparison [COBIT3-MG, pg. 10]. It is derived from Software Engineering Institute capability maturity model (CMM) and helps in answering the question: How far should we go, and is the cost justified by the benefit?. The highest level of maturity model for DS1 ( optimized ) is characterized by the following actions: (1) service levels are continuously reevaluated; (2) service level processes are continuously improved; (3) criteria are based on business criticality; (4) customer satisfaction levels are monitored and enforced; (5) expected service levels are monitored and enforced; (6) IT management has the necessary resources and accountability. This is the target level for management to achieve by monitoring KPIs and KGIs and taking preventive and corrective actions. 682 SYSTEMS INTEGRATION 2001

5 MANAGING SERVICE LEVEL AGREEMENT We shall use Help Desk again to demonstrate a possible design of an SLA reports. Frame 2 SLA report (example) Date: 1 st of March, 2000 Number of all problems: 5; Number of exceptions: 1; Agreed Service Level Category A-I: Number of problems: 3; Average problem resolution time: 15 min; Category A-II: Number of problems: 1; Average problem resolution time: 1 day; Exceptions Category E-I: Number of problems: 1; Average problem resolution time: 3 days. In the example, shown in Frame 2, there are the following three problem categories: category A-I: problems that were solved without escalating; category A-II: problems that were solved with escalating within agreed service level; category E-I: problems that violated agreed service level. In the example, five problems were reported and two of them escalated to incidents. Average problem resolution time for immediate solutions (3 problems) was 15 minutes. One of the incidents has been solved in 1 day, the other has not yet been solved and the user has been informed on estimated time of solution (3 days). This incident is presented in the Exception report in more detail (Frame 3). Frame 3 Exception report (example) Date: 1 st of March, 2000 Incident: 293; Category: E-I Priority: Medium (more than 3 hours, less than 2 days) Estimated problem resolution time: 3 days Description: In report Y, generated by program X, format of total figures is too small. Corrective action: Correction of program X. Person responsible: XY; Status: Working The incident number 293 has been caused by the inappropriate format of total. Since priority is medium (Figure 1: more than 3 hours, less than 2 days), estimated time (3 days) is not acceptable. Status of incident is working, which means that it is in the process of correction. IT manager should decide which corrective action to take: whether priority should be changed or program correction should be done faster. When performing root cause analysis IT manager would determine the causes for the format change and, if appropriate, determine preventive action. SYSTEMS INTEGRATION

6 NATASA ZABKAR, VILJAN MAHNIC 4. Advantages and Disadvantages The advantages and disadvantages of using SLA depend not only on general conditions but also on conditions that are specific for each company. We shall describe few of them in order to make SLA decision process easier. Major benefits of SLA are clear definitions of [Umbaugh, pg ]: (1) accountabilities and responsibilities of IT unit and its users; (2) performance standards for IT unit and (3) user requirements and expectations. SLA makes basis for objective evaluation, transparent processing and control, as well as IT unit auditing. Another advantage of SLA is controllability. It makes basis for independent evaluation and audit. Auditing SLA is important for IT governance audit [ISACA-AG6]. When reviewing Board activities, IS auditor should consider whether minutes from Board meetings and Board committee meetings include monitoring of performance against service level agreements. IS auditor should also review the information received by business process owners (such as reports on performance against agreed service levels) and assess its reliability, integrity and potential for management override. SLA makes IT audit easier. The benefits of internal SLA can be of great importance for IT units with low credibility. SLA is also a communication tool. In time, the customer perception of the delivered IT service should improve and credibility should increase. On the other hand, IT specialists understanding of what is expected of them should improve as well. SLA defines common language for problem resolution. SLA is a two-way process which formalizes relationships between IT unit and its users, making it transparent and controllable. However, there are some disadvantages of SLA. There might be companies where informal agreement can be as effective and efficient as SLA, since the informal nature of organizations can be very powerful [Earl, pg. 497]. In this type of companies, SLA would not get sufficient support from management. But, for smaller companies SLA might really not be necessary, since control is easily maintained through informal process. Another disadvantage of SLA is that it can be costly to negotiate and maintain [Umbaugh, pg. 476]. Therefore, some companies made decision to define only service level objectives (SLO) instead of SLA. Some SLA management tools (for example internet SLA tools) automatically measure performance level and produce SLA compliance reports for business and IT management, as well as reports. Even though SLA is closely related to user satisfaction, it might not indicate the level of this satisfaction. In order to improve this, user satisfaction surveys should be a complementary part of SLA reports [CIPFA, pg. 379]. Another solution would be to regularly review SLA, as part of SLA management process and adjust its measures according to users expectations. This again means additional costs, but also additional benefits. According to [Liebmann], SLA is not the appropriate solution since: users want 100% service level and they do not feel they should pay more for achieving this level; it is difficult to provide reasonable sanctions for not achieving SLA. 684 SYSTEMS INTEGRATION 2001

7 MANAGING SERVICE LEVEL AGREEMENT The author recommends usage-based chargeback and insourcing, since they make business accountable for how it consumes technology. His advice is to force changes in business executives environment instead of focusing on IT environment. One possible solution would be IT governance, which responsibilizes business community [Ceulemanc]. 5. Conclusion Successful relationship between IT department and its users is important for successful IT management and for IT governance. One possible way of managing this relationship is by using SLA, which formalizes accountability and responsibility on both sides. Even though SLA is usually used for outsourced IT activities (external SLA), it can be beneficial for internal IT activities as well (internal SLA), especially if credibility of IT unit is low. The process of SLA management links IT services and business objectives by establishing common grounds for successful relationship. The best practices for SLA management are described in COBIT, as the process DS1: Define and Manage Service Levels. If management follows COBIT- Management guidelines, then credibility of IT unit should increase as well as the actual maturity level of the process DS1. The major benefits of SLA are transparency of IT processes and management s ability to control IT unit and take appropriate actions. These benefits should result in increased user satisfaction, improved efficiency and effectiveness of IT unit and better quality of IT governance. References CEULEMANC Hendrik: COBIT Workshop, notes ( ), Slovenian Institute of Auditors, Ljubljana, Slovenia. *** CIPFA: Computer Audit Guidelines. The Chartered Institute of Public Finance and Accountancy, London, 1998 *** COBIT3-AG: Control Objectives for Information and Related Technology - Audit Guidelines. 3rd edition, Rolling Meadows, Illinois, USA, ISACF, 2000 < *** COBIT3-CO: Control Objectives for Information and Related Technology Control Objectives. 3rd edition, Rolling Meadows, Illinois, USA, ISACF, 2000 < *** COBIT3-MG: Control Objectives for Information and Related Technology Management Guidelines. 3rd edition, Rolling Meadows, Illinois, USA, ISACF, 2000 < EARL Michael J.: Information Management, The Organizational Dimenzion. Oxford University Press, USA, GREMBERGEN Wim Van: The Balanced Scorecard for IT Governance. Information Systems Control Journal, Rolling Meadows, Illinois, USA, ISACF, Volume 2, 2000, pg *** ISACA-AG6: IS Auditing Guideline for Corporate Governance of IS < Effective 1 June 1998 *** ISACA-AG12: IS Auditing Guideline for Outsourcing of IS activities to other organizations < Effective 1 September 2000 SYSTEMS INTEGRATION

8 NATASA ZABKAR, VILJAN MAHNIC LIEBMANN Lenny: Treat users as customers? Now there s a bad idea.< > MARTIN E. Wainright et alter: Managing Information Technology (What Managers Need To Know). MacMillan Publishing Company, New York, USA, RADCLIFF Deborah: Building a better service-level agreement. < > RIDLER Richard: A Practical Guide to Outsourcing IS/IT. Systems Integration 2000, 8th International Conference, Prague, Czech Republic, June , Proceedings (pg ). SUSNJAR Goran: "Revizija upravljanja informacijske tehnologije" ( Auditing IT Governance ). University of Ljubljana, School of Economics, master s thesis. Ljubljana, UMBAUGH Robert E. (editor): Handbook of IS Management. 3rd edition, Auerbach Publications, Boston, USA, SYSTEMS INTEGRATION 2001

9 MANAGING SERVICE LEVEL AGREEMENT SYSTEMS INTEGRATION

10 NATASA ZABKAR, VILJAN MAHNIC 688 SYSTEMS INTEGRATION 2001

11 MANAGING SERVICE LEVEL AGREEMENT SYSTEMS INTEGRATION