Service Level Agreements (SLAs)
Service level agreements are formal documents that outline the institution's pre-determined requirements for the service and establish incentives to meet, or penalties for failure to meet, the requirements. Financial institutions should link SLAs to provisions in the contract regarding incentives, penalties, and contract cancellation in order to protect themselves against service provider performance failures.
Management should develop SLAs by first identifying the significant elements of the service. The elements can be related to tasks (e.g., processing error rates, system up-time) or they can be organizational (e.g., employee turnover). Once it has identified the elements, management should devise ways to measure the performance of those elements objectively. Finally, institutions should determine the frequency of the measurements and an acceptable range of results to determine when a service provider violates the SLA benchmarks.
Although the specific performance standards may vary with the nature of the service delivered, management should consider SLAs to address the following issues:
- Availability and timeliness of services;
- Confidentiality and integrity of data;
- Change control;
- Security standards compliance, including vulnerability and penetration management;
- Business continuity compliance; and
- Help desk support.
SLAs addressing business continuity should measure the service provider's or vendor's contractual responsibility for backup, record retention, data protection, and the maintenance of disaster recovery and contingency plans. The SLAs can also test the contingency plan's provisions for business recovery timeframes or for conducting periodic tests of the plan. Neither contracts nor SLAs should contain any extraordinary provisions that would excuse the vendor or service provider from implementing its contingency plans (outsourcing contracts should include clauses that discuss unforeseen events for which the institution would not be able to adequately prepare).