What is an SLA?
A service level agreement (SLA) is a specific type of contract between a vendor and a business. It defines the measurable performance standards the vendor commits to and the compensation you receive when the vendor can't hold up their end of the bargain. Let's dive into some specifics about what this looks like and what you (as a vendor manager who cares about information security) need to do about it.
Why is an SLA important?
An SLA is a legally binding document. For vendor managers, its primary benefits are security, resilience, and accountability: you can't hold a vendor responsible for standards that were never written down. The SLA turns expectations into enforceable obligations.
What does regulatory guidance say about SLAs?
Definition
If you are looking for the full definition of an SLA, the FFIEC Glossary defines it as:
"A formal agreement between two parties that records a common understanding about products or services to be delivered, priorities, responsibilities, guarantees, and warranties between the parties. In addition, the agreement describes the nature, quality, security, availability, scope, and timeliness of delivery and response of the parties, the point(s) of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved, and may include other measurable objectives. The agreement should cover not only expected day-to-day situations, but also unexpected or adverse events, as the need for the service may vary."
Additional Resources
If you'd like to learn more about what the agencies want to see from your vendor SLAs, search for "service level agreement" in these documents.
- FFIEC Outsourcing Technology Services Booklet: Service Level Agreements (SLAs)
- FDIC, FRB, & OCC Third-Party Risk Management: A Guide for Community Banks
- FDIC Information Technology Risk Examination (InTREx) Program
- NCUA SL 07-01 Evaluating Third Party Relationships
- NCUA Information Security Examination (ISE)
(TL;DR: the agencies primarily want to know that you're aware of what an SLA is and that you're negotiating good ones, which is what the rest of this blog covers.)
When do I need an SLA?
While it's always a good idea to get an SLA from your vendors, if your business cannot perform certain functions without the vendor's service, that's your first sign you need (like, really need) one.
Here are the two big categories to look at:
- Start with your technology service providers (think: managed service providers (MSPs), cloud service providers (CSPs), Software-as-a-Service (SaaS) providers, etc.).
- Then, get SLAs from any other vendors whose services support critical business functions (think: vendors who directly communicate with your customers/members, etc.).
What should an SLA include?
At the very minimum, an SLA should include four things:
- Covered Services
- Performance Metrics
- Compensation Arrangements
- Points of Contact
Covered Services
Not all SLAs are equal. If a vendor provides multiple types of services, make sure the SLA explicitly states that it applies to the services being provided to you. In other words, if you think you're getting an SLA for your software, make sure it talks about your software and not about something unrelated, like board games or t-shirts.
Performance Metrics
An SLA should specify measurable performance metrics. For technology service providers, here are some common types of performance metrics defined in SLAs.
| Metric | Description |
|---|---|
| Recovery Time Objective (RTO) | An RTO defines the maximum time the vendor commits to take to restore service after a business disruption. For example, if a vendor agrees to a 24-hour RTO, the service should be available (possibly at reduced capacity) within 24 hours of the disruption. Check when the clock starts (at the outage, or when the vendor declares a disaster); the difference can be hours. |
| Recovery Point Objective (RPO) | An RPO defines the maximum amount of data, measured in time, that could be lost in a business disruption. For example, if the vendor agrees to a 24-hour RPO, the vendor commits to restoring your data from a backup no more than 24 hours old, so you could lose up to 24 hours of transactions. |
| Uptime | Uptime defines the percentage of time the service will be available, usually excluding scheduled maintenance windows. For example, 99.9% uptime still allows roughly 43 minutes of unplanned downtime per month (about 8.8 hours per year) without breaching the SLA, and scheduled maintenance comes on top of that. Check how the vendor measures it (per month or per year, and what counts as "down"). |
| Continuous Availability | Similar to uptime, continuous availability defines the time the service will be operational and accessible, with no exclusion for scheduled maintenance windows. For example, if a vendor agrees to 24/7/365 availability, the service is expected to be available at all times, maintenance included. |
| Response Time | Response time defines the maximum time the vendor will take to respond to you. For example, a 24-hour response time means that if you contact the vendor, the vendor will acknowledge your request within 24 hours. A response is not a resolution; if you need problems fixed within a set time, the SLA needs a separate resolution-time metric. |
| Satisfaction Score | A satisfaction score defines the level of customer satisfaction the vendor must maintain under an agreed report-card system (e.g., net promoter score (NPS), customer satisfaction (CSAT) score, five-star rating system, etc.). For example, if a vendor agrees to maintain a 4-star average, dropping below 4 stars is a breach of the SLA. |
For more information check out this blog on The Difference Between RPO, RTO, and MTD.
Compensation Arrangements
An SLA should define penalties or remedies for the vendor's failure to meet the service levels expressed in their performance metrics. Compensation often comes in the form of financial reimbursement or service credits.
For example, think about the last time your home internet went out. If it was out for an extended period of time, your internet service provider may have provided you with a "credit" towards your next bill to compensate for the downtime.
Points of Contact
An SLA should include the contact information for a person or group of people that you can contact if you have questions or wish to seek compensation.
How can I know if the SLA is adequate?
There is no objective standard for "adequacy." The best way to know if an SLA is truly adequate is to take the metrics and compare them with your own.
For example, imagine you have a critical business process with a 12-hour maximum tolerable downtime (MTD). If this process is supported by a vendor, the vendor's RTO must be 12 hours or less, and ideally well under 12 hours, because your own recovery steps after the vendor restores service also eat into the MTD. If the SLA says the vendor's RTO is more than 12 hours, you've got a gap.
Would your operations be able to continue with that gap?
- If so, your MTD may not be 12 hours and you can adjust your own recovery expectations.
- If not, you will need to consider your options.
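To make that comparison concrete, here is an added Python example (not from the original post) that turns a vendor's RTO, RPO, and uptime commitments into a list of gaps against your own MTD, tolerable data loss, and monthly downtime budget. The vendor figures and business requirements below are constructed for illustration, and the optional `internal_recovery_hours` parameter (time your own team needs after the vendor restores service) is an assumption added here, not something the post defines.

```python
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_MONTH = 730.0   # average month: 8760 h / 12
HOURS_PER_YEAR = 8760.0


def allowed_downtime_hours(uptime_pct: float, period_hours: float = HOURS_PER_MONTH) -> float:
    """Convert an uptime percentage into the downtime that percentage still permits.

    99.9% over an average month is 0.73 h (about 43.8 minutes); scheduled
    maintenance is usually excluded from the measurement and comes on top.
    """
    if not 0.0 <= uptime_pct <= 100.0:
        raise ValueError("uptime must be a percentage between 0 and 100")
    return period_hours * (100.0 - uptime_pct) / 100.0


@dataclass
class VendorSla:
    """Commitments taken from the vendor's SLA (constructed sample values)."""
    name: str
    rto_hours: float
    rpo_hours: float
    uptime_pct: float


@dataclass
class BusinessRequirement:
    """Your own recovery expectations for the process the vendor supports."""
    process: str
    mtd_hours: float                  # maximum tolerable downtime
    max_data_loss_hours: float        # how much data (in time) you can afford to lose
    max_monthly_downtime_hours: float # downtime budget you can absorb per month


def sla_gaps(sla: VendorSla, req: BusinessRequirement,
             internal_recovery_hours: float = 0.0) -> list[tuple[str, float, float]]:
    """Return (metric, vendor_value, required_value) for every metric that falls short.

    internal_recovery_hours is an assumption added here: the time your team needs
    after the vendor restores service (re-syncing, validation, re-enabling access).
    The vendor's RTO plus that time has to fit inside your MTD.
    """
    gaps: list[tuple[str, float, float]] = []

    total_recovery = sla.rto_hours + internal_recovery_hours
    if total_recovery > req.mtd_hours:
        gaps.append(("RTO", total_recovery, req.mtd_hours))

    if sla.rpo_hours > req.max_data_loss_hours:
        gaps.append(("RPO", sla.rpo_hours, req.max_data_loss_hours))

    # Uptime caps cumulative downtime per period; the RTO separately caps the
    # length of a single outage, so both checks are needed.
    downtime = allowed_downtime_hours(sla.uptime_pct)
    if downtime > req.max_monthly_downtime_hours:
        gaps.append(("uptime", downtime, req.max_monthly_downtime_hours))

    return gaps


# Constructed sample data: a core processing vendor with a 24-hour RTO/RPO,
# supporting a process with a 12-hour MTD.
SAMPLE_SLA = VendorSla(name="Example Core Processor", rto_hours=24, rpo_hours=24, uptime_pct=99.9)
SAMPLE_REQ = BusinessRequirement(process="Online banking", mtd_hours=12,
                                 max_data_loss_hours=4, max_monthly_downtime_hours=1.0)


def report(sla: VendorSla, req: BusinessRequirement, internal_recovery_hours: float = 0.0) -> str:
    """Human-readable gap report for the vendor file."""
    gaps = sla_gaps(sla, req, internal_recovery_hours)
    if not gaps:
        return f"{sla.name} meets all recovery requirements for '{req.process}'."
    lines = [f"{sla.name} has {len(gaps)} gap(s) for '{req.process}':"]
    for metric, vendor_value, required in gaps:
        lines.append(f"  {metric}: vendor {vendor_value:.2f} h vs required {required:.2f} h")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SLA, SAMPLE_REQ))
```

With the sample values the RTO (24 h against a 12 h MTD) and RPO (24 h against 4 h of tolerable loss) both show as gaps, while 99.9% uptime (0.73 h per month) fits inside the 1-hour monthly budget. Document each reported gap together with the decision you make about it (negotiate, compensate, or accept), which is the "show your work" evidence examiners look for.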
What are my options if the SLA is inadequate?
If the SLA is inadequate, you have three options.
- Negotiate. You have the right and the responsibility to ask the vendor for changes. Of course, the vendor has the right to say "no," but if you don't ask, the answer is always no.
- Compensate. If you can't come to an agreement, determine if there's another way to mitigate the risk, for example a manual fallback process, a secondary vendor, or keeping your own copy of critical data. These are often called "compensating controls."
- Evaluate. Sometimes, when you've done everything you can do, you're stuck. When this happens, you have to make some tough decisions. If you can live with things as they are, you can accept the risk. If you can't, it is time to consider other options (like other vendors).
If your vendor's SLA does not align with your business needs, not doing anything is not an option. Be sure to document any emails, conversations, or decisions about how you plan to manage this risk, so you can show your work, if need be.
How often should I review the SLA?
If the SLA is part of the primary vendor contract, review it whenever you reassess the contract (e.g., when you have business changes, when the vendor has changes, before renewal dates, because the contract has a long duration, etc.).
If the SLA is a standalone document, we recommend reviewing it on a regular basis, like every year or two based on things like the vendor's risk or the criticality of the services the SLA supports.
What else do I need to know?
SLAs are one part of a much bigger picture in the third-party risk management lifecycle. For more information about what it takes to manage a vendor relationship effectively, download our free Vendor Management Workbook. This workbook introduces the fundamentals of third-party risk management and teaches you the things you need to know about SLAs and beyond.
Ready to take your SLA game to the next level? Check out Tandem Vendor Management. Use Tandem to help you review your contracts and agreements, track relevant SLA details, and get notified when it's time to check for an SLA update. Learn more about how Tandem can help you at Tandem.App/Vendor-Management-Software.