IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Service Level Agreements - increasingly important
Wed, 1st Jun 2011

No one will forget the system failure in 2009 that left thousands of Air New Zealand customers stranded and unable to fly.

"In my 30-year working career, I am struggling to recall a time where I have seen a supplier so slow to react to a catastrophic system failure such as this, and so unwilling to accept responsibility and apologise to its client and its client's customers," Air NZ CEO Rob Fyfe told IBM in an email after the mainframe supplier failed to react quickly to the outage.

More recently, of course, the Christchurch earthquakes have inevitably left executives and CIOs wary and ready to point the finger if mission critical aspects of their Service Level Agreements (SLAs) are not met by their suppliers. Service providers are feeling the pressure, as tolerance for downtime or inaccessible data wanes.

The changing face of the SLA

"SLAs should be written and contracted to achieve evolving business outcomes. As the business changes, the SLA should have the flexibility to align with the changing business environment," explains Ron Murray, Head of Outsourcing Integrated Solutions for Gen-i.

SLAs must be measurable, but today many CIOs also expect them to identify areas in need of improvement.
Graham Barker, Service Manager for Fusion5, has seen growing instances of service providers and business clients working closely together, using SLAs to drive service improvement, for example.

"With more effective support tools available, such as IT service management tools, designed around service delivery and management, accurate measurement of SLAs is made easier," he explains.

"Emerging in New Zealand is a trend toward a more balanced and realistic approach toward who is best placed to manage risk – the vendor or the client," says barrister and solicitor Genevieve Gill, head of Genlaw, an Auckland-based IT specialist law firm.

"There must be an acknowledgement," she says, "that there are frequently multiple suppliers involved in the provision of a single point solution, and that these supplier relationships may be 'owned' by different stakeholders."

Visibility is, therefore, key. Often the people affected by an SLA are unaware of its contents or, in the extreme, unaware it exists at all.

"The customer must know what to expect from their service provider," says Fusion5’s Barker, "while those providing the service – front line, supporting staff and service provider – need to fully understand the level of service the end user expects."

SLAs and the Cloud

As the attractiveness (primarily cost and flexibility related) of cloud computing solutions grows in New Zealand, CIOs are looking carefully at how traditional SLAs may or may not apply to cloud-based solutions.

"It is important to differentiate between custom developed and standardised (i.e. SaaS) solutions," says Genlaw’s Gill. "Custom developed solutions continue to have quite tailored SLAs against a range of KPIs, and tend to be heavily negotiated contracts. SLAs around SaaS, cloud computing and other standardised solutions, however, tend to be fixed, with little or no scope for negotiation."

Much of the discussion around cloud computing continues to centre around security and business risk.
There is not yet a fully mature model to follow when it comes to SLAs. Cloud solutions typically operate on a standard SLA, as every client is serviced in the same way, effectively eliminating the need for individually tailored SLAs, unless a client has the need for a private cloud solution tailored to their specific business requirements.

"SLAs in their pure sense are service oriented, not technology oriented; however, movement to the cloud has prompted more attention to the SLA as the primary tool for accountability, data security and disaster recovery," says Fusion5’s Barker.

"These concerns also affect delivery of on-premise services and applications, though, quite often, less rigorous internal SLAs are in place, if any, due to the more direct control the organisation assumes it has over its IT systems."

While there has been some avoidance of cloud adoption in New Zealand, acceptance is growing steadily. As it eliminates significant cost associated with hardware, networking, real estate, etc., it is likely to continue to gain a foothold in New Zealand business as a genuine IT solution option.

Gartner recommends nine areas of focus for cloud-based solution SLAs to mitigate excessive risk:

  1. Uptime guarantees: Business critical applications must require uptime or performance-service-level guarantees. "Cloud contract negotiators must be aware of the performance service levels required and ensure that they are documented contractually, ideally with penalties, if the performance standards are not achieved."
  2. Penalties: Negotiate penalties and escalation clauses if agreements are not met. Money-back penalties are best, says Gartner.
  3. Be wary of penalty exclusions: In particular, ensure that any downtime calculation begins exactly at the time the downtime commences.
  4. Security: Negotiate SLAs for security and security breaches, says Gartner, and ask for immediate notification of any privacy or security breach.
  5. Business continuity/Disaster recovery: Ensure the SLA contains provisions for DR and/or provides financially backed recovery time objectives.
  6. Data privacy conditions: Contracts should unequivocally state that the cloud provider will not share personal data with anybody else. In many instances, this is complicated by the provider’s need to share data with a third party, such as a cloud infrastructure provider.
  7. Suspension of service: Negotiate an agreement that payments in any current legitimate dispute should not lead to a suspension of service.
  8. Termination: Negotiate for a minimum of six months' required notice should the provider wish to terminate (30 days is quite standard at this point), unless you, the customer, have materially breached the contract.
  9. Liability: Negotiate for higher liability protections. "Leverage the fact that these providers would have liability insurance to achieve higher caps, and be prepared to walk away if this issue is not resolved," says Gartner.

Outcomes-based

"SLAs are changing to focus on business outcomes and measures, versus technology availability measures. The end-user experience and application performance are the key measures, not the individual technology requirements," states Gen-i’s Murray.

Last year Intellect, a UK technology industry trade association, released a report on the rise in outcomes-based SLA contracts. Outcomes-based agreements (OBAs) require the service provider to be directly responsible for certain specified business outcomes, rather than only the delivery of service, inputs or outputs.

While this can be a scary proposition for the supplier, "the big idea is that there will be a more successful contractual relationship when there is a shared commitment to achieving agreed outcomes", says a review of the report released by Wigley & Company Barristers and Solicitors. Rather than commit to improving shareholder value, the law firm recommends a focus on "intermediate outcomes, such as process performance, unit sales or other KPIs".

"The SLA needs to drive the right behaviours and, most importantly, drive the right business outcomes," agrees Gen-i’s Murray.

As responsibility becomes more of an equal partnership, the customer must take responsibility for ensuring that the SLA sets realistic expectations of service delivery, while the supplier must take responsibility for providing services and support that benefit strategy, continuity and growth.

At the end of the day, "IT strategies need to drive service improvement to the business, rather than merely providing a technology, infrastructure or applications. They, therefore, need to be aligned with the overall business strategy and constantly reviewed to make sure expectations are being met", recommends Fusion5’s Barker.