Outcome-based contracts: Be careful what you wish for
Outcome-based contracting has gained momentum in the IT services market, but Charles Weaver cautions against its use by managed service providers.
"What was once old is now new again."
That's the phrase that came to mind after recently reading an article about the growing popularity of outcome-based contracts, written by TechTarget senior feature writer John Moore. I'm not sure who coined that phrase, but it has a ring of truth to it here -- notably, that the notion of guaranteeing a contractual outcome in a managed services agreement is not a new concept.
MSPs have made much progress in the last few decades around contractual language best practices. These practices have come out of trial and error, negotiations with clients, and, in some cases, litigation. Today, we have a good picture of what a managed services agreement should contain. Should guaranteeing an outcome be included as one of those items? Let's discuss.
Outcome-based contract or SLA?
The idea of guaranteeing performance outcomes in IT services dates back many years to the emergence of the service-level agreement (SLA). SLAs became popular among hosting providers, particularly when it came to guaranteeing uptime performance of a hosted server, website and so forth.
You can see the benefit of having such a metric: The customer can accurately gauge providers' effectiveness based on whether they hit the metric. If the provider fails to achieve the outcome, a penalty typically kicks in, frequently in the form of service credits or financial refunds.
During the mid-1990s and early 2000s, SLAs inched their way into the managed services profession, often for no other reason than many MSPs borrowed service contracts from hosting providers. However, MSPs that did not offer hosting services found it challenging to guarantee specific outcomes, especially when the outcomes were tied to a financial penalty.
SLAs in managed services and SaaS environments
SLAs in the modern MSP marketplace are actually uncommon. Service guarantees persist in the hosting verticals and among software as a service (SaaS) providers. Still, these are the only places within the IT services family to maintain a service contract containing an SLA metric.
These business models do well with SLAs, chiefly because they can track their services accurately. You wouldn't go to a SaaS provider and expect the product to constantly go offline. Hence, the SLA metric holds the SaaS company accountable and gives reasonable assurance to the customer.
Generally speaking, I am not opposed to SLAs, provided they are accurately tracked and reasonable. The hosting and SaaS provider business models provide examples of SLAs that can serve a legitimate and vital function.
For MSPs, however, it may not be that simple.
An MSP is not a hosting provider or SaaS provider (in most cases). Remote management of a client's IT assets involves deep trust, competency from the MSP and active participation from the client. If any of these elements are absent in a managed services relationship, expect poor outcomes.
When an MSP delivers its services, they are not metered in the same fashion as a hosting or SaaS provider. The uptime of an IT asset under an MSP's management may represent only a fraction of the managed services the client consumes.
For example, what would be the outcome metric for an MSP working alongside internal IT departments? How would such a contract be written when the MSP is not solely responsible for administrator rights, third-party access and other factors that would directly affect the system's integrity or network?
Outcome-based contracts in cybersecurity
MSPs often must strike a delicate balance between doing what is right and what the customer wants -- which is not always the same thing. There are many examples of MSPs that advocate for a course of action, only to be told "no" by the client.
In the era of cybersecurity, clients may not want to sign outcome-based agreements. Seeing that MSPs must operate within the confines of a client's wishes, if the client says they don't want to pay for backup as a service, then the MSP won't perform daily backups. And yet, what happens if the client is hit by ransomware and demands the MSP "reset" the organization back to normal? What if the client asks to have such an "indemnification" placed within the service agreement?
If an MSP wants to include outcome-based requirements in a contract, both the MSP and client should proceed cautiously. An MSP may consider agreeing to outcome-based clauses in exchange for the client agreeing to take specific IT steps. For example, if the client doesn't want downtime due to ransomware attacks, the MSP could mandate the client turn on multifactor authentication and maintain regular backups.
As you hopefully can see, the issues involved are complicated and not easily resolved with simple outcome-based contracts. As our world steadily gets even more complex, codifying the complexities into an agreement creates a challenge. Simplicity should be the order of the day. Simplicity and reasonableness ought to prevail and inform every MSP service contract.
About the Author
Charles Weaver is the CEO and co-founder of the International Association of Managed Service Providers (MSPAlliance). Since its inception in 2000, the organization has grown to more than 30,000 members worldwide. Under Weaver's management, MSPAlliance has expanded its reach and influence to include education, standards of conduct and certifications for managed services professionals and companies. Author of the book The Art of Managed Services, Weaver writes and speaks extensively about the managed services industry.