Why Most SLA Penalties Fail
An IT outsourcing SLA framework only works if breaching it costs the provider more than meeting it. In practice, most do not. Penalty clauses frequently go uninvoked because thresholds are set so high that the provider never technically triggers them, or because the process for claiming a credit is so cumbersome it is never worth the effort. The result is a service-level regime that reads impressively and changes nothing. Designing penalties that bite is the single highest-leverage piece of any IT outsourcing contract negotiation, and it starts with rejecting the provider's standard template — which, like the broader managed services clauses, is drafted to favour the supplier.
Sizing Service Credits and the At-Risk Pool
Size is the first lever. A service credit of 1–2% of monthly fees is absorbed as a cost of doing business and creates no incentive to improve. Credits of 5–15% of monthly fees for sustained underperformance are the band that gets a provider's attention and drives behaviour change. The credits are drawn from an at-risk pool — a defined percentage of monthly fees, often set close to the provider's profit margin and commonly 10–15% across the full SLA suite — so that consistent failure genuinely erodes the provider's economics rather than denting them.
The at-risk pool should be large enough that meeting the SLA is cheaper for the provider than breaching it. If the maximum credit you can ever claim is smaller than the provider's margin on the deal, the penalty is decorative.
The second lever is ease of claim. Credits should apply automatically on a missed metric, calculated from the provider's own SLA reporting, rather than requiring the buyer to raise, evidence, and chase each claim. A credit you have to fight for is a credit the provider keeps.
Targets: Uptime and Priority Tiers
Targets must reflect business impact, not a generic template. Standard business services target 99.9% uptime — about 8.76 hours of downtime a year — while premium or revenue-critical systems target 99.99%, roughly 52.6 minutes a year. Response and resolution should be tiered by priority, and critical-priority compliance should be contractually required at 99.5% or higher.
| Priority | Definition | Response target | Resolution target |
|---|---|---|---|
| P1 — Critical | Complete outage / business stopped | 15–30 minutes | ~4 hours |
| P2 — High | Major impact, multiple users | 1–2 hours | Same business day |
| P3 — Medium | Limited impact, workaround exists | 4–8 hours | 2–3 business days |
| P4 — Low | Minor / service request | 1 business day | As scheduled |
Critically, measure outcomes the business actually feels rather than metrics the provider can game. "Tickets closed" rewards volume, not resolution; tie credits instead to end-to-end resolution time, availability of revenue-carrying systems, and first-time-fix rates. Apply rigorous, bespoke SLAs to high-impact services and light templated terms to commodity towers — not the same standard to everything. For cloud-delivered services, the availability and egress mechanics differ enough to warrant separate treatment, covered in cloud managed services contracts.
Earn-Back and the Traps to Avoid
Earn-back lets a provider recover credits after a sustained period of meeting or beating target. It can be reasonable — but only if the qualifying period is long enough to prove genuine improvement rather than a single lucky month, and only if it never applies to the most critical metrics. Resist earn-back on data, security, and availability SLAs, where one good month does not undo the damage of a breach or a major outage. The other common trap is the exclusions list: providers pad it with carve-outs (planned maintenance, force majeure, "customer-caused" delays) until almost any failure becomes excusable. Negotiate the exclusions as hard as the targets.
Measuring and Enforcing the SLA
An SLA is only as good as the governance that runs it. Define the reporting cadence, the independent right to verify the provider's SLA data, and the service-review forums where misses are addressed — buyers who meet their providers frequently to review and renegotiate service levels report markedly higher outsourcing success. This connects directly to the governance framework, to benchmarking the service levels themselves in "are you overpaying", and to the escalation paths in dispute resolution mechanisms.
Designed well, the SLA stops being a document the provider files and becomes the instrument that keeps performance honest across the term.