Key factors to consider when procuring a managed IT service

Alex Massie is a program director with Seven Consulting in Melbourne and has over 35 years experience in the IT industry.

Managed IT services have been around for a long time. In recent times, we have seen the introduction of a range of “technology-as-a-service” offerings such as SaaS (Software as a Service) and PaaS (Platform as a Service).

These “as a service” offerings resonate with business executives who are looking to buy an industry leading, scaleable solution to support their business. Managed IT services are becoming more widely accepted for common services that are not the company’s key differentiator. For example, managed IT services are available for common services such as CRM (customer relationship management), HR (human resources), email management (eg. O365), unified communications (e.g. MS Teams, Zoom), network management and help desk management.

A comparison of inhouse vs outsourced IT services is provided in the diagram below:

Source: ionos.com

Some organisations have the technical skills and experience to integrate their environments with the major cloud providers such as AWS, Microsoft and Google. However, a number of other organisations are working with partners/system integrators who can provide an industry leading, scaleable solution and who also manage the cloud components of the solution.

Based on our experience, the most important factors to consider when procuring a managed IT service include:

1. Define the requirements of the managed IT service from the customer/organisation’s perspective
2. Define key selection criteria for the new managed IT service
3. Identify any gaps in the managed IT service offering versus what is already in place today
4. Plan for transition to the new managed IT service
5. Design the integration between the managed IT solution and the organisations systems
6. Design the end to end (e2e) security architecture
7. Ensure that the managed IT service will be highly available, resilient and able to recover quickly
8. Define the KPIs (Key Performance Indicators)/Service Levels upon which the managed IT service will be measured and reported
9. Ensure that the technical solution and commercial arrangements can scale (up or down) depending upon business demand

We will now discuss each of the above points in a bit more detail.

1. Define the requirements of the managed IT service from the customer/organisation’s perspective

It is critical to define what the customer wants to buy, rather than what the seller wants to sell. The managed IT service needs to make sense in terms of the organisation’s business, its structure and the ecosystem in which it operates. Undertake stakeholder analysis to ensure all customers of the new service are engaged in the process, understand why they are being engaged and the importance of their views.

2. Define key selection criteria for the new managed IT service

Define the criteria which will be used to evaluate and select the new provider of managed IT services. The criteria should include functional requirements, technical requirements, NFRs (non-functional requirements such as availability, response times, recovery times, number of concurrent users), financial stability, 24/7 support, onshore presence, service level reporting and service credits. Review and signoff the selection criteria with identified key stakeholders.

3. Identify any gaps in the managed IT service offering versus what is already in place today

Managed IT services are based on the aggregation of volume to provide a lower cost to serve, which is then passed on to the customer. Managed IT services also save money by leveraging software, infrastructure and people across multiple customers. The scope of some managed IT services will require infrequent, adhoc, customer specific processes which are likely to be less cost effective than the high volume processes but are still part of the scope. For each gap which is identified, determine how the gap can be filled, by who and at what cost and ensure your plan addresses.

4. Plan for transition to the new managed IT service

Plan the key activities required in terms of the migration of processes, people and technology (systems and data). Potential people impacts could include redeployments, transfers or redundancies. Some infrastructure assets may no longer be required and will need to be decommissioned/written-off/disposed. New roles may be required to manage the service delivery of the IT services by the new provider. Prepare a detailed plan of the transition of processes, people and technology across multiple sites.

5. Design the integration between the managed IT solution and the organisations systems

The software solutions being offered as a managed IT service are increasingly part of an ecosystem of software providers (e.g. Salesforce partner community) where integration between the vendor solutions is available out of the box. The complexity in the integration will be between the managed service provider systems and the customer’s systems. The more customised and older the customer systems, the more difficult they will be to integrate. The new solution based on the managed IT service needs to integrate tightly into the organisations own systems and interfaces. Extensive testing will be required to ensure all the required data flows between the various systems and that the organisation has not lost visibility to any its data. Ensure that joint detailed reviews of the interface specifications are completed and that integration testing starts as early as possible.

6. Design the e2e security architecture

The cloud environments upon which many of the managed IT services are built, have high levels of user, data and physical security. The complexity is introduced to ensure security across the end-to-end architecture including inhouse and external components. Factors to consider in the e2e security architecture include identity/access management, single sign-on, data security/sovereignty, perimeter security and protection from denial of service attacks. Arrange for a security specialist to review your e2e security architecture and a penetration testing specialist to conduct penetration testing of the final solution. Ensure these activities and external costs are included in your plan.

7. Ensure that the managed IT service will be highly available, resilient and able to recover quickly

As the managed IT service may not be hosted in your data centre, you need to ensure that the solution has a high availability architecture. You need to read the fine print to make sure that the time to recover from an outage is measured in minutes and not days.  Business Continuity Plans and Disaster Recovery Plans will need to be updated to reflect the role and recovery timeframes for the new managed IT services. Conduct as minimum disaster recovery testing to test the failover and resiliency of the e2e solution prior to ‘go live’.  Undertake BCP of new service as soon as practically possible after ‘go live’

8. Define the KPIs (Key Performance Indicators)/Service Levels upon which the managed IT service will be measured and reported

Once you have defined the scope of the IT services to be managed, you need to negotiate service levels upon which the contract will be measured. For example, availability could be a KPI and the service level could be 99.99% availability. There may be incentives for the service provider to exceed the service levels and/or service credits if the service levels are not met. Other service levels could be set for number of outages per month by severity, resolution time to fix outages, number of transactions processed, number of errors etc. Some form of online portal dashboard should be available for the customer to review service levels at any time during the month, rather than just a monthly report. Review the KPIs with key stakeholders and test the service level reports during User Acceptance and/or Operational Acceptance testing phases.

9. Ensure that the technical solution and commercial arrangements can scale (up or down) depending upon business demand

We live in a fast moving, ever changing world. It is hard to predict business volumes, global pandemics and follow on impacts on various businesses. Therefore, it is important that your technical solution can scale up and scale down based on the number of users and transactions. Conduct performance testing of the technical solution. In addition to technical scaleability, it is also important that your commercial arrangements can scale up and down. You only want to pay for what you use. You don’t want to have to pay fixed costs if the business volumes have dropped significantly due to COVID restrictions or travel restrictions.  Ensure engagement of commercial specialists throughout the lifetime of the program to ensure fit for purpose 3^rd party contracting.

In conclusion, the number of managed IT services will continue to grow within the business environment. It is important that we design the managed IT service solutions to be well integrated, secure and scaleable. The commercial arrangements of the managed IT services also need to be flexible to cater for significant variations in business volumes.  Seven Consulting is working with a number of our clients to implement managed IT services from new providers and migrate systems and workloads to cloud-based platforms. If you would like to discuss our experience of implementing managed IT services, please click on the button below: