DRAWING 01 · HERO
FIG. 01 · HERO
CASE NO.
04 / 05
BASED
DEN · REMOTE
ROLE
CX & EX TRANSFORMATION
REV.
v2026.04

01 · BRIEF · CASE 04 OF 05

Lockouts: From 27 Hour MTTR to 22 minutes

Estée Lauder's desk was taking 3,515 password-reset tickets a month, escalating 42.6%. I unified six ITIL towers into one operating model.

WINDOW
~6 weeks 90-day SPLUNK analysis
CLIENT
Wipro Digital Estée Lauder Companies (ELC)
SCOPE
6 ITIL towers · 3 unified tiers~40K employees
INTAKE
3,515 password-reset INCs/mo42.6% escalating

↓ delta · MTTR reduction for lockouts

DRAWING 01 · DELTAFIG. 01 · MTTR REDUCTION FOR LOCKOUTS
DRAWING NO.
01 / 05
CLAIM
98.64% MTTR REDUCTION
BASELINE
27H → 22 MIN LOCKOUTS
LAST REV.
04/26

01 · DELTA

MTTR Reduction for Lockouts

SOURCE · SERVICENOW + SPLUNK90-DAY ANALYSIS
13KAnnual lockouts eliminated
+13%NPS over goal · post-redesign
30+Operational outcomes shipped

↓ diagnosis · where lockouts actually came from

DRAWING 02 · DIAGNOSISFIG. 02 · LOCKOUT ECONOMICS
DRAWING NO.
02 / 05
CLAIM
43% · BROWSER-CACHE ORIGIN
BASELINE
3,515 INC/MO · 42.6% ESC.
LAST REV.
04/26

02 · DIAGNOSIS · WHERE LOCKOUTS ACTUALLY CAME FROM

LOCKOUT.ECONOMICSPassword reset & lockout INCs · 90-day SPLUNK analysis · ELC Service Desk
SOURCE · SPLUNK + ServiceNow
FIG. 02-AIntake
3,515
Password reset & lockout INCs
per month · Service Desk intake
100% incoming
FIG. 02-BEscalation
42.6%
Escalated beyond Service Desk
~1,498 INCs leaking to higher tiers
— SD agents could not localize complex lockouts— No cross-tool telemetry · AD, Cisco ISE, endpoint all separate— Inaccurate routing · repeated customer restarts
FIG. 02-CLatency
Time-to-resolve when escalated
vs. cases closed at the Service Desk
ROOT CAUSE · 43% of lockouts traced to browser-cached passwords, not AD policy and not user error in the usual sense. Invisible to legacy routing.
FIG. 02-DTarget
10%
Reduction target
Redesign + SPLUNK-driven routing
$62KSD cost / yr saved2,283 hEmployee time / yr15K+ hResolver-group time
The query that made lockouts legibleFIG. 02-E · Diagnostic

A single SPLUNK query — written by Wipro's CAS team, surfaced to 10 of 80+ SD agents — correlated AD lockout events (EventCode 4740) with source host, caller, and signature. Before: lockouts were anonymous. After: every lockout had a traceable origin — device, browser, session, repeat-offender pattern.

source=WinEventLog:Security EventCode=4740 | dedup _time user EventCode | eval host=coalesce(Caller_Computer_Name, host) | eval signature=COALESCE(signature, failure_reason)

You can't redesign what you can't see.

35% · by phoneLockouts handled · pre-redesign
50+ · 200+Repeat users · INCs · reviewed via SPLUNK
10 / 80+Agents with SPLUNK access · day-one gap

↓ flow · one ticket, two models

DRAWING 03 · FLOWFIG. 03 · SERVICE RECORD
DRAWING NO.
03 / 05
CLAIM
27H → 22MIN · SAME TICKET
BASELINE
4 HANDOFFS · 3 RESTARTS
LAST REV.
04/26

04 · FLOW · ONE TICKET, TWO MODELS

One ticket. Two models. Same Monday morning.

Same employee, same problem, same Monday morning. Before: they restart the story at every handoff. After: the context travels with the case and the Service Desk closes it before coffee gets cold.

BEFORE · LegacyFIG. 03-A · Service record

Context lost at every handoff · 6 towers · manual routing · customer restarts

09:12Claudia Can't sign in. Calls Service Desk.
09:18SD Agent · T1AD lockout assumed. Resets password. Hangs up.
10:47ClaudiaLocked out again. Different agent.Restarts the story.
11:02SD Agent · T1Routes to AD Engineering — suspected policy issue.
Hour 8AD Tower · T2No AD issue. Bounces to Endpoint.No context payload.
Hour 19Endpoint TowerRequests Claudia's asset ID.Third restart.
Hour 25Network TowerRouted again. Cisco ISE logs requested.
Hour 27ResolvedRoot cause: browser-cached password.Nobody writes that down.
27 hoursMTTR
4Tower handoffs
3Customer restarts
AFTER · RedesignedFIG. 03-B · Service record

Context travels with the case · 3 tiers · SPLUNK-aware routing · structured intake

09:12ClaudiaCan't sign in. Opens intake via self-service.
09:12Intake · SPLUNKCorrelates AD event 4740 + source host + signature.Flags browser-cache pattern.
09:17SD Agent · T1Ticket opens with full payload: user, host, signature, 2 prior lockouts. Agent runs the browser-cache playbook.
09:34Resolved · T1Cleared Chrome credential cache. Guided re-auth. Closed at Service Desk.
09:34Feedback loopResolution pattern logged. If the same signature fires 3× for a user, it routes direct-to-playbook next time.
22 minMTTR
0Tower handoffs
0Customer restarts

↓ design · six towers, three tiers

DRAWING 04 · DESIGNFIG. 04 · OPERATING MODEL
DRAWING NO.
04 / 05
CLAIM
6 TOWERS → 3 TIERS
BASELINE
OPS STAFFING · ENFORCED CEILING
LAST REV.
04/26

04 · DESIGN · SIX TOWERS, THREE TIERS

Ops said three tiers was the ceiling. They were right.

My first design was four tiers. Operations pushed back — given current staffing, they'd be stuck running two of them understaffed. We rebuilt around three. It performed better because every team could actually own their lane without ambiguity.

REV. 02 · Redrawn
FIG. 04 · Operating-model assemblySCALE · 1 : 1

BEFORE · 6 towersNo shared metrics · no common escalation

A·1

AD
Engineering

A·2

Endpoint
Compute

A·3

Network
Cisco ISE

A·4

App &
Identity

A·5

Service
Desk

A·6

Operations
& Eng

T01< 4h target

Triage & Resolve

Structured intake with SPLUNK-driven payload. Browser-cache playbook lives here. Most cases never need to leave this tier.

72% close here

T02< 2d target

Specialist Engage

Domain engineers pick up a full context payload. No customer restart. Signature + source host + prior history attached.

Full payload · zero restarts

T03< 5d target

Product & Engineering

Reserved for defects and architectural fixes. Repeat signatures trigger here, feed the roadmap directly.

Repeat signatures → roadmap

PROJECTION · six labeled columns redraw into three tiers · construction lines on scrollSHEET 05 / 06

↘ closing · the larger story

DRAWING 05 · CLOSINGFIG. 05 · APHORISM