DRAWING 01 · HERO

FIG. 01 · HERO

CASE NO.: 04 / 05
BASED: DEN · REMOTE
ROLE: CX & EX TRANSFORMATION
REV.: v2026.04

01 · BRIEF · CASE 04 OF 05

Lockouts: From 27 Hour MTTR to 22 minutes

Estée Lauder's desk was taking 3,515 password-reset tickets a month, escalating 42.6%. I unified six ITIL towers into one operating model.

WINDOW: ~6 weeks 90-day SPLUNK analysis
CLIENT: Wipro Digital Estée Lauder Companies (ELC)
SCOPE: 6 ITIL towers · 3 unified tiers~40K employees
INTAKE: 3,515 password-reset INCs/mo42.6% escalating

↓ delta · MTTR reduction for lockouts

DRAWING 01 · DELTAFIG. 01 · MTTR REDUCTION FOR LOCKOUTS

DRAWING NO.: 01 / 05
CLAIM: 98.64% MTTR REDUCTION
BASELINE: 27H → 22 MIN LOCKOUTS
LAST REV.: 04/26

01 · DELTA

MTTR Reduction for Lockouts

SOURCE · SERVICENOW + SPLUNK90-DAY ANALYSIS

13KAnnual lockouts eliminated

+13%NPS over goal · post-redesign

30+Operational outcomes shipped

↓ diagnosis · where lockouts actually came from

DRAWING 02 · DIAGNOSISFIG. 02 · LOCKOUT ECONOMICS

DRAWING NO.: 02 / 05
CLAIM: 43% · BROWSER-CACHE ORIGIN
BASELINE: 3,515 INC/MO · 42.6% ESC.
LAST REV.: 04/26

02 · DIAGNOSIS · WHERE LOCKOUTS ACTUALLY CAME FROM

FIG. 02-AIntake

3,515

Password reset & lockout INCs
per month · Service Desk intake
100% incoming

FIG. 02-BEscalation

42.6%

Escalated beyond Service Desk
~1,498 INCs leaking to higher tiers

— SD agents could not localize complex lockouts— No cross-tool telemetry · AD, Cisco ISE, endpoint all separate— Inaccurate routing · repeated customer restarts

FIG. 02-CLatency

4×

Time-to-resolve when escalated
vs. cases closed at the Service Desk

ROOT CAUSE · 43% of lockouts traced to browser-cached passwords, not AD policy and not user error in the usual sense. Invisible to legacy routing.

FIG. 02-DTarget

10%

Reduction target
Redesign + SPLUNK-driven routing

$62KSD cost / yr saved2,283 hEmployee time / yr15K+ hResolver-group time

The query that made lockouts legibleFIG. 02-E · Diagnostic

A single SPLUNK query — written by Wipro's CAS team, surfaced to 10 of 80+ SD agents — correlated AD lockout events (EventCode 4740) with source host, caller, and signature. Before: lockouts were anonymous. After: every lockout had a traceable origin — device, browser, session, repeat-offender pattern.

source=WinEventLog:Security EventCode=4740 | dedup _time user EventCode | eval host=coalesce(Caller_Computer_Name, host) | eval signature=COALESCE(signature, failure_reason)

You can't redesign what you can't see.

35% · by phoneLockouts handled · pre-redesign

50+ · 200+Repeat users · INCs · reviewed via SPLUNK

10 / 80+Agents with SPLUNK access · day-one gap

↓ flow · one ticket, two models

DRAWING 03 · FLOWFIG. 03 · SERVICE RECORD

DRAWING NO.: 03 / 05
CLAIM: 27H → 22MIN · SAME TICKET
BASELINE: 4 HANDOFFS · 3 RESTARTS
LAST REV.: 04/26

04 · FLOW · ONE TICKET, TWO MODELS

One ticket. Two models. Same Monday morning.

Same employee, same problem, same Monday morning. Before: they restart the story at every handoff. After: the context travels with the case and the Service Desk closes it before coffee gets cold.

BEFORE · LegacyFIG. 03-A · Service record

Context lost at every handoff · 6 towers · manual routing · customer restarts

09:12Claudia Can't sign in. Calls Service Desk.

09:18SD Agent · T1AD lockout assumed. Resets password. Hangs up.

10:47ClaudiaLocked out again. Different agent.Restarts the story.

11:02SD Agent · T1Routes to AD Engineering — suspected policy issue.

Hour 8AD Tower · T2No AD issue. Bounces to Endpoint.No context payload.

Hour 19Endpoint TowerRequests Claudia's asset ID.Third restart.

Hour 25Network TowerRouted again. Cisco ISE logs requested.

Hour 27ResolvedRoot cause: browser-cached password.Nobody writes that down.

27 hoursMTTR

4Tower handoffs

3Customer restarts

AFTER · RedesignedFIG. 03-B · Service record

Context travels with the case · 3 tiers · SPLUNK-aware routing · structured intake

09:12ClaudiaCan't sign in. Opens intake via self-service.

09:12Intake · SPLUNKCorrelates AD event 4740 + source host + signature.Flags browser-cache pattern.

09:17SD Agent · T1Ticket opens with full payload: user, host, signature, 2 prior lockouts. Agent runs the browser-cache playbook.

09:34Resolved · T1Cleared Chrome credential cache. Guided re-auth. Closed at Service Desk.

09:34Feedback loopResolution pattern logged. If the same signature fires 3× for a user, it routes direct-to-playbook next time.

22 minMTTR

0Tower handoffs

0Customer restarts

↓ design · six towers, three tiers

DRAWING 04 · DESIGNFIG. 04 · OPERATING MODEL

DRAWING NO.: 04 / 05
CLAIM: 6 TOWERS → 3 TIERS
BASELINE: OPS STAFFING · ENFORCED CEILING
LAST REV.: 04/26

04 · DESIGN · SIX TOWERS, THREE TIERS

Ops said three tiers was the ceiling. They were right.

My first design was four tiers. Operations pushed back — given current staffing, they'd be stuck running two of them understaffed. We rebuilt around three. It performed better because every team could actually own their lane without ambiguity.

REV. 02 · Redrawn

FIG. 04 · Operating-model assemblySCALE · 1 : 1

BEFORE · 6 towersNo shared metrics · no common escalation

A·1

AD
Engineering

A·2

Endpoint
Compute

A·3

Network
Cisco ISE

A·4

App &
Identity

A·5

Service
Desk

A·6

Operations
& Eng

T01< 4h target

Triage & Resolve

Structured intake with SPLUNK-driven payload. Browser-cache playbook lives here. Most cases never need to leave this tier.

72% close here

T02< 2d target

Specialist Engage

Domain engineers pick up a full context payload. No customer restart. Signature + source host + prior history attached.

Full payload · zero restarts

T03< 5d target

Product & Engineering

Reserved for defects and architectural fixes. Repeat signatures trigger here, feed the roadmap directly.

Repeat signatures → roadmap

PROJECTION · six labeled columns redraw into three tiers · construction lines on scrollSHEET 05 / 06

↘ closing · the larger story

DRAWING 05 · CLOSINGFIG. 05 · APHORISM

Signals the org can't see are the signals the org is paying for.

Next case · 05 of 05EY Healthcare · Say YES Summer Back to allSelected work · five builds