Dora Quick Start

Overview

The Digital Operational Resilience Act (DORA) requires EU financial institutions to perform due diligence on ICT third-parties and continuously monitor ICT third-party relationships against specific SLAs and KPIs. DORA mandates both traditional periodic vendor risk reviews reviews and ongoing, real-time oversight with comprehensive audit trails.

Key DORA requirements:

• Detailed due diligence on all ICT third-party service providers before entering into any contract (DORA RTS Article 6)
• Risk-based ICT assesssment framework (DORA RTS Article 5)
• Continuous monitoring of vendor performance against SLAs and KPIs (DORA RTS Article 9)
• Real-time risk event detection and response (DORA Articles 10-11, 17-18)
• Key contractual provisions like exit strategies, termination rights, SLAs, KPIs, and data protection (DORA Article 30)
• Comprehensive audit trails and compliance reporting

This guide walks you through setting up automated DORA compliance using Clarative’s platform. In this guide you will:

1. Automate Vendor Due Diligence
2. Automate SLA and KPI Monitoring
3. Automate Vendor Risk and Performance Reporting
4. Identify Contracts That Are Missing Required DORA Clauses

---

Step 1: Set Up Your Vendor Assessment Playbooks

Create playbooks to define vendor requirements during risk assessments.

1. Navigate to the Assessments tab in the sidebar. Click Playbook Library to open the Playbook Library.
2. Click Create Playbook to create a new playbook. You can upload an existing vendor questionnaire, choose from one of our standard templates (such as our security template or our DORA ICT template), or start from scratch.
3. Click on your new playbook and click “Edit” to customize the playbook to your needs.

Now you’re ready to kickoff automated vendor assessments in the Assessments tab. Just create a new assessment and upload the relevant documentation. See the Due Diligence Quick Start for details.

---

Step 2: Set Up Your SLA Registry

Create a centralized registry of all vendor SLAs, KPIs, and performance obligations. The Clarative team can complete this step for you.

What you’ll need

• Vendor contracts and service agreements
• List of critical ICT vendors and services

Onboard Your Vendors

Navigate to Vendors and add a new vendor or let the Clarative team onboard for you. Contact support@clarative.ai for assistance in onboarding new vendors.

Create SLAs with AI, with Clarative Presets, or Manually

1. Click a vendor to go to the vendor detail page and open the Performance Monitoring tab

2. If you have uploaded SLA documentation, click Extract with AI to extract SLAs, KPIs, and important vendor obligations

   a. Review AI-identified SLAs (uptime targets, response times, performance metrics)

   b. Validate and approve extracted SLAs

3. If you have not uploaded SLA documentation, click “Add” to add a new SLA. You can select from pre-configured SLAs if available, or configure your own SLA.

4. Assign owners to SLAs

5. Configure monitoring parameters for each SLA

Result

A comprehensive registry of all vendor SLAs with automated monitoring ready to activate.

---

Step 3: Configure Risk Data Sources

Enable continuous monitoring by connecting Clarative to multiple risk data sources. If you select a Clarative-supported vendor from the search field during vendor onboarding, most risk data sources are configured for you automatically.

Available data sources:

• Incident Reports: Public status pages and vendor notifications
• Security Breach Reports: CVE feeds and security advisories
• Regulatory Filings: SEC filings and regulatory announcements
• Adversarial News: Media monitoring for negative vendor coverage
• Synthetic Monitoring: Uptime and performance testing
• Vendor Data Requests: Automated questionnaires and data collection
• Internal Integrations: Connect your monitoring tools (Datadog, Splunk, etc.)

Configure Incident Monitoring

1. Open an SLA from the vendor Performance Monitoring tab, or create a new one and select “Uptime SLA”.
2. Click Configure SLA and go to the Tags tab.
3. Select the relevant Products, Services, and Regions for the SLA.

Configure Synthetic Monitoring (Heartbeat)

1. Click “Add” under Synthetic Monitoring on the vendor Performance Monitoring tab, or select a preconfigured monitor template from the list.

2. Configure the monitor to your specifications and test the monitor.

3. Click “Activate” on the monitor page to start monitoring.

   See more details on the Synthetic Monitoring page.

Configure Custom (Vendor Data Collection) SLAs

1. Click “Add” in the vendor Performance Monitoring tab to create a new SLA, and then select Custom SLA.
2. Name the SLA metric you want to measure and enter the ideal (green) and acceptable (yellow) value ranges.
3. Configure the vendor contact that is responsible for providing the metric, and the cadence to send automated email reminders.

---

Step 4: Set Up AI Risk Rules

Automate risk event prioritization to focus on the most critical issues first.

In Clarative

1. Navigate to AI Risk Rules by first going to the Risk tab and clicking Configure AI Triaging
2. Create rules by:
   • Event Type: Different rules for incidents vs. security breaches
   • Vendor: Custom rules for specific vendors
   • SLA Specific: Targeted rules for particular SLAs

Example rule configurations

• High Priority: Significant operational disruptions such as major outages, critical system failures, or data loss
• Medium Priority: Data unavailability caused by processing delays or other availability issues
• Low Priority: Temporary slowdowns or non-critical issues that do not impact operations

Result

AI automatically triages incoming risk events, ensuring your team focuses on DORA-relevant issues while maintaining complete audit trails.

---

Step 5: Find Non-Compliant Contracts with Search Grid

Use AI to identify missing DORA clauses across your contract portfolio and prioritize remediation efforts with Search Grid.

Required DORA clauses to search for:

• Audit rights
• Data integrity/resilience provisions
• Incident notification requirements
• Subcontractor approval clauses
• Termination rights

In Clarative:

1. Navigate to Discover (globe icon in sidebar)
2. Ensure you’re searching across All Vendors
3. Click DORA Compliance from the template options
4. Review the Table Preview showing all DORA clause types
5. Click Generate Table to create your clause matrix

Take action:

1. Export the clause table for your legal team
2. Prioritize remediation by:
   • Vendor criticality (focus on ICT-critical vendors first)
   • Contract renewal dates (combine with upcoming renewals)
   • Risk exposure level

Result:

A comprehensive audit of DORA compliance across all vendor contracts.

---

Step 6: Monitor Performance and Generate Reports

Track vendor performance against SLAs and maintain compliance reporting.

Real-time monitoring

1. Access the Risk tab to see all active risk events
2. Click into individual events to see:
   • AI triage explanation and reasoning
   • Full context and relevant SLA impact
3. Click Generate Verification Request to send risk event details to a subject matter expert or business owner for review and response
   • All actions are logged in the activity trail for audit purposes
4. Close the risk event as resolved or dismiss it

SLA performance tracking

1. Click on any vendor to view their SLA Detail page from the Performance Monitoring tab
2. Monitor performance against specific SLAs:
   • Uptime percentages vs. commitments
   • Incident impact summaries with business context
   • Historical performance trends
3. Identify potential SLA violations with supporting incident data

Compliance reporting

Clarative provides real time risk and compliance reporting as well as exportable SLA reports.

Risk Reporting

1. Navigate to Performance tab for executive dashboards
2. Track key DORA metrics:
   • Risks Identified: Events detected by continuous monitoring
   • Coverage Metrics: Number of vendors and SLAs actively monitored

SLA Reporting

1. Export SLA compliance reports for multiple with the Export Report button on the Vendors tab.
2. Export detailed vendor SLA reports by clicking Export Report on a specific SLA.

Result:

Shareable reports on vendor SLA compliance, availability, and risk event mitigation.

---

Maintaining DORA Compliance

Regular reviews

• At Vendor Onboarding: Perform due diligence assessments for all vendors
• Weekly: Monitor the Review tab for new risk events
• Monthly: Analyze vendor performance trends
• Quarterly: Update AI risk rules and SLA thresholds
• Annually: Perform periodic reassessmetns of your critical vendors

Audit preparation

All monitoring activities, triage decisions, and compliance actions are automatically logged and ready for examination.

---

Success Metrics

With Clarative’s DORA compliance setup, you’ll achieve:

• Automated first review of all vendor provided evidence during due diligence
• Automated continuous monitoring of all critical ICT vendors
• Real-time SLA performance tracking with violation alerts
• Comprehensive audit trails for all risk management activities
• Regulatory-ready reporting with evidence packages
• Reduced manual effort while improving oversight coverage

---

Need Help?

Contact support at support@clarative.ai.