---
title: Dora Quick Start | Clarative
description: Get your Third-Party Risk Management (TPRM) program DORA-compliant in 6 simple steps using Clarative's third-party risk AI Automation Engine.
---

## Overview

The Digital Operational Resilience Act (DORA) requires EU financial institutions to perform due diligence on ICT third parties and continuously monitor ICT third-party relationships against specific SLAs and KPIs. DORA mandates both traditional periodic vendor risk reviews and ongoing, real-time oversight with comprehensive audit trails.

**Key DORA requirements:**

- Detailed due diligence on all ICT third-party service providers before entering into any contract (DORA RTS Article 6)
- Risk-based ICT assessment framework (DORA RTS Article 5)
- Continuous monitoring of vendor performance against SLAs and KPIs (DORA RTS Article 9)
- Real-time risk event detection and response (DORA Articles 10-11, 17-18)
- Key contractual provisions like exit strategies, termination rights, SLAs, KPIs, and data protection (DORA Article 30)
- Comprehensive audit trails and compliance reporting

This guide walks you through setting up automated DORA compliance using Clarative’s platform. In this guide you will:

1. Automate Vendor Due Diligence
2. Automate SLA and KPI Monitoring
3. Automate Vendor Risk and Performance Reporting
4. Identify Contracts That Are Missing Required DORA Clauses

---

## Step 1: Set Up Your Vendor Assessment Playbooks

Create playbooks to define vendor requirements during risk assessments.

1. Navigate to the **Assessments** tab in the sidebar. Click **Playbook Library** to open the Playbook Library.
2. Click **Create Playbook** to create a new playbook. You can upload an existing vendor questionnaire, choose from one of our standard templates (such as our security template or our DORA ICT template), or start from scratch.
3. Click on your new playbook and click “Edit” to customize the playbook to your needs.

Now you’re ready to kick off automated vendor assessments in the **Assessments** tab. Just create a new assessment and upload the relevant documentation. See the [Due Diligence Quick Start](/guides/due_diligence_quickstart/index.md) for details.

![Playbook Modal](/_astro/playbook_modal.BU0OdU7C_Zt8TQX.webp)

---

## Step 2: Set Up Your [SLA Registry](/advanced/sla_configuration/index.md)

Create a centralized registry of all vendor SLAs, KPIs, and performance obligations. The Clarative team can complete this step for you.

### What you’ll need

- Vendor contracts and service agreements
- List of critical ICT vendors and services

### Onboard Your Vendors

Navigate to **Vendors** and add a new vendor or let the Clarative team onboard for you. Contact **** for assistance in onboarding new vendors.

### Create SLAs with AI, with Clarative Presets, or Manually

1. Click a vendor to go to the vendor detail page and open the **Performance Monitoring** tab
2. If you have uploaded SLA documentation, click **Extract with AI** to extract SLAs, KPIs, and important vendor obligations
   a. Review AI-identified SLAs (uptime targets, response times, performance metrics)
   b. Validate and approve extracted SLAs
3. If you have not uploaded SLA documentation, click “Add” to add a new SLA. You can select from pre-configured SLAs if available, or [configure your own SLA](/advanced/sla_configuration/index.md).
4. Assign owners to SLAs
5. Configure monitoring parameters for each SLA

![Extract SLAs](/_astro/extract_slas.DUWFPwHq_Z1mk0Wd.webp)

### Result

A comprehensive registry of all vendor SLAs with automated monitoring ready to activate.

---

## Step 3: Configure Risk Data Sources

Enable continuous monitoring by connecting Clarative to multiple risk data sources. If you select a Clarative-supported vendor from the search field during vendor onboarding, most risk data sources are configured for you automatically.

### Available data sources:

- **Incident Reports:** Public status pages and vendor notifications
- **Security Breach Reports:** CVE feeds and security advisories
- **Regulatory Filings:** SEC filings and regulatory announcements
- **Adversarial News:** Media monitoring for negative vendor coverage
- **Synthetic Monitoring:** [Uptime and performance testing](/advanced/synthetic_monitoring/index.md)
- **Vendor Data Requests:** Automated [questionnaires and data collection](/guides/due_diligence_quickstart/index.md)
- **Internal Integrations:** Connect your monitoring tools (Datadog, Splunk, etc.)

### Configure Incident Monitoring

1. Open an SLA from the vendor **Performance Monitoring** tab, or [create a new one](/advanced/sla_configuration/index.md) and select “Uptime SLA”.
2. Click **Configure SLA** and go to the **Tags** tab.
3. Select the relevant Products, Services, and Regions for the SLA.

### Configure [Synthetic Monitoring](/advanced/synthetic_monitoring/index.md) (Heartbeat)

1. Click “Add” under [**Synthetic Monitoring**](/advanced/synthetic_monitoring/index.md) on the vendor **Performance Monitoring** tab, or select a preconfigured monitor template from the list.
2. Configure the monitor to your specifications and test the monitor.
3. Click “Activate” on the monitor page to start monitoring. See more details on the [Synthetic Monitoring page](/advanced/synthetic_monitoring/index.md).

### Configure Custom (Vendor Data Collection) SLAs

1. Click “Add” in the vendor **Performance Monitoring** tab to create a new SLA, and then select [Custom SLA](/advanced/sla_configuration#creating-a-vendor-reported-sla/index.md).
2. Name the SLA metric you want to measure and enter the ideal (green) and acceptable (yellow) value ranges.
3. Configure the vendor contact that is responsible for providing the metric, and the cadence to send automated email reminders.

---

## Step 4: Set Up [AI Risk Rules](/advanced/risk_review_rules/index.md)

Automate risk event prioritization to focus on the most critical issues first.

### In Clarative

1. Navigate to [**AI Risk Rules**](/advanced/risk_review_rules/index.md) by first going to the **Risk** tab and clicking **Configure AI Triaging**
2. Create rules by:
   - **Event Type:** Different rules for incidents vs. security breaches
   - **Vendor:** Custom rules for specific vendors
   - **SLA Specific:** Targeted rules for particular SLAs

### Example rule configurations

- **High Priority:** Significant operational disruptions such as major outages, critical system failures, or data loss
- **Medium Priority:** Data unavailability caused by processing delays or other availability issues
- **Low Priority:** Temporary slowdowns or non-critical issues that do not impact operations

![AI Risk Rules](/_astro/ai_risk_rules.DVPOM413_ZibPex.webp)

### Result

AI automatically triages incoming [risk events](/basics/risk_events/index.md), ensuring your team focuses on DORA-relevant issues while maintaining complete audit trails.

---

## Step 5: Find Non-Compliant Contracts with Search Grid

Use AI to identify missing DORA clauses across your contract portfolio and prioritize remediation efforts with [Search Grid](/basics/search_grid/index.md).

![AI Risk Rules](/_astro/dora_search_grid.BxzDDUwc_Z1dyFFW.webp)

### Required DORA clauses to search for:

- Audit rights
- Data integrity/resilience provisions
- Incident notification requirements
- Subcontractor approval clauses
- Termination rights

### In Clarative:

1. Navigate to **Discover** (globe icon in sidebar)
2. Ensure you’re searching across **All Vendors**
3. Click **DORA Compliance** from the template options
4. Review the **Table Preview** showing all DORA clause types
5. Click **Generate Table** to create your clause matrix

### Take action:

1. **Export** the clause table for your legal team
2. Prioritize remediation by:
   - Vendor criticality (focus on ICT-critical vendors first)
   - Contract renewal dates (combine with upcoming renewals)
   - Risk exposure level

### Result:

A comprehensive audit of DORA compliance across all vendor contracts.

---

## Step 6: Monitor Performance and Generate Reports

Track vendor performance against SLAs and maintain compliance reporting.

### Real-time monitoring

1. Access the **Risk** tab to see all active [risk events](/basics/risk_events/index.md)
2. Click into individual events to see:
   - AI triage explanation and reasoning
   - Full context and relevant SLA impact
3. Click **Generate Verification Request** to send risk event details to a subject matter expert or business owner for review and response
   - All actions are logged in the activity trail for audit purposes
4. Close the risk event as resolved or dismiss it

![Risk Event](/_astro/risk_event_detail.BMwgO46F_MEi2j.webp)

### SLA performance tracking

1. Click on any vendor to view their **SLA Detail** page from the **Performance Monitoring** tab
2. Monitor performance against specific SLAs:
   - Uptime percentages vs. commitments
   - Incident impact summaries with business context
   - Historical performance trends
3. Identify potential SLA violations with supporting incident data

### Compliance reporting

Clarative provides real-time risk and compliance reporting as well as exportable SLA reports.

**Risk Reporting**

1. Navigate to **Performance** tab for executive dashboards
2. Track key DORA metrics:
   - **Risks Identified:** Events detected by continuous monitoring
   - **Coverage Metrics:** Number of vendors and SLAs actively monitored

**SLA Reporting**

1. Export SLA compliance reports for multiple vendors with the **Export Report** button on the **Vendors** tab.
2. Export detailed vendor SLA reports by clicking **Export Report** on a specific SLA.

![Report Export](/_astro/vendor_compliance_export.8Vm73zYd_uDiWP.webp)

### Result:

Shareable reports on vendor SLA compliance, availability, and risk event mitigation.

---

## Maintaining DORA Compliance

### Regular reviews

- At Vendor Onboarding: Perform due diligence assessments for all vendors
- Weekly: Monitor the **Review** tab for new risk events
- Monthly: Analyze vendor performance trends
- Quarterly: Update AI risk rules and SLA thresholds
- Annually: Perform periodic reassessments of your critical vendors

### Audit preparation

All monitoring activities, triage decisions, and compliance actions are automatically logged and ready for examination.

---

## Success Metrics

With Clarative’s DORA compliance setup, you’ll achieve:

- **Automated first review** of all vendor-provided evidence during due diligence
- **Automated continuous monitoring** of all critical ICT vendors
- **Real-time SLA performance tracking** with violation alerts
- **Comprehensive audit trails** for all risk management activities
- **Regulatory-ready reporting** with evidence packages
- **Reduced manual effort** while improving oversight coverage

---

## Need Help?

Contact support at ****.