DORA Quick Start
Get your Third-Party Risk Management (TPRM) program DORA-compliant in 5 simple steps using Clarative's AI-powered continuous monitoring platform.
Overview
The Digital Operational Resilience Act (DORA) requires EU financial institutions to continuously monitor ICT third-party relationships against specific SLAs and KPIs. Unlike traditional periodic reviews, DORA mandates ongoing, real-time oversight with comprehensive audit trails.
Key DORA requirements:
- Continuous monitoring of vendor performance against SLAs and KPIs
- Real-time risk event detection and response
- Comprehensive audit trails and compliance reporting
- Evidence-ready documentation for regulatory examinations
This guide walks you through setting up automated DORA compliance using Clarative's platform.
Step 1: Set Up Your SLA Registry
Create a centralized registry of all vendor SLAs, KPIs, and performance obligations. The Clarative team can complete this step for you.
What you'll need
- Vendor contracts and service agreements
- List of critical ICT vendors and services
Onboard Your Vendors
Navigate to Vendors and add a new vendor, or let the Clarative team onboard vendors for you. Contact support@clarative.ai for assistance in onboarding new vendors.
Extract SLAs with AI
- Click a vendor to go to the vendor detail page and open the Obligations tab
- Click Extract with AI to extract SLAs, KPIs, and important vendor obligations
- Review AI-identified SLAs (uptime targets, response times, performance metrics)
- Validate and approve extracted SLAs
- Assign owners to SLAs
- Configure monitoring parameters for each SLA
Result
A comprehensive registry of all vendor SLAs with automated monitoring ready to activate.
Step 2: Configure Risk Data Sources
Enable continuous monitoring by connecting Clarative to multiple risk data sources. If you select a Clarative-supported vendor from the search field during vendor onboarding, most risk data sources are configured for you automatically.
Available data sources:
- Incident Reports: Public status pages and vendor notifications
- Security Breach Reports: CVE feeds and security advisories
- Regulatory Filings: SEC filings and regulatory announcements
- Adversarial News: Media monitoring for negative vendor coverage
- Synthetic Monitoring: Uptime and performance testing
- Vendor Data Requests: Automated surveys and data collection
- Internal Integrations: Connect your monitoring tools (Datadog, Splunk, etc.)
Configure Incident Monitoring
- Open an SLA from the vendor Obligations tab, or create a new one
- Click Configure Incident Monitoring
- Select the relevant Products, Services, and Regions for the SLA
Configure Synthetic Monitoring (Heartbeat)
- Click "Add" under Synthetic Monitoring on the vendor Obligations tab, or select a preconfigured monitor from the list.
- Configure the monitor to your specifications and test the monitor.
- Click "Activate" on the monitor page to start monitoring.
See more details on the Synthetic Monitoring page.
Step 3: Set Up AI Risk Rules
Automate risk event prioritization to focus on the most critical issues first.
In Clarative
- Navigate to AI Risk Rules by clicking the gear icon in the Risk tile
- Create rules by:
  - Event Type: Different rules for incidents vs. security breaches
  - Vendor: Custom rules for specific vendors
  - SLA Specific: Targeted rules for particular SLAs
Example rule configurations
- High Priority: Significant operational disruptions such as major outages, critical system failures, or data loss
- Medium Priority: Data unavailability caused by processing delays or other availability issues
- Low Priority: Temporary slowdowns or non-critical issues that do not impact operations
Result
AI automatically triages incoming risk events, ensuring your team focuses on DORA-relevant issues while maintaining complete audit trails.
Step 4: Find Non-Compliant Contracts with Search Grid
Use AI to identify missing DORA clauses across your contract portfolio and prioritize remediation efforts with Search Grid.
Required DORA clauses to search for:
- Audit rights
- Data integrity/resilience provisions
- Incident notification requirements
- Subcontractor approval clauses
- Termination rights
In Clarative:
- Navigate to Discover (globe icon in sidebar)
- Ensure you're searching across All Vendors
- Click DORA Compliance from the template options
- Review the Table Preview showing all DORA clause types
- Click Generate Table to create your clause matrix
Take action:
- Export the clause table for your legal team
- Prioritize remediation by:
  - Vendor criticality (focus on ICT-critical vendors first)
  - Contract renewal dates (combine with upcoming renewals)
  - Risk exposure level
Result:
A comprehensive audit of DORA compliance across all vendor contracts.
Step 5: Monitor Performance and Generate Reports
Track vendor performance against SLAs and maintain compliance reporting.
Real-time monitoring
- Access the Review tab to see all active risk events
- Click into individual events to see:
  - AI triage explanation and reasoning
  - Full context and relevant SLA impact
- Click Generate Verification Request to send risk event details to a subject matter expert or business owner for review and response
- All actions are logged in the activity trail for audit purposes
- Close the risk event as resolved or dismiss it
SLA performance tracking
- Click on any vendor to view their SLA Detail page from the Obligations tab
- Monitor performance against specific SLAs:
  - Uptime percentages vs. commitments
  - Incident impact summaries with business context
  - Historical performance trends
- Identify potential SLA violations with supporting incident data
Compliance reporting
Clarative provides real-time risk and compliance reporting as well as exportable SLA reports.
Risk Reporting
- Navigate to the Report tab for executive dashboards
- Track key DORA metrics:
  - Risks Identified: Events detected by continuous monitoring
  - Risks Mitigated: Actions taken and issues resolved
  - Coverage Metrics: Number of vendors and SLAs actively monitored, including ownership percentages
  - Response Times: Team performance against due dates by severity
- See vendor-level compliance scores on the Vendor tab
SLA Reporting
- Export SLA compliance reports for multiple vendors with the Export Report button on the Vendors tab.
- Export detailed vendor SLA reports by clicking Export Report on a specific SLA.
Result:
Shareable reports on vendor SLA compliance, availability, and risk event mitigation.
Maintaining DORA Compliance
Regular reviews
- Weekly: Monitor the Review tab for new risk events
- Monthly: Analyze vendor performance trends
- Quarterly: Update AI risk rules and SLA thresholds
- Annually: Comprehensive SLA registry review
Audit preparation
All monitoring activities, triage decisions, and compliance actions are automatically logged and ready for examination.
Success Metrics
With Clarative's DORA compliance setup, you'll achieve:
- Automated continuous monitoring of all critical ICT vendors
- Real-time SLA performance tracking with violation alerts
- Comprehensive audit trails for all risk management activities
- Regulatory-ready reporting with evidence packages
- Reduced manual effort while improving oversight coverage
Need Help?
Contact support at support@clarative.ai.