Regulatory Context
DORA Article 28(1) requires financial entities to conduct and maintain ongoing risk assessments of their ICT third-party dependencies. This is not a one-time exercise — it is a continuous obligation that must be embedded into your third-party risk management framework. The risk assessment must evaluate the nature, scale, complexity, and importance of the ICT-related dependencies, and the risks arising from contractual arrangements with ICT third-party service providers.
Article 28(5) further requires that financial entities develop exit strategies for all ICT third-party arrangements supporting critical or important functions. These exit strategies must ensure that the entity can withdraw from the arrangement without disruption to its business activities, without limiting compliance with regulatory requirements, and without detriment to the continuity and quality of services provided to clients.
The ITS 2024/2956 template B_07.01 mandates reporting risk assessment data to your NCA. This includes the risk level, substitutability assessment, exit planning status, and concentration risk indicators for each ICT provider relationship. The Risk Assessments module in Venvera maps directly to these reporting fields.
Risk Assessment List Page
Navigate to DORA > Register of Information > Risk Assessments to see all existing assessments. The page displays a sortable data table with the following columns:
| Column | Type | Required | Description |
|---|---|---|---|
| Provider | Link | — | The name of the ICT provider being assessed. Clicking the name navigates to the provider's detail page in the ICT Providers module. |
| Date | Formatted date | — | The date of the assessment, displayed in the tenant's configured date format. |
| Risk Level | Badge | — | A colour-coded badge: Critical (red), High (amber), Medium (blue), Low (green). |
| Concentration | Yes/No | — | Whether concentration risk has been flagged for this provider. "Yes" appears in amber, "No" in muted text. |
| Next Review | Date or dash | — | The scheduled date for the next review of this assessment. Displayed in the tenant's date format, or a dash if not set. |
| Findings | Truncated text | — | A truncated preview of the findings text. Shows a dash if no findings were recorded. |
| Actions | Icon buttons | — | Edit (pencil icon — navigates to the edit page) and Delete (trash icon — confirmation required). |
Empty State
If no assessments exist, the page displays a centred empty state with a shield icon, the heading "No assessments yet", a prompt to assess ICT provider risk, and a "New assessment" button.
Creating a Risk Assessment
Click "New assessment" to navigate to the dedicated creation page. The form is divided into two sections: the main risk assessment fields and the exit strategy section.
1. Choose the provider to assess from the dropdown. This list is populated from your ICT Providers register. If the provider is not listed, add it first in the ICT Providers module.
2. Click one of the four radio options: Low, Medium, High, or Critical. Consider the criticality of functions the provider supports, the provider's security posture, and any concentration risk factors.
3. Record what you found during the assessment and what actions you propose. These fields provide the narrative context that NCAs and auditors expect.
4. Assign a substitutability score from 0 to 10 and set the next review date. The score is a key input for concentration risk analysis.
5. Check the concentration risk flag if applicable. This marks the provider for enhanced scrutiny under Article 31.
6. Fill in substitutability reasoning, exit plan status, alternative provider identification, reintegration feasibility, and discontinuation impact. This section maps to ITS B_07.01 fields.
7. Click "Create Assessment" to save. You will be returned to the assessments list.
Main Assessment Fields
| Field | Type | Required | Description |
|---|---|---|---|
| ICT Provider | Dropdown | Required | Select the ICT provider to assess from the dropdown. Each assessment links to one provider, though you can create multiple assessments for the same provider over time to build a historical record. |
| Risk Level | Radio button (4 options) | Required | Low (green) — Minimal risk. Non-critical functions, strong controls, alternatives readily available. Medium (blue) — Moderate risk requiring monitoring. Acceptable security posture, limited but available alternatives. High (amber) — Significant risk requiring active management. May have identified security gaps or limited alternatives. Enhanced monitoring needed. Critical (red) — Highest risk level. Supports critical functions, difficult to replace, or presents concentration risk. DORA requires enhanced contractual provisions and documented exit strategies. |
| Findings | Textarea | Optional | Record the key findings from the assessment. Examples: "Provider lacks SOC 2 Type II certification", "Single data centre creates availability risk". Be specific and factual — findings may be reviewed by NCAs. |
| Mitigations | Textarea | Optional | Actions proposed or taken to address identified risks. Examples: "Requested SOC 2 roadmap by Q2 2026", "Implemented secondary backup to alternative provider". Link mitigations to specific findings wherever possible. |
| Substitutability Score | Number (0-10, step 0.1) | Optional | A numeric score from 0.0 to 10.0 measuring how easily this provider could be replaced: 0.0 = Irreplaceable. Extreme concentration risk. No alternatives exist or switching would take years. 1.0-3.0 = Very difficult to substitute. Few alternatives, high switching costs. 4.0-6.0 = Moderately substitutable. Alternatives exist but switching requires significant effort. 7.0-9.0 = Easily substitutable. Multiple alternatives, reasonable costs, standardised interfaces. 10.0 = Trivially substitutable. Commodity service, no switching costs. DORA Art. 28(8) emphasises substitutability because it determines the entity's ability to execute exit strategies. This score feeds into the B_07.01 export. |
| Next Review Date | Date picker | Optional | When this assessment should next be reviewed. DORA Art. 28(6) requires that risk assessments be updated at least annually for providers supporting critical or important functions. Set this date to ensure timely reviews. It appears in the assessments table for easy tracking. |
| Concentration Risk | Checkbox | Optional | Check this box if concentration risk is identified per DORA Article 31 — i.e., multiple critical functions depend on the same provider, the provider has no viable substitutes, or the provider is critical to many financial entities. Flagging this triggers enhanced scrutiny and inclusion in the B_07.01 export. |
Exit Strategy Section
The second form section is dedicated to exit strategy and substitutability data, required by DORA ITS 2024/2956 for B_07.01 risk assessment reporting. A note on the form reads: "Required by DORA ITS 2024/2956 for B_07.01 risk assessment reporting."
| Field | Type | Required | Description |
|---|---|---|---|
| Substitutability Reason | Textarea | Optional | A narrative explanation of why the provider received the given substitutability score. NCAs expect a reasoned justification, not just a number. Example: "Score of 2.5 because the provider's proprietary API is deeply embedded in our payment pipeline, and migration would require 18+ months of development." |
| Exit Plan Exists | Dropdown (3 options) | Optional | Not assessed (default) — Exit planning has not been evaluated yet. Yes — A documented exit plan exists for this provider relationship. DORA Art. 28(8) requires exit plans for arrangements supporting critical or important functions. No — No exit plan exists. For critical/important function providers, this is a compliance gap that should be remediated. |
| Alternative Providers Identified | Dropdown (3 options) | Optional | Not assessed (default) — Alternative providers have not been evaluated. Yes — One or more alternative providers have been identified who could deliver equivalent services. When selected, an additional field appears for entering alternative provider names. No — No alternatives have been identified. This significantly increases concentration risk. |
| Reintegration Possibility | Dropdown (4 options) | Optional | Assesses the feasibility of bringing the outsourced service back in-house: Not assessed (default) — Reintegration has not been evaluated. Easy — Can reintegrate in-house with existing capabilities and reasonable effort. Difficult — Significant resources, time, or capability gaps make reintegration challenging. Highly complex — Extremely difficult to reintegrate. Requires capabilities the entity does not currently have. May take years to execute. |
| Discontinuation Impact | Dropdown (4 options) | Optional | What would happen if this provider's services were suddenly discontinued: Not assessed (default) — Impact has not been evaluated. Low — Minor inconvenience; the entity can absorb the impact with existing contingencies. Medium — Noticeable disruption; some services degraded, but core operations continue. High — Severe disruption; material impact on the entity's ability to operate, serve clients, or meet regulatory obligations. |
| Alternative Provider Names/IDs | Text input (comma-separated) | Optional | This field appears only when "Alternative Providers Identified" is set to "Yes". Enter the names of identified alternative providers, separated by commas. Example: "Azure, GCP, OVHcloud". This data feeds into the B_07.01 export and demonstrates that the entity has viable alternatives, reducing concentration risk concerns. |
Editing a Risk Assessment
Click the pencil icon in the Actions column of the assessments table to navigate to the edit page. The edit page is identical in layout to the creation page, with all fields pre-populated with the assessment's current values. Make your changes and click "Save Changes" to update, or "Cancel" to return to the list without saving.
Deleting a Risk Assessment
Click the trash icon in the Actions column and confirm the dialog: "Delete this risk assessment?". Deletion is permanent. Consider whether you need to retain the assessment for audit trail purposes before deleting.
Why Exit Strategies Matter
DORA Article 28(8) requires financial entities to have documented exit strategies for ICT third-party arrangements that support critical or important functions. This is not optional guidance — it is a binding regulatory requirement. Your NCA will assess whether:
- Exit plans exist and are documented for all critical/important provider relationships.
- Alternative providers have been identified and evaluated.
- The entity understands reintegration feasibility and has planned accordingly.
- Substitutability has been assessed with a reasoned justification.
- The entity can withdraw from the arrangement without disrupting business continuity.
Concentration risk assessment under Article 31 also depends on exit strategy data. If the entity depends on a provider with low substitutability (say, 1.5 out of 10) and no exit plan, this represents a material concentration risk that the NCA may escalate to the ESAs for designation of that provider as "critical" under the DORA oversight framework.
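The field rules in the tables above and the low-substitutability, no-exit-plan case just described, as an added Python example that is not Venvera's code: it validates one assessment record against the form constraints and flags the Article 28(8) and Article 31 gaps. The field names, the 4.0 low-score cut-off and the use of the "Critical" risk level as a proxy for a critical function are this example's assumptions.

```python
"""Added example (not Venvera's code): validate a Risk Assessment record and flag
the compliance gaps this page describes. Field names and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Optional
LOW_SUBSTITUTABILITY = 4.0  # assumed cut-off: top of the page's "very difficult" band

@dataclass
class RiskAssessment:
    provider: str
    risk_level: str                                  # Low / Medium / High / Critical
    substitutability_score: Optional[float] = None   # 0.0-10.0, step 0.1
    concentration_risk: bool = False                 # the Article 31 checkbox
    exit_plan_exists: str = "Not assessed"           # Not assessed / Yes / No

def substitutability_band(score: float) -> str:
    """Map a score onto the field table's bands; scores between the page's
    bands (e.g. 3.5) are placed in the lower band (assumption)."""
    if score == 0.0:
        return "Irreplaceable"
    if score < LOW_SUBSTITUTABILITY:
        return "Very difficult to substitute"
    if score < 7.0:
        return "Moderately substitutable"
    return "Easily substitutable" if score < 10.0 else "Trivially substitutable"

def validate(a: RiskAssessment) -> list:
    """Data-quality errors per the form rules above (empty list = well-formed)."""
    errors = []
    if not a.provider.strip():
        errors.append("ICT Provider is required")
    if a.risk_level not in ("Low", "Medium", "High", "Critical"):
        errors.append("Risk Level must be Low, Medium, High or Critical")
    s = a.substitutability_score
    if s is not None and not (0.0 <= s <= 10.0 and abs(s * 10 - round(s * 10)) < 1e-9):
        errors.append("Substitutability Score must be 0.0-10.0 in steps of 0.1")
    return errors

def compliance_gaps(a: RiskAssessment) -> list:
    """Art. 28(8)/Art. 31 gaps as described above; "Critical" level is the assumed critical-function proxy."""
    gaps = []
    if a.risk_level == "Critical" and a.exit_plan_exists != "Yes":
        gaps.append("Critical provider without a documented exit plan (Art. 28(8))")
    s = a.substitutability_score
    if s is not None and s < LOW_SUBSTITUTABILITY and a.exit_plan_exists != "Yes":
        gaps.append(f"Material concentration risk: score {s} ({substitutability_band(s)}) with no exit plan (Art. 31)")
        if not a.concentration_risk:
            gaps.append("Concentration Risk checkbox should be ticked")
    return gaps
```

Running `compliance_gaps` over a record with score 1.5 and no exit plan returns all three gaps, which is the escalation case the paragraph above describes.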