Operational Resilience in Canada
Guideline E-21
Enhancing Operational Resilience in Financial Institutions
Guideline E-21, issued by the Office of the Superintendent of Financial Institutions (OSFI) in Canada, sets out OSFI's expectations for operational risk management and operational resilience at federally regulated financial institutions (FRFIs). First published in 2016 as an operational risk management guideline, it was revised in 2024 to add explicit operational resilience expectations, with full compliance expected by September 2026. The guideline aims to strengthen institutions' ability to prepare for, withstand, and recover from operational disruptions, so that critical operations continue and the stability of the financial system is preserved (OSFI, 2023).
OSFI revised the guideline in response to a growing set of threats to the financial sector, including cyberattacks, technology failures, pandemics, and climate-related disasters. By applying the principles in Guideline E-21, institutions can demonstrate operational resilience and maintain public trust in the financial system (Bank of Canada, 2022).
What is Guideline E-21?
At its core, Guideline E-21 focuses on equipping financial institutions with the tools and strategies to address operational risks effectively. Operational risks broadly encompass threats arising from inadequate or failed internal processes, human errors, system malfunctions, or external events such as cyberattacks or supply chain disruptions (Basel Committee on Banking Supervision, 2021).
To enhance resilience, the guideline requires institutions to:
- Identify and prioritize critical operations to ensure business continuity.
- Implement proactive risk management measures that anticipate and mitigate potential disruptions.
- Define tolerances for disruption and establish comprehensive recovery plans.
- Foster a culture of preparedness, adaptability, and continuous improvement.
This guideline represents OSFI’s commitment to reinforcing the financial system’s robustness against ever-evolving threats. It aligns with global standards such as the Basel Committee on Banking Supervision’s Principles for Operational Resilience and the Financial Stability Board’s guidance on third-party risk management (FSB, 2023).
Key Requirements of Guideline E-21
1. Governance and Accountability
A strong governance framework is essential for effective operational resilience. Institutions must:
- Adopt a governance structure that clearly defines roles and responsibilities for managing operational risks.
- Ensure senior management and boards oversee resilience initiatives and align them with the institution’s strategic objectives and risk appetite (OSFI, 2023).
- Establish independent risk functions to provide an additional layer of oversight and ensure governance structures remain effective.
- Implement internal audit mechanisms to assess the effectiveness of risk management strategies and identify areas for improvement (Institute of Internal Auditors, 2022).
2. Operational Risk Management Framework
Institutions are required to maintain an enterprise-wide framework that integrates operational risk management into decision-making processes. This includes:
- Conducting risk and control self-assessments (RCSAs) to proactively identify vulnerabilities (Bank for International Settlements, 2022).
- Utilizing key risk indicators (KRIs) to monitor operational risk exposure on an ongoing basis, with defined thresholds that trigger escalation when an indicator moves outside appetite.
- Performing scenario analyses to evaluate potential disruptions and test the effectiveness of mitigation strategies.
- Ensuring regular updates and reviews of the framework to adapt to new risks and regulatory developments (OSFI, 2023).
3. Operational Resilience
Operational resilience extends beyond traditional risk management by focusing on an institution’s ability to deliver critical services despite disruptions. To achieve this, financial institutions must:
- Map dependencies, including internal processes, technology systems, third-party vendors, and key personnel.
- Define tolerances for disruption (the E-21 term for what the UK framework calls impact tolerances), establishing the maximum acceptable level of disruption for each critical operation (Financial Stability Board, 2023).
- Develop contingency plans that outline response protocols, escalation procedures, and alternative service delivery mechanisms.
- Conduct stress testing under severe but plausible scenarios to assess resilience and identify potential weaknesses.
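The four bullets above describe one procedure: map the dependencies of each critical operation, attach a tolerance for disruption to it, then run severe-but-plausible scenarios through the map and see which tolerances are breached. The following Python is an added illustration of that procedure, written for this page; it is not OSFI's or any institution's tooling, and every operation, component, vendor name, tolerance, failover time and restoration time in it is constructed. The dependency map is a directed graph (critical operations at the top, sites, cloud regions and vendors at the bottom, assumed acyclic); a scenario is a set of failed components with hours to restore; downtime propagates upward, with an alternate taking over after a fixed failover time when one exists. The same map also yields the concentration view, i.e. components with no alternate that several critical operations share.

```python
"""Dependency mapping and scenario testing against tolerances for disruption.
Added example for this page; all names and numbers below are constructed."""
from collections import defaultdict
from functools import lru_cache

# Constructed dependency map: component -> components it needs to operate.
# Critical operations are the roots; sites, cloud regions and vendors are leaves.
DEPENDS_ON = {
    "retail_payments": ["core_banking", "payment_switch"],
    "online_banking": ["core_banking", "web_tier"],
    "treasury_settlement": ["settlement_engine"],
    "core_banking": ["dc_toronto"],
    "payment_switch": ["vendor_swift_bureau", "dc_toronto"],
    "web_tier": ["cloud_region_ca_central"],
    "settlement_engine": ["cloud_region_ca_central", "vendor_swift_bureau"],
    "dc_toronto": [], "dc_montreal": [],
    "cloud_region_ca_central": [], "vendor_swift_bureau": [],
}
# Constructed tolerances for disruption (hours) per critical operation.
TOLERANCE_HOURS = {"retail_payments": 4.0, "online_banking": 8.0,
                   "treasury_settlement": 2.0}
# Constructed alternates: a failed component is replaced by its alternate after
# FAILOVER_HOURS (a hypothetical disaster-recovery test result).
ALTERNATE = {"dc_toronto": "dc_montreal"}
FAILOVER_HOURS = 1.0


def dependents(depends_on, critical_ops):
    """Invert the map: component -> set of critical operations that rely on it,
    directly or transitively. This is the concentration view of the mapping."""
    rev = defaultdict(set)

    def walk(root, node, seen):
        for dep in depends_on.get(node, []):
            if dep in seen:
                continue
            seen.add(dep)
            rev[dep].add(root)
            walk(root, dep, seen)

    for op in critical_ops:
        walk(op, op, set())
    return dict(rev)


def single_points_of_failure(depends_on, alternates, critical_ops):
    """Components with no alternate on which two or more critical operations depend."""
    rev = dependents(depends_on, critical_ops)
    spof = [(c, len(ops)) for c, ops in rev.items()
            if c not in alternates and len(ops) >= 2]
    return sorted(spof)


def run_scenario(depends_on, alternates, tolerances, outage_hours):
    """Propagate a scenario (component -> hours until restored) up the graph and
    compare each critical operation's estimated downtime with its tolerance.
    Returns {critical_op: (downtime_hours, breached)}."""

    @lru_cache(maxsize=None)
    def downtime(node):
        if node in outage_hours:            # component directly hit by the scenario
            return float(outage_hours[node])
        worst = 0.0
        for dep in depends_on.get(node, []):
            d = downtime(dep)
            alt = alternates.get(dep)
            if d > 0 and alt is not None:
                # fail over rather than wait, unless the alternate is down as well
                d = min(d, FAILOVER_HOURS + downtime(alt))
            worst = max(worst, d)           # an operation is down while any input is
        return worst

    return {op: (downtime(op), downtime(op) > tol) for op, tol in tolerances.items()}


if __name__ == "__main__":
    print("Single points of failure:",
          single_points_of_failure(DEPENDS_ON, ALTERNATE, TOLERANCE_HOURS))
    scenarios = {  # constructed severe-but-plausible scenarios
        "primary data centre lost for 24h": {"dc_toronto": 24},
        "SWIFT service bureau outage, 6h": {"vendor_swift_bureau": 6},
        "regional event, both data centres 24h": {"dc_toronto": 24, "dc_montreal": 24},
    }
    for name, outage in scenarios.items():
        print(name)
        results = run_scenario(DEPENDS_ON, ALTERNATE, TOLERANCE_HOURS, outage)
        for op, (hours, breached) in results.items():
            verdict = "BREACH" if breached else "within tolerance"
            print(f"  {op}: {hours:g}h vs tolerance {TOLERANCE_HOURS[op]:g}h -> {verdict}")
```

Two things the output shows that the bullets alone do not: the site-loss scenario is absorbed by the alternate data centre (one hour of failover for the operations that touch it), while the six-hour vendor outage breaches two tolerances at once because the vendor has no alternate and sits under both the payment switch and the settlement engine, which is exactly what the single-points-of-failure list flags before any scenario is run. In practice the constructed restoration and failover times would be replaced by figures from business impact analyses and disaster-recovery tests, and the graph would be regenerated from the institution's configuration management and third-party inventories rather than typed in.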
4. Key Areas for Strengthening Resilience
To comply with Guideline E-21, financial institutions should strengthen resilience in the following key areas:
a) Business Continuity Management
- Develop and maintain business continuity plans that enable institutions to recover swiftly from operational interruptions.
- Conduct regular business impact analyses (BIAs) to assess the potential consequences of disruptions (International Organization for Standardization, 2021).
b) Disaster Recovery Plans
- Focus on technology recovery strategies, ensuring IT systems can be restored quickly following cyberattacks, system failures, or natural disasters.
- Implement backup and redundancy measures to mitigate data loss and ensure seamless recovery (National Institute of Standards and Technology, 2022).
c) Crisis Management
- Establish dedicated crisis response teams trained to coordinate decision-making and communication during emergencies.
- Develop structured communication plans to ensure timely and accurate information flow to stakeholders.
d) Change Management
- Identify and mitigate risks associated with organizational changes, mergers, and new system implementations.
- Implement robust testing and validation processes before deploying new technologies or operational structures (ISACA, 2022).
e) Cyber and Technology Risk Management
- Implement cybersecurity controls aligned with OSFI’s Guideline B-13, which sets expectations for cyber risk management.
- Enhance threat detection capabilities using advanced analytics and artificial intelligence to identify and respond to cyber threats proactively (Cybersecurity and Infrastructure Security Agency, 2023).
f) Third-Party Risk Management
- Ensure that critical third-party service providers adhere to stringent operational standards, as outlined in OSFI’s Guideline B-10.
- Establish contractual agreements that include resilience expectations, regular audits, and incident response coordination.
g) Data Risk Management
- Maintain data integrity, security, and availability through comprehensive data governance policies.
- Ensure compliance with data protection regulations, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), to safeguard sensitive information.
Who Does It Impact?
Guideline E-21 applies to all federally regulated financial institutions (FRFIs) in Canada, including:
- Banks and federal credit unions
- Foreign bank branches operating within Canada
- Insurance companies
The guideline therefore covers institutions of very different sizes, from large multinational banks to smaller, regionally focused entities. To account for differences in operational complexity and risk exposure, OSFI applies the guideline proportionately, allowing institutions to implement resilience measures that fit their size, risk profile and business model (OSFI, 2023).
Third-party service providers working with FRFIs, particularly those supporting critical operations, are also indirectly affected. The guideline places the obligation on the FRFI, which must in turn obtain, through contracts and oversight, the resilience assurances from its providers that E-21 expects for the operations they support (Financial Stability Board, 2023).
Importance of Guideline E-21
Safeguarding Financial Stability
The guideline plays a pivotal role in enhancing the resilience of Canada’s financial sector. By mandating comprehensive risk management measures, it ensures that institutions can navigate disruptions without jeopardizing the broader economy. A resilient financial sector protects consumers, businesses, and the government from the cascading effects of operational failures (Bank for International Settlements, 2022).
Protecting Stakeholders
Operational failures can have far-reaching consequences for customers, employees, and investors. E-21 emphasizes stakeholder protection by prioritizing the continuity of critical services. Ensuring operational resilience fosters trust and confidence in the financial system, reducing the likelihood of panic during crises (FSB, 2023).
Adapting to Emerging Risks
In today’s interconnected world, risks are more dynamic than ever, requiring financial institutions to be vigilant and well-prepared for various threats. Cyberattacks have become increasingly sophisticated, necessitating robust cybersecurity measures and rapid incident response capabilities (Cybersecurity and Infrastructure Security Agency, 2023). Supply chain disruptions also pose significant risks, making it essential for institutions to assess third-party dependencies and implement contingency plans to mitigate vulnerabilities (OSFI, 2023). Additionally, climate-related risks, such as extreme weather events and environmental changes, demand adaptive business continuity planning to ensure operational resilience (Financial Stability Board, 2023). Furthermore, pandemics and public health crises, as demonstrated by COVID-19, highlight the importance of flexible and scalable crisis management frameworks to maintain service continuity during global health emergencies (World Health Organization, 2022). Given these evolving threats, financial institutions must adopt proactive strategies to safeguard their operations and ensure long-term stability.
Interplay between E-21, DORA, and FCA/PRA’s Operational Resilience Framework
A detailed analysis of cross-border regulatory frameworks, emerging technology risks, and their implications for financial institutions.
Framework Interplay
Guideline E-21 aligns with DORA (Digital Operational Resilience Act) and the FCA/PRA’s Operational Resilience framework, ensuring a consistent approach to resilience across jurisdictions:
- DORA (Regulation (EU) 2022/2554): Mandates digital operational resilience for financial entities in the EU, with detailed requirements for ICT risk management, ICT incident reporting, resilience testing and oversight of ICT third-party providers. The EU subsidiaries of Canadian banks fall within its scope and must meet DORA's requirements alongside OSFI's.
- FCA/PRA Framework: Requires UK financial institutions to set impact tolerances and conduct scenario testing—similar to E-21’s resilience expectations. Canadian banks with UK operations must adhere to both regulatory standards to ensure cross-border compliance.
Cross-Border Implications for Canadian Banks
- Dual Compliance Requirements: Banks with EU/UK subsidiaries must reconcile OSFI’s principles with DORA’s ICT risk framework and FCA/PRA’s resilience mandates.
- Data Localization Challenges: Resilience arrangements built under E-21, such as cross-border backups, failover to another region or use of a global cloud provider, must also satisfy GDPR and UK data protection requirements on where and how personal data is transferred, which constrains cloud architecture and third-party risk management choices.
- Stress Testing Alignment: OSFI’s severe but plausible scenario testing mirrors UK/EU standards, necessitating integrated resilience testing for cross-border entities.
Integration with AI and Emerging Technology Risks
Governing AI/ML-driven Processes in Resilience Planning
- Establish AI governance frameworks to ensure explainability, robustness, and bias mitigation in AI-driven decision-making.
- Develop resilience strategies that account for AI model drift, adversarial attacks, and system dependencies.
Linking OSFI’s Guideline B-13 to AI Risk Mitigation
- Guideline B-13 sets OSFI's expectations for technology and cyber risk management; those expectations apply to the systems that train, host and serve AI models as they do to any other technology asset.
- Integrate AI risk assessments into enterprise risk management frameworks to ensure models function reliably under operational stress.
Third-Party and Outsourcing Risk Updates
Monitoring Third-Party Resilience under E-21
- Cloud Computing Risks: OSFI B-10 aligns with EBA’s Outsourcing Guidelines and PRA SS2/21, requiring assessment of vendor concentration risks and implementation of contractual resilience requirements.
- Third-Party Due Diligence: Conduct real-time risk monitoring, periodic audits, and enforce contractual obligations to ensure service continuity.
- Operational Continuity Tests: Validate backup arrangements and incident response readiness through regular third-party resilience testing.
Climate and ESG Resilience Considerations
- Aligning Business Continuity Strategies: Incorporate climate risk stress testing into business continuity and disaster recovery frameworks.
- OSFI’s Climate Risk Management Guidance (Guideline B-15): Expects FRFIs to assess physical and transition climate risks, including the effect of extreme weather events on operational resilience.
- TCFD-Aligned Scenario Analyses: Integrate climate scenario analyses into operational risk management processes.
Regulatory Supervision and Enforcement
Consequences of Non-Compliance with E-21 by 2026
OSFI guidelines are not statutes carrying fixed fines; non-compliance is addressed through OSFI’s supervisory framework. Possible consequences include:
- Supervisory actions, capital add-ons, or other intervention measures against non-compliant FRFIs.
- Additional disclosure or remediation requirements, and in serious cases restrictions on an institution’s activities, where tolerances for disruption are not met.
- Heightened regulatory scrutiny, which can affect supervisory risk ratings, funding costs, and investor confidence.
Comparing OSFI’s Resilience Testing to FCA’s Impact Tolerances
- OSFI’s severe but plausible scenario testing mirrors FCA’s impact tolerance assessments to ensure timely recovery of critical functions.
- FCA requires self-assessments and board attestations for operational resilience, while OSFI demands documented evidence of compliance.
- Both frameworks emphasize third-party resilience testing to mitigate supply chain and outsourcing risks.
Timeline E-21 (Where are we?)
Immediate Compliance
Establish governance structures and initiate operational risk management frameworks.
Intermediate Milestones
Implement and test operational resilience plans, ensuring alignment with impact tolerances.
Full Compliance Deadline
All FRFIs must demonstrate operational resilience across critical functions.
As the September 2026 compliance deadline approaches, institutions must adopt a proactive resilience strategy. By doing so, they will safeguard financial stability, protect stakeholders, and enhance trust in Canada’s financial sector.