Operational Resilience in Canada
Guideline E-21
Enhancing Operational Resilience in Financial Institutions
OSFI’s Guideline E-21 provides a comprehensive basis for operational risk management and for improving the resilience of federally regulated financial institutions (FRFIs). Its main objective is to strengthen FRFIs’ ability to plan for, adapt to, withstand, and recover and resume operations from operational disruptions, so that critical operations continue and the stability of the Canadian financial system is supported (OSFI, 2023).
Introducing the guideline is a pre-emptive step by OSFI to address the rising risks facing FRFIs, such as cyber threats, technology outages, pandemics, and physical events (OSFI, 2023). By adopting the principles of the new Guideline E-21, institutions can build operational resilience and maintain Canadians’ confidence in the stability of the financial system (Bank of Canada, 2022).
What is Guideline E-21?
In simple terms, Guideline E-21 is about equipping financial institutions with the tools and methodologies needed to manage operational risk effectively. Operational risk covers a wide range of risks arising from failed or inadequate internal processes, people and systems, or from external events such as cyber-attacks or supply-chain interruptions, as described by the Basel Committee on Banking Supervision (2021).
To enhance resilience, the guideline requires institutions to:
- Identify and prioritize critical operations to ensure business continuity.
- Implement proactive risk management measures that anticipate and mitigate potential disruptions.
- Define tolerances for disruption and establish comprehensive recovery plans.
- Foster a culture of preparedness, adaptability, and continuous improvement.
This guideline represents OSFI’s commitment to reinforcing the financial system’s robustness against ever-evolving threats. It aligns with global standards such as the Basel Committee on Banking Supervision’s Principles for Operational Resilience and the Financial Stability Board’s guidance on third-party risk management (FSB, 2023).
Key Requirements of Guideline E-21
1. Governance and Accountability
A strong governance framework is essential for effective operational resilience. Institutions must:
- Adopt a governance structure that clearly defines roles and responsibilities for managing operational risks.
- Ensure senior management and boards oversee resilience initiatives and align them with the institution’s strategic objectives and risk appetite (OSFI, 2023).
- Establish independent risk functions to provide an additional layer of oversight and ensure governance structures remain effective.
- Implement internal audit mechanisms to assess the effectiveness of risk management strategies and identify areas for improvement (Institute of Internal Auditors, 2022).
2. Operational Risk Management Framework
Institutions are required to maintain an enterprise-wide framework that integrates operational risk management into decision-making processes. This includes:
- Conducting risk and control self-assessments (RCSAs) to proactively identify vulnerabilities (Bank for International Settlements, 2022).
- Utilizing key risk indicators (KRIs) to monitor operational risks in real time and respond to emerging threats.
- Performing scenario analyses to evaluate potential disruptions and test the effectiveness of mitigation strategies.
- Ensuring regular updates and reviews of the framework to adapt to new risks and regulatory developments (OSFI, 2023).
3. Operational Resilience
Operational resilience extends beyond traditional risk management by focusing on an institution’s ability to deliver critical services despite disruptions. To achieve this, financial institutions must:
- Map dependencies, including internal processes, technology systems, third-party vendors, and key personnel.
- Define impact tolerances, establishing the maximum acceptable level of disruption for critical operations (Financial Stability Board, 2023).
- Develop contingency plans that outline response protocols, escalation procedures, and alternative service delivery mechanisms.
- Conduct stress testing under severe but plausible scenarios to assess resilience and identify potential weaknesses.
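The four steps above (map dependencies, set impact tolerances, plan contingencies, test severe but plausible scenarios) are easier to reason about with a concrete model. The following is an added example, not code from OSFI or from the original page: a small dependency map for a hypothetical institution, where each node may have an alternate with a failover time, and a scenario runner that propagates an outage through the map and reports which critical operations breach their impact tolerance. It also flags third parties that several critical operations depend on, the vendor concentration risk that the third-party section later mentions. All node names, tolerances and outage durations are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Node:
    """One mapped dependency: an internal system, a third party, a site or a team."""
    name: str
    kind: str                        # "system", "third_party", "facility", "people"
    depends_on: Tuple[str, ...] = ()
    alternate: Optional[str] = None  # node that can take over if this one fails
    failover_minutes: int = 0        # time needed to switch to the alternate


@dataclass(frozen=True)
class CriticalOperation:
    name: str
    tolerance_minutes: int           # impact tolerance: longest outage the institution accepts
    depends_on: Tuple[str, ...]


def _base_downtime(name, nodes, outages, memo, visiting):
    """Downtime of a node ignoring its own alternate: its own outage or its worst upstream."""
    key = ("base", name)
    if key in memo:
        return memo[key]
    if name in visiting:
        raise ValueError(f"dependency cycle through {name}")
    visiting.add(name)
    node = nodes[name]
    upstream = max((effective_downtime(d, nodes, outages, memo, visiting)
                    for d in node.depends_on), default=0)
    memo[key] = max(outages.get(name, 0), upstream)
    visiting.discard(name)
    return memo[key]


def effective_downtime(name, nodes, outages, memo=None, visiting=None):
    """Minutes the node is unavailable once failover to its alternate is taken into account."""
    memo = {} if memo is None else memo
    visiting = set() if visiting is None else visiting
    key = ("eff", name)
    if key in memo:
        return memo[key]
    node = nodes[name]
    down = _base_downtime(name, nodes, outages, memo, visiting)
    if down > 0 and node.alternate is not None:
        # Failover only helps once the alternate itself is up; if both are hit, wait for it.
        alt_down = _base_downtime(node.alternate, nodes, outages, memo, visiting)
        down = min(down, alt_down + node.failover_minutes)
    memo[key] = down
    return down


def assess_scenario(ops, nodes, outages):
    """Per critical operation: outage length under the scenario and whether tolerance is breached."""
    memo: dict = {}
    report = {}
    for op in ops:
        outage = max((effective_downtime(d, nodes, outages, memo) for d in op.depends_on), default=0)
        report[op.name] = {"outage_minutes": outage,
                           "tolerance_minutes": op.tolerance_minutes,
                           "breached": outage > op.tolerance_minutes}
    return report


def _upstream(name, nodes, acc):
    for d in nodes[name].depends_on:
        if d not in acc:
            acc.add(d)
            _upstream(d, nodes, acc)
    return acc


def concentration_risks(ops, nodes, kind="third_party", min_ops=2):
    """Nodes of the given kind that several critical operations rely on, directly or transitively."""
    users: Dict[str, Set[str]] = {}
    for op in ops:
        reach: Set[str] = set(op.depends_on)
        for d in op.depends_on:
            _upstream(d, nodes, reach)
        for n in reach:
            if nodes[n].kind == kind:
                users.setdefault(n, set()).add(op.name)
    return {n: sorted(v) for n, v in users.items() if len(v) >= min_ops}


# Constructed sample dependency map for a hypothetical institution (not real data).
NODES = {n.name: n for n in [
    Node("cloud-region-a", "system", alternate="cloud-region-b", failover_minutes=45),
    Node("cloud-region-b", "system", alternate="cloud-region-a", failover_minutes=45),
    Node("core-banking", "system", depends_on=("cloud-region-a",)),
    Node("fraud-screening-vendor", "third_party"),
    Node("card-network-vendor", "third_party"),
    Node("payments-gateway", "system", depends_on=("core-banking", "fraud-screening-vendor")),
    Node("card-auth-service", "system",
         depends_on=("core-banking", "fraud-screening-vendor", "card-network-vendor")),
]}
OPERATIONS = [
    CriticalOperation("retail-payments", 120, ("payments-gateway",)),
    CriticalOperation("card-purchases", 60, ("card-auth-service",)),
    CriticalOperation("online-banking-login", 240, ("core-banking",)),
]
# Severe but plausible scenarios (constructed): node -> minutes down.
SCENARIOS = {
    "primary cloud region lost for 8h": {"cloud-region-a": 480},
    "fraud vendor outage 3h": {"fraud-screening-vendor": 180},
    "both regions hit, secondary back after 90m": {"cloud-region-a": 480, "cloud-region-b": 90},
}

if __name__ == "__main__":
    for title, outages in SCENARIOS.items():
        print(f"== {title}")
        for op, r in assess_scenario(OPERATIONS, NODES, outages).items():
            flag = "BREACH" if r["breached"] else "ok"
            print(f"  {op:22s} {r['outage_minutes']:4d} / {r['tolerance_minutes']:4d} min  {flag}")
    print("== concentration:", concentration_risks(OPERATIONS, NODES))
```

Running it shows the kind of finding a tolerance exercise is meant to surface: an eight-hour loss of the primary cloud region is absorbed by the 45-minute failover, but a three-hour outage at the fraud-screening vendor, which has no alternate and sits under two critical operations, breaches both of their tolerances. The model deliberately ignores degraded modes and partial capacity; a real exercise would add those, and would take the tolerances from the board-approved values rather than constants in code.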
4. Key Areas for Strengthening Resilience
To comply with Guideline E-21, financial institutions should strengthen resilience in the following key areas:
a) Business Continuity Management
- Develop and maintain business continuity plans that enable institutions to recover swiftly from operational interruptions.
- Conduct regular business impact analyses (BIAs) to assess the potential consequences of disruptions (International Organization for Standardization, 2021).
b) Disaster Recovery Plans
- Focus on technology recovery strategies, ensuring IT systems can be restored quickly following cyberattacks, system failures, or natural disasters.
- Implement backup and redundancy measures to mitigate data loss and ensure seamless recovery (National Institute of Standards and Technology, 2022).
c) Crisis Management
- Establish dedicated crisis response teams trained to coordinate decision-making and communication during emergencies.
- Develop structured communication plans to ensure timely and accurate information flow to stakeholders.
d) Change Management
- Identify and mitigate risks associated with organizational changes, mergers, and new system implementations.
- Implement robust testing and validation processes before deploying new technologies or operational structures (ISACA, 2022).
e) Cyber and Technology Risk Management
- Implement cybersecurity controls aligned with OSFI’s Guideline B-13, which sets expectations for cyber risk management.
- Enhance threat detection capabilities using advanced analytics and artificial intelligence to identify and respond to cyber threats proactively (Cybersecurity and Infrastructure Security Agency, 2023).
f) Third-Party Risk Management
- Ensure that critical third-party service providers adhere to stringent operational standards, as outlined in OSFI’s Guideline B-10.
- Establish contractual agreements that include resilience expectations, regular audits, and incident response coordination.
g) Data Risk Management
- Maintain data integrity, security, and availability through comprehensive data governance policies.
- Ensure compliance with data protection regulations, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), to safeguard sensitive information.
WHO DOES IT IMPACT?
Because the guidance is principles-based, it covers a wide range of financial institutions, from large multinational banks to smaller regional organizations. Institutions differ in operational complexity and inherent risk, so the Office of the Superintendent of Financial Institutions (OSFI) designed the guideline to be scalable: each institution is expected to take resilience actions proportionate to the complexity and inherent risk of its organization and business model (OSFI, 2023).
Third-party service providers to federally regulated financial institutions (FRFIs), in particular those that perform functions critical to operations, can also be indirectly affected. FRFIs will expect these providers to align their own operational resilience practices with the requirements outlined in E-21 so that service continuity is maintained (Financial Stability Board, 2023).
Guideline E-21 applies to all federally regulated financial institutions (FRFIs) in Canada, including:
- Insurance companies
- Banks and federal credit unions
- Foreign bank branches operating within Canada
Importance of Guideline E-21
Safeguarding Financial Stability
Adherence to the guideline plays a key role in enhancing the resilience of Canada’s financial sector. By setting robust expectations for risk management, it ensures that financial institutions are prepared to absorb shocks without amplifying systemic risk across the broader economy. A stable financial sector protects consumers, businesses, and governments from the consequences of an institution’s failure or default (Bank for International Settlements, 2022).
Protecting Stakeholders
Operational failures can have severe consequences for all stakeholders, including customers, staff and investors. E-21 therefore treats the protection of stakeholder interests as crucial and gives the operational continuity of essential services top priority. Operational resilience builds trust and confidence in the financial system and reduces the likelihood of general panic in times of crisis (FSB, 2013).
Adapting to Emerging Risks
In today’s interconnected world, threats are increasingly fluid, and organizations must be prepared to respond to a wide range of risks. Cyber-attacks are growing in complexity, demanding strong cybersecurity and rapid response capability (Cybersecurity and Infrastructure Security Agency, 2023). Supply-chain disruptions introduce significant risk, so organizations should analyze their reliance on third parties and plan for how to manage those dependencies in a crisis (Office of the Superintendent of Financial Institutions, 2023). Climate risks from extreme weather events and environmental change require adaptable business continuity planning to sustain operational resilience over the long term (Financial Stability Board, 2023). The impact of a pandemic such as COVID-19, and of other public health crises, highlights the need for flexible and scalable crisis management approaches that maintain continuity of services during global health emergencies (World Health Organization, 2022). In the face of these evolving risks, organizations must take preventative steps to protect their operations and ensure ongoing stability.
Interplay between E-21, DORA, and FCA/PRA’s Operational Resilience Framework
A detailed analysis of cross-border regulatory frameworks, emerging technology risks, and their implications for financial institutions.
Framework Interplay
Guideline E-21 aligns with DORA (Digital Operational Resilience Act) and the FCA/PRA’s Operational Resilience framework, ensuring a consistent approach to resilience across jurisdictions:
- DORA: Mandates digital resilience in EU financial entities, emphasizing ICT risk management and third-party oversight. Canadian banks operating in the EU must integrate DORA’s cybersecurity and incident reporting mandates into their operations.
- FCA/PRA Framework: Requires UK financial institutions to set impact tolerances and conduct scenario testing—similar to E-21’s resilience expectations. Canadian banks with UK operations must adhere to both regulatory standards to ensure cross-border compliance.
Cross-Border Implications for Canadian Banks
- Dual Compliance Requirements: Banks with EU/UK subsidiaries must reconcile OSFI’s principles with DORA’s ICT risk framework and FCA/PRA’s resilience mandates.
- Data Localization Challenges: E-21’s operational resilience approach must align with GDPR and UK data protection laws, affecting cloud services and third-party risk management.
- Stress Testing Alignment: OSFI’s severe but plausible scenario testing mirrors UK/EU standards, necessitating integrated resilience testing for cross-border entities.
Integration with AI and Emerging Technology Risks
Governing AI/ML-driven Processes in Resilience Planning
- Establish AI governance frameworks to ensure explainability, robustness, and bias mitigation in AI-driven decision-making.
- Develop resilience strategies that account for AI model drift, adversarial attacks, and system dependencies.
Linking OSFI’s Guideline B-13 to AI Risk Mitigation
- Guideline B-13’s technology and cyber risk expectations extend to AI-driven operations, which FRFIs must protect against cybersecurity threats like any other technology asset.
- Integrate AI risk assessments into enterprise risk management frameworks to ensure models function reliably under operational stress.
Third-Party and Outsourcing Risk Updates
Monitoring Third-Party Resilience under E-21
- Cloud Computing Risks: OSFI B-10 aligns with EBA’s Outsourcing Guidelines and PRA SS2/21, requiring assessment of vendor concentration risks and implementation of contractual resilience requirements.
- Third-Party Due Diligence: Conduct real-time risk monitoring, periodic audits, and enforce contractual obligations to ensure service continuity.
- Operational Continuity Tests: Validate backup arrangements and incident response readiness through regular third-party resilience testing.
Climate and ESG Resilience Considerations
- Aligning Business Continuity Strategies: Incorporate climate risk stress testing into business continuity and disaster recovery frameworks.
- OSFI’s Climate Risk Management Guidance: Guideline B-15 requires FRFIs to assess physical and transition risks, so that operations remain resilient against extreme weather events.
- TCFD-Aligned Scenario Analyses: Integrate climate scenario analyses into operational risk management processes.
Regulatory Supervision and Enforcement
Penalties for Non-Compliance with E-21 by 2026
- OSFI may impose supervisory actions, capital add-ons, or enforcement measures against non-compliant FRFIs.
- Institutions failing to meet impact tolerances risk public disclosure requirements or licensing restrictions.
- Heightened regulatory scrutiny could affect risk ratings, funding costs, and investor confidence.
Comparing OSFI’s Resilience Testing to FCA’s Impact Tolerances
- OSFI’s severe but plausible scenario testing mirrors FCA’s impact tolerance assessments to ensure timely recovery of critical functions.
- FCA requires self-assessments and board attestations for operational resilience, while OSFI demands documented evidence of compliance.
- Both frameworks emphasize third-party resilience testing to mitigate supply chain and outsourcing risks.
Timeline E-21 (Where are we?)
Immediate Compliance
Establish governance structures and initiate operational risk management frameworks.
Intermediate Milestones
Implement and test operational resilience plans, ensuring alignment with impact tolerances.
Full Compliance Deadline
All FRFIs must demonstrate operational resilience across critical functions.
As the September 2026 compliance deadline approaches, institutions must adopt a proactive resilience strategy. By doing so, they will safeguard financial stability, protect stakeholders, and enhance trust in Canada’s financial sector.