Canada’s Office of the Superintendent of Financial Institutions – OSFI – is the latest in a long list of governing bodies to publish new requirements for operational resilience.

Guideline E-21 was published on August 22, 2024, and OSFI expects full adherence from federally regulated financial institutions (FRFIs) by September 1, 2026. FRFIs include Canadian banks and insurance companies, as well as their foreign counterparts with operations in Canada.

Like other operational resilience regulations, the goal is to help financial institutions enhance their ability to prevent, detect, respond to, and recover from adverse events, while continuing to deliver critical operations. OSFI’s version combines elements of enterprise risk management with business continuity to comprehensively strengthen resilience.

While the guideline introduces new requirements, it largely builds upon existing practices. To fully comply, you will need to collaborate across risk and resilience teams to establish a clear operational risk management framework.

The good news is that most organizations should already have the basic pieces of this puzzle. Start there and then use the guideline as a structured framework to enhance and validate resilience.

The Four Pillars of OSFI Guideline E-21

Guideline E-21 establishes expectations for operational risk and resilience in four main areas:

Governance. The guideline notes that senior management should be responsible for developing, implementing, and overseeing an effective operational risk management framework and resilience approach, ensuring clear accountability, adequate resources, and a strong risk culture. Business and central functions must manage operational risks and escalate issues appropriately. Additional guidelines are included for independent oversight and internal audit functions.

Operational Risk Management. Firms should have an effective operational risk management framework, which includes a defined risk appetite, policies, monitoring tools, and assessment methods to manage risks related to people, processes, systems, and external events. Regular reviews, monitoring, and reporting should be in place alongside escalation to inform senior management and the board of significant concerns.

Operational Resilience. Firms should identify and map critical operations, assess dependencies, and ensure they can withstand severe but plausible disruptions within set tolerances. Regular scenario testing, including simulations and coordination with third parties, should be in place to refine resilience strategies and improve the ability to manage crises effectively.

Key Areas of Operational Risk Management That Strengthen Operational Resilience. To support operational resilience, firms should also adhere to the outlined expectations for additional risk management disciplines including business continuity, disaster recovery, crisis management, change management, technology and cyber risk, third-party risk, and data risk.

How to Prepare for OSFI Guideline E-21

Here are five steps to help you meet these requirements:

1. Establish a cross-discipline committee. Guideline E-21 emphasizes how various risk disciplines are needed to strengthen resilience. Start by designating an organizational leader to head a compliance committee and spearhead communication between GRC, IT, and business continuity teams.

2. Conduct a gap analysis. Take stock of your current risk programs by reviewing the policies and procedures of your operational risk, business continuity, disaster recovery, third-party risk, technology risk, crisis management, and data governance programs against the new requirements. Determine which requirements are already met and which need further development, then create a clear action plan using Guideline E-21 as validation.

3. Strengthen risk governance and oversight. Establish clear roles, responsibilities, and accountability across senior management, business units, and risk functions. Provide training, improve risk reporting for clarity, and allow oversight functions to challenge practices and ensure adherence to your defined risk appetite and tolerances.

4. Map and assess critical operations. Identify critical operations – also known as important business services – and their dependencies (internal and external), map vulnerabilities, and establish tolerances for disruption. You should regularly review and update these assessments with the input of leadership to align with evolving risks and business priorities.

5. Develop and test resilience frameworks. Establish or enhance operational resilience frameworks to support the continuity of your critical operations and integrate business continuity, disaster recovery, and crisis management. Conduct scenario testing and business continuity plan exercises to prove the effectiveness of your preparedness under severe but plausible disruptions.

With the September 2026 deadline looming, now is the time for you to assess capabilities and refine your strategies. A strong, well-integrated approach to operational resilience will not only help you meet regulatory expectations but also safeguard your operations, protect stakeholders, and enhance your long-term stability.

For the latest information on new and existing operational resilience legislation, download our white paper, Operational Resilience: Navigating the Global Regulatory Landscape, and check out Riskonnect’s Business Continuity & Resilience consulting services for compliance support.