When a major Canadian financial institution faces a cyberattack, its operations can be crippled for days. In 2023, Canadian banks saw a surge in “priority one” cyberattacks, with incidents nearly tripling in just one year. These high-impact breaches cause major disruptions and data leaks, posing serious risks to financial institutions.
To address vulnerabilities like these, the OSFI E-21 Guideline was implemented by the Office of the Superintendent of Financial Institutions, mandating financial institutions to report significant cyberattacks. This helps regulators monitor vulnerabilities and ensures banks take necessary measures to protect themselves and their clients.
Breaches like these don’t just hit one bank. Their effects cascade through customers, markets, and other institutions, eroding trust and destabilizing the financial sector. To limit that kind of ripple effect, institutions need scenario-based planning and analysis, supported by continuity plans that respond to disruptions, regular exercises and testing, and mapping of the different data points involved.
In this blog, you’ll learn the essentials of operational resilience for Canadian financial institutions and why it’s crucial for industry stability. Discover how these guidelines help safeguard the financial system, ensure compliance, and enhance risk management practices.
What is operational resilience?
The Office of the Superintendent of Financial Institutions in Canada has set specific expectations for operational resilience through OSFI Guideline E-21. Operational resilience refers to how Canadian financial institutions prepare for, withstand, and recover from unexpected disruptions like cyberattacks, natural disasters, or other significant failures.
Under E-21, federally regulated financial institutions (FRFIs) must identify their critical operations, determine how long those services can be disrupted, and regularly test their ability to meet those limits. These activities must be backed by risk programs that connect real threats to actual service impact.
The guidelines cover various aspects of risk management, including business continuity, disaster recovery, crisis management, and data protection. By following these guidelines, institutions can maintain operational continuity, protect their clients’ interests, and comply with Canadian financial regulations.
E-21 broadens the traditional scope of operational risk beyond internal threats alone to include internal control failures, infrastructure outages, vendor issues, geopolitical disruptions, pandemics, and natural disasters. These risks need to be managed through a single, connected approach.
Alongside that shift, the guideline sets new expectations for how institutions manage data. Risk-related data must be accurate, complete, timely, and secure across its full lifecycle. That includes how it’s gathered, stored, shared, and eventually discarded. These requirements apply to any system used to support resilience planning.
To support this wider scope, E-21 replaces several older OSFI documents and brings together key areas under one framework. It introduces requirements for scenario testing, change management, and third-party oversight. Resilience efforts are not just outlined in policy. Now, they need to be documented, tested, and reviewed regularly.
E-21 also works with two related guidelines: B-10, which focuses on third-party risk, and B-13, which covers technology and cyber risk. Taken together, these form a more consistent set of expectations across risk, continuity, and resilience functions.
OSFI’s E-21 updates and effective dates ensure that financial institutions stay current with the latest regulatory compliance requirements, reinforcing the stability and reliability of Canada’s financial system.
What is OSFI?
OSFI (Office of the Superintendent of Financial Institutions) is an independent agency of the Government of Canada. It oversees and regulates federally regulated financial institutions (FRFIs), including banks, insurance companies, and pension plans. OSFI’s primary mission is to protect the rights and interests of depositors, policyholders, and pension plan members, while also contributing to the stability of the Canadian financial system.
One of OSFI’s key initiatives is the implementation of OSFI Guideline E-21. This guideline sets expectations for operational resilience, helping institutions better prepare for and respond to crises, ensuring the continued trust and stability of the financial system.
E-21 brings OSFI’s older guidance together under one updated standard. It covers operational risk, business continuity, and how institutions plan for service disruptions. The expectations scale based on the institution. For instance, a small credit union won’t be held to the same testing requirements as a national bank. But both need to know which services matter most and how long they can be down before serious impact.
What is the OSFI Guideline E-21?
E‑21’s scope extends across seven areas of operational risk management: business continuity, disaster recovery, crisis management, change management, technology and cyber risk, third‑party risk, and data risk. Under business continuity, institutions conduct impact analyses, draft response plans with clear roles and communication steps, and run scenario tests that reflect real threats — long outages, simultaneous failures or vendor breakdowns. Disaster recovery focuses on tech fail‑over processes. Crisis management defines escalation protocols, board alerts and stakeholder updates, followed by lessons‑learned exercises.
Change management governs major shifts — new systems, product launches or market entries — by embedding risk reviews, project controls and post‑implementation metrics. Technology and cyber risk management prepares for network, system or data failures. Third‑party risk assesses vendor resilience, asking third parties to show their own continuity testing. Data risk management makes sure vital data, especially client or proprietary information, remains accurate, available and secure throughout its lifecycle.
E‑21 mandates regular testing that matches each service’s risk level, involves senior leaders in reviewing outcomes and drives concrete improvements. Following these expectations helps FRFIs keep essential functions running when real‑world disruptions occur.
Which banks are regulated by OSFI?
The Office of the Superintendent of Financial Institutions (OSFI) regulates all federally incorporated financial institutions in Canada, including major banks like the Canadian Imperial Bank of Commerce (CIBC), Royal Bank of Canada (RBC), Toronto-Dominion Bank (TD), Bank of Nova Scotia (Scotiabank), and Bank of Montreal (BMO). OSFI also regulates insurance companies, as well as federally regulated trust and loan companies.
The benefits of E-21 for Canadian financial institutions
By adhering to the E-21 Guideline, Canadian financial institutions can maintain compliance with regulatory standards and protect the interests of their stakeholders. The framework helps institutions manage day-to-day operations more effectively and prepares them for unforeseen disruptions, fostering a stable and resilient financial system in Canada.
[Image: four sections outlining key operational strategies: resilience, risk management, compliance, and crisis management.]
By following these guidelines, financial institutions can build a more robust operational framework that not only meets regulatory requirements but also strengthens their overall resilience and reliability.
E-21 pushes teams to work from the same playbook. Risk, compliance, audit, and continuity functions often use different systems and track different metrics. That can slow response times and lead to missed handoffs during an incident. Shared tools and reporting make it easier to spot issues early, coordinate next steps, and avoid duplicated work. It also supports stronger accountability. Teams are expected to track breach events, link them to remediation plans, and follow up across departments until the issue is resolved.
Institutions should also be able to show where thresholds have been breached and demonstrate how that triggered action, not just within one team, but across business units.
OSFI E-21 components and effective dates
The OSFI E-21 update introduces new guidelines to better address operational risk management challenges. Financial institutions must adapt their risk management frameworks according to the following timeline:
[Image: a timeline outlining key dates for the OSFI E-21 Guideline updates and compliance requirements for financial institutions.]
This timeline ensures that institutions have sufficient time to adapt and comply with the new guidelines, reinforcing their operational resilience and risk management practices.
OSFI released final Guideline E‑21 on August 22, 2024. By September 1, 2025, institutions must fully meet the requirements. Any gaps from the 2016 operational risk guideline should be closed by then. Full adherence to the entire guideline is due September 1, 2026, even though resilience programs will continue maturing. Senior leaders must oversee testing, review results and drive improvements; documentation alone won’t pass muster.
Here’s how the timeline breaks down:
- Governance and Executive Oversight: By September 1, 2025, senior leadership should set direction, approve disruption tolerances and keep active support in place for operational risk and resilience programs.
- Operational Risk Management Requirements: Identify critical operations, set maximum downtime limits and tie those thresholds to actual risk exposure by September 1, 2025.
- Resilience Planning and Data Risk Controls: Formalize business continuity, crisis response and data management across departments and third parties. Requirements take effect September 1, 2025.
- Scenario Testing for Critical Operations: Develop a testing methodology and begin exercises using realistic scenarios. By September 1, 2027, testing must cover every critical service. Institutions should have testing under way by the full-implementation date of September 1, 2026.
During the transition period, OSFI will conduct selective supervisory reviews to track each institution’s progress on operational resilience programs and ongoing risk-management practices.
Digital Operational Resilience Act (DORA) and OSFI E-21
Much like the Digital Operational Resilience Act (DORA) in the EU, the enhanced Guideline E-21 aims to prevent scenarios that disrupt business continuity in the Canadian financial sector. Both regulations ensure that financial institutions can maintain operations and protect stakeholders under adverse conditions.
DORA zeroes in on ICT risk, mandating system tests and incident reporting so financial firms can ride out digital failures. OSFI E‑21, by contrast, casts a wider net. It asks Canadian institutions to tackle seven operational risk areas — business continuity, disaster recovery, crisis management, change management, technology and cyber risk, third‑party risk and data risk — so they build resilience across every critical function, not just digital ones.
By providing a comprehensive approach, OSFI E-21 allows institutions to tailor their risk management practices according to their specific needs, ensuring the stability and reliability of Canada’s financial system.
Read more: Diving into the Digital Operational Resilience Act (DORA)
How Resolver’s GRC Platform can help you comply with OSFI’s E-21 Guideline
E‑21 lays out seven areas that banks and credit unions must address — everything from business continuity and crisis response to third‑party oversight and data safeguards — so institutions can keep essential functions running when things go wrong. Resolver’s GRC platform pulls those pieces together: it maps critical operations, schedules and tracks tests, flags gaps and generates reports in a single dashboard. That way, teams spend less time wrestling with spreadsheets and more time tightening resilience across every risk category.
Our platform aggregates risk data from various sources, providing a holistic view of risks so institutions can better understand their risk landscape and make informed decisions. Using advanced analytics, Resolver identifies potential risk areas, predicts future risks, and provides tools to continuously monitor operational risks. This real-time monitoring ensures that institutions can quickly detect and respond to potential threats.
Resolver supports resilience planning by giving teams one place to document incidents, review disruptions, and track progress toward recovery goals. It also simplifies collaboration across departments by reducing manual reporting tasks and bringing together risk and control data in a central platform.
Request a customized demo today to see the full benefits of Resolver’s GRC Software. Learn how we can help you more effectively manage risks and improve your operational resilience. Embrace the benefits of a unified approach to risk management and ensure compliance with OSFI E-21.