OSFI's Guideline E-21: Ensuring Operational Resilience, Risk Management and Compliance in Canadian Financial Institutions


When a major Canadian financial institution suffers a cyberattack, its operations can be crippled for days. In 2023, Canadian banks saw a surge in "priority one" cyberattacks, with the number of incidents nearly tripling in a single year. These high-impact breaches cause major disruptions and data leaks, posing serious risks to financial institutions and their customers. To address these risks, the Office of the Superintendent of Financial Institutions (OSFI) has updated its Guideline E-21, setting out expectations for how institutions prepare for, withstand, and recover from significant incidents. This gives the regulator visibility into how institutions manage operational risk and ensures that banks take the measures needed to protect themselves and their clients.

The cascading effects of such breaches on customers, markets, and other financial entities highlight the critical need for robust operational resilience. Cyberattacks can prevent customers from accessing their accounts and phishing attacks can expose sensitive information, eroding trust and destabilizing the financial sector.

In this post, you'll learn the essentials of operational resilience for Canadian financial institutions and why it is crucial for industry stability, and how the guideline helps safeguard the financial system, support compliance, and strengthen risk management practices.

What is operational resilience?

The Office of the Superintendent of Financial Institutions in Canada has set specific expectations for operational resilience through OSFI Guideline E-21. Operational resilience refers to how Canadian financial institutions prepare for, withstand, and recover from unexpected disruptions like cyberattacks, natural disasters, or other significant failures.

The July 2024 CrowdStrike outage, in which a faulty content update to the Falcon sensor crashed Windows hosts worldwide and disrupted airlines, hospitals, and banks, is a stark reminder of why operational resilience matters. Notably, that event was a vendor software defect rather than an attack, which is exactly why resilience expectations extend beyond cyber threats to third-party and change-management failures. Financial institutions in particular must be prepared to handle such unexpected events to maintain stability and trust. OSFI E-21 provides a structured approach to managing these risks, ensuring that institutions have frameworks in place to quickly identify, assess, and mitigate the impact of such incidents.

Guideline E-21 covers the main components of operational risk management, including business continuity, disaster recovery, crisis management, and data protection. By following it, institutions can maintain operational continuity, protect their clients' interests, and comply with Canadian financial regulation.

Guideline E-21 also aligns with broader international efforts such as the EU's Digital Operational Resilience Act (DORA), reflecting the importance of staying resilient in a digital age. OSFI's E-21 updates and effective dates ensure that financial institutions keep pace with current regulatory requirements, reinforcing the stability and reliability of Canada's financial system.

What is OSFI?

OSFI (Office of the Superintendent of Financial Institutions) is an independent agency of the Government of Canada. It oversees and regulates federally regulated financial institutions (FRFIs), including banks, insurance companies, and pension plans. OSFI’s primary mission is to protect the rights and interests of depositors, policyholders, and pension plan members, while also contributing to the stability of the Canadian financial system.

One of OSFI’s key initiatives is the implementation of OSFI Guideline E-21. This guideline sets expectations for operational resilience, helping institutions better prepare for and respond to crises, ensuring the continued trust and stability of the financial system.

What is the OSFI Guideline E-21?

Operational disruptions can have severe consequences for financial institutions, affecting their ability to serve customers and maintain market stability. The OSFI E-21 Guideline provides a roadmap for strengthening resilience and managing risks by setting expectations for operational risk management applicable to all FRFIs (federally regulated financial institutions) in Canada.

OSFI E-21 sets clear expectations to help organizations handle non-financial risks by consolidating and modernizing OSFI’s guidance on operational risk management. This ensures that institutions can maintain essential functions even in the face of significant challenges.

OSFI's Guideline E-21 establishes a comprehensive framework and standards for managing operational risk across all federally regulated financial institutions. The framework, which distinguishes "1a" and "1b" risk management, scales its expectations to the varying size and complexity of these institutions, so that both large and small institutions can manage their operational resilience effectively.


Which banks are regulated by OSFI?

The Office of the Superintendent of Financial Institutions (OSFI) regulates all federally incorporated financial institutions in Canada, including major banks like the Royal Bank of Canada (RBC), Toronto-Dominion Bank (TD), Bank of Nova Scotia (Scotiabank), and Bank of Montreal (BMO). OSFI also regulates insurance companies, as well as federally regulated trust and loan companies.

The benefits of E-21 for Canadian financial institutions

By adhering to the E-21 Guideline, Canadian financial institutions can maintain compliance with regulatory standards and protect the interests of their stakeholders. The framework helps institutions manage day-to-day operations more effectively and prepares them for unforeseen disruptions, fostering a stable and resilient financial system in Canada.

Key benefits of Guideline E-21:

Enhanced operational resilience: strengthens the ability to prepare for, respond to, and recover from disruptions.
Improved risk management: provides a comprehensive framework for identifying, assessing, and mitigating operational risks.
Regulatory compliance: ensures alignment with OSFI's expectations and international standards, minimizing the risk of penalties.
Business continuity and crisis management: strengthens the ability to prepare for, respond to, and recover from disruptions.

By following these guidelines, financial institutions can build a more robust operational framework that not only meets regulatory requirements but also strengthens their overall resilience and reliability.

OSFI E-21 components and effective dates

The OSFI E-21 update introduces new guidelines to better address operational risk management challenges. Financial institutions must adapt their risk management frameworks according to the following timeline:

Implementation milestones for the updated E-21 Guideline:

December 2023: OSFI releases the final version of the updated E-21 Guideline.
January 2024: Financial institutions begin preparations for compliance with the new requirements.
June 2024: Institutions must complete initial self-assessments and submit compliance reports to OSFI.
December 2024: Full implementation of all E-21 expectations is required, with continuous monitoring and reporting obligations in place.

This timeline ensures that institutions have sufficient time to adapt and comply with the new guidelines, reinforcing their operational resilience and risk management practices.

Digital Operational Resilience Act (DORA) and OSFI E-21

Much like the Digital Operational Resilience Act (DORA) in the EU, the enhanced Guideline E-21 aims to prevent scenarios that disrupt business continuity in the Canadian financial sector. Both regulations ensure that financial institutions can maintain operations and protect stakeholders under adverse conditions.

Comparison of DORA (EU) and OSFI E-21 (Canada):

Aspect        DORA (EU)                     OSFI E-21 (Canada)
Focus         ICT risk management           Holistic operational risk management
Scope         European financial sector     Canadian financial institutions
Key areas     Testing, incident reporting   Business continuity, crisis management, data risk management
Flexibility   Fixed framework               Scalable based on institution size and complexity

Essentially, DORA focuses on ICT risk management, testing, and incident reporting to ensure resilience against digital disruptions. OSFI E-21, on the other hand, covers a broader range of operational risks, including ICT, business continuity, crisis management, change management, and data risk management.

By providing a comprehensive approach, OSFI E-21 allows institutions to tailor their risk management practices according to their specific needs, ensuring the stability and reliability of Canada’s financial system.


How Resolver’s GRC Platform can help you comply with OSFI’s E-21 Guideline

Adhering to OSFI’s Guideline E-21 is crucial for Canadian financial institutions to maintain operational resilience and effective risk management. Resolver’s GRC platform simplifies compliance and reporting, making the process more manageable for financial institutions.

Our platform aggregates risk data from various sources, providing a holistic view of risks so institutions can better understand their risk landscape and make informed decisions. Using advanced analytics, Resolver identifies potential risk areas, predicts future risks, and provides tools to continuously monitor operational risks. This real-time monitoring ensures that institutions can quickly detect and respond to potential threats.

Resolver generates comprehensive reports on risk management activities and outcomes to support decision-making and regulatory compliance. Our software also enhances the ability to respond to and recover from operational disruptions efficiently.

Request a customized demo today to see the full benefits of Resolver’s GRC Software. Learn how we can help you more effectively manage risks and improve your operational resilience. Embrace the benefits of a unified approach to risk management and ensure compliance with OSFI E-21.

This content was originally published on July 10, 2024, and updated for data and content relevancy.
