OSFI Guideline E-21 addresses operational risk management and operational resilience. It is about how federally regulated financial institutions prepare for and recover from severe disruptive events while managing operational risk across the business.
Official sources
- OSFI Guideline E-21: Operational Risk Management and Resilience
- OSFI backgrounder: Guideline E-21, Operational Risk and Resilience
- OSFI letter releasing final Guideline E-21
OSFI's backgrounder says E-21 sets expectations for financial institutions to prepare for and recover from severe disruptive events. It enhances expectations for operational risk management and adds expectations for operational resilience, business continuity risk, crisis management, change management, and data risk management.
What E-21 is trying to do
E-21 asks institutions to understand what could disrupt operations and how the institution would continue or recover. Operational resilience is not a binder of continuity plans. It is the ability to identify critical operations, map dependencies, test disruption scenarios, and fix gaps.
What the guideline covers
- Operational risk management governance and accountability.
- Critical operations and resilience expectations.
- Business continuity risk management.
- Crisis management.
- Change management and data risk management.
- Scenario testing, remediation, and reporting.
- Third-party and technology dependencies as sources of disruption.
What teams need to operationalize
Teams need to map critical operations to people, process, technology, data, facilities, third parties, and fourth parties. They also need a way to track scenario tests, incidents, lessons learned, open issues, and management reporting. A resilience program is only useful if it can show how dependencies behave under stress.
Evidence to maintain
- Operational risk framework and governance records.
- Critical operations and dependency maps.
- Business continuity and crisis management plans.
- Scenario tests, exercises, findings, and remediation.
- Incident, issue, change, and data-risk records.
- Management and board reporting on resilience posture.
Common gaps
- Critical operations are listed without dependency depth.
- Scenario tests do not involve third-party or technology failure.
- Continuity plans are not updated after provider changes or incidents.
- Operational risk issues and resilience issues are tracked in separate systems.
How Halbarad helps
Halbarad helps institutions connect critical operations to third parties, downstream providers, systems, incidents, issues, tests, and remediation. Continuous Monitoring and Nth-Party Discovery help keep dependency evidence current, while Governance workflows preserve approvals and the audit trail.
Halbarad helps evidence operational resilience work. It does not replace OSFI review or legal interpretation.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.