
Kickstarting the Resilience Readiness Series: What to Expect






In a time of rising uncertainty—whether from economic shifts, cyber threats, climate events, or operational disruptions—resilience is more than just a buzzword. It’s a core capability. Our goal is to break down the concept of resilience into actionable areas of assessment, planning, and monitoring, aligned with evolving industry expectations, in particular financial services within Canada. Each post will explore how risk functions can meaningfully contribute to strengthening an institution’s ability to absorb shocks, adapt to change, and continue to deliver critical financial services under a range of scenarios.


Why Now?

The business environment in which we are currently operating is evolving rapidly. For Federally Regulated Financial Institutions (FRFIs), OSFI’s strategic shift toward risk-based, principles-focused oversight includes a significant emphasis on resilience. The release of Guideline E-21: Operational Resilience, the updated B-10: Third-Party Risk Management, and the intensified focus on operational resilience reflect OSFI’s intent to ensure that institutions can withstand, recover, and adapt to stress events—without relying solely on regulatory intervention. These principles can easily be transferred to other industries.

Risk professionals are in a pivotal position to embed resilience thinking across the organization. But where to begin?


Key OSFI Guidance on Resilience

Throughout this series, we’ll explore how to apply OSFI’s guidance in practical ways, including:

  • Operational Resilience (Guideline E-21): This foundational guideline outlines expectations around identifying critical operations, mapping dependencies, setting impact tolerances, and testing for disruptions.

  • Third-Party Risk Management (Guideline B-10): Resilience is only as strong as your weakest link. We'll assess how to evaluate external partners and integrate third-party disruptions into broader resilience planning.

  • Technology and Cyber Risk (Guideline B-13): Resilience is digital, and cyber threats are front and centre. This includes requirements for cyber event reporting, business continuity, and IT recovery.

  • Recovery Planning (OSFI’s Recovery Planning Expectations): Recovery planning is not just a check-the-box exercise. It’s an essential tool to assess institutional resilience under idiosyncratic and systemic stress scenarios, including capital, liquidity, and operational disruptions.

  • Climate Risk (OSFI B-15): Climate change is an amplifying risk. We'll discuss how to embed climate resilience in risk and operational assessments.


Because OSFI guidance is principle-based, these topics are easily transferred to businesses of any size in any industry.


What to Expect from This Series

Each blog will focus on a practical aspect of resilience assessment:

  • How to identify resilience vulnerabilities using risk and control self-assessments (RCSAs)

  • Building scenario-based stress testing for resilience, beyond traditional capital scenarios

  • Aligning business continuity, incident response, and recovery planning

  • Governance and Board engagement in resilience oversight

  • Integrating resilience into risk appetite frameworks


A Call to Action for Risk Leaders

Risk professionals are the connective tissue across any organization. You understand operational interdependencies, emerging threats, and the nuances of regulatory compliance. This series is your guide to turning that knowledge into a structured, proactive resilience agenda.

Whether you’re enhancing your institution’s recovery plan or embedding resilience into day-to-day risk management, this series will equip you with insight and tools tailored for Canada’s regulatory context.

Stay tuned for our next post: “Operational Resilience in Action: What OSFI’s E-21 Means for Risk Professionals”.





© 2025 by Vigilant Risk and Governance Solutions
