
Operational Resilience in Action: What OSFI's E-21 means for Risk Professionals

Updated: May 4



When OSFI issued the revised Guideline E-21 (consulted on in 2023 and finalized in 2024 under the title Operational Resilience and Operational Risk Management), it signaled a shift in how Canadian financial institutions are expected to manage not just operational risk, but disruption itself. And if there is anything the last few years have taught us, it is that disruption is not a question of if, but when.

For risk professionals, E-21 isn’t just a compliance exercise—it’s a blueprint for future-proofing operations, reputations, and customer trust. Let’s explore what this guideline really means in practice, and how we can bring operational resilience to life inside our institutions.


Resilience Is More Than a Buzzword

Operational resilience is about an organization’s ability to deliver critical operations through disruption. Not just bouncing back—but continuing to function during a cyberattack, a vendor outage, a flood, or yes, even a recession.

E-21 defines resilience in practical terms. It expects federally regulated financial institutions (FRFIs) to:

  • Identify critical operations that support their most important functions

  • Map dependencies, including third parties and internal resources

  • Assess risks and vulnerabilities, not just to assets but to the delivery of services

  • Test their ability to operate through severe, but plausible, disruptions

  • Develop comprehensive response and recovery strategies

And here’s the kicker: OSFI expects risk and business leaders to treat resilience as a business outcome, not just an IT or business continuity issue.


So What’s New Here?

At first glance, some risk professionals might think, “We’ve done business continuity planning (BCP) for years. Isn’t this the same?” Not quite.

E-21 moves us beyond BCP checklists and siloed incident response. It calls for a fully integrated approach across all three lines of defence. And rather than focusing on the restoration of systems or data, it prioritizes the continuity of critical operations—those essential activities that, if disrupted, would pose a threat to financial stability, market confidence, or customer well-being.


5 Ways Risk Professionals Can Put E-21 Into Action


1. Map Critical Operations Like a Strategist, Not a Technician

Start by identifying your institution’s most critical end-to-end operations, not just from a technical or process view, but from the standpoint of customer impact and systemic importance. Work with the business to map dependencies across people, systems, data flows, and third parties, including the dependencies of those dependencies: a critical operation is only as resilient as the least resilient link in its chain.

Risk teams should partner with business operations and assess each end-to-end operation against two key tests:

  • It is a service or business operation that delivers an outcome to a customer; and

  • Its disruption beyond a certain period would cause intolerable harm to that customer, or to market confidence or financial stability


This step isn’t just operational—it’s strategic. It helps define where your institution’s risk appetite meets its risk capacity.


2. Link Resilience to Risk Appetite and Materiality

Management should set tolerances for disruption: clear, measurable thresholds (for example, maximum outage duration or maximum unprocessed transaction backlog) for how much disruption is acceptable for each critical operation before harm becomes intolerable.

Risk leaders can guide this process by:

  • Helping business lines define impact metrics (e.g., max downtime, transaction backlogs)

  • Embedding these tolerances into the enterprise risk appetite statement

  • Escalating breaches in tolerances through the Enterprise Risk Management (ERM) framework

This isn’t just about risk avoidance—it’s about enabling the business to make informed trade-offs under pressure.


3. Test, Don’t Just Plan

Tabletop exercises and a single annual drill won’t cut it anymore. Effective operational resilience calls for regular testing of resilience capabilities through severe but plausible scenarios, and for testing that the operation actually stays within its tolerance for disruption, not merely that a plan exists.

Use simulated crises—cyberattacks, power outages, third-party failures, regulatory surprises—to:

  • Assess your response plans

  • Stress-test your recovery times

  • Expose coordination gaps between departments

Risk professionals can lead the charge by facilitating cross-functional scenarios and ensuring lessons learned feed directly into control enhancements and policy updates.


4. Bring Third Parties Into the Fold

With so many core operations outsourced—payments, cloud platforms, fraud monitoring—third-party risk is a pillar of resilience.

Effective Operational Resilience underscores the need to:

  • Identify which vendors support critical operations

  • Ensure those vendors have adequate resilience capabilities (and SLAs)

  • Test recovery procedures jointly, where possible

Risk teams must champion more rigorous vendor oversight and push procurement and legal teams to integrate resilience into contracts—not just performance metrics.
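Sections 1, 2 and 4 above describe three related pieces of analysis: mapping the full dependency chain behind each critical operation, setting a tolerance for disruption per operation, and identifying which third parties support which critical operations. The following is an added example (not code from the original post, and not an OSFI artefact) that does all three over a small constructed dependency map for a hypothetical institution. Every operation, system and vendor name, and every tolerance value, is invented for illustration; it also assumes no redundancy or workaround exists, so any failed dependency takes the operation down for the full outage duration, which is the conservative starting assumption for a first mapping exercise.

```python
"""Critical-operation dependency map and tolerance-for-disruption check.

Added example, not part of OSFI E-21 or the original post. All names and
thresholds below are constructed for illustration only.
"""
from collections import deque

# Dependency map: each node lists what it relies on (systems, teams, data,
# third parties). Third parties are prefixed "vendor:". Constructed sample.
DEPENDENCIES = {
    "retail_payments": ["core_banking", "payment_switch", "fraud_screening"],
    "mortgage_origination": ["core_banking", "credit_bureau_feed"],
    "core_banking": ["primary_datacentre", "mainframe_ops_team"],
    "payment_switch": ["vendor:PaySwitchCo"],
    "fraud_screening": ["vendor:FraudCloud", "customer_data_lake"],
    "customer_data_lake": ["vendor:CloudProvider"],
    "credit_bureau_feed": ["vendor:BureauX"],
}

# Tolerance for disruption, in hours, per critical operation (constructed).
# Only operations listed here are treated as critical.
TOLERANCE_HOURS = {
    "retail_payments": 4,
    "mortgage_origination": 24,
}


def transitive_dependencies(operation):
    """Breadth-first walk of the map; returns every node `operation`
    depends on, directly or indirectly (not including the operation)."""
    seen, queue = set(), deque([operation])
    while queue:
        node = queue.popleft()
        for dep in DEPENDENCIES.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def critical_vendors():
    """Map each third party to the critical operations it supports,
    walking the whole chain so fourth parties (a vendor behind an
    internal system) are not missed."""
    result = {}
    for operation in TOLERANCE_HOURS:
        for dep in transitive_dependencies(operation):
            if dep.startswith("vendor:"):
                result.setdefault(dep, set()).add(operation)
    return result


def operations_affected(failed_node):
    """Critical operations that stop if `failed_node` is unavailable."""
    return sorted(
        op for op in TOLERANCE_HOURS
        if op == failed_node or failed_node in transitive_dependencies(op)
    )


def tolerance_breaches(scenario_outage_hours):
    """Evaluate a scenario given as {node: outage duration in hours}.

    Assumption (stated in the lead-in): no redundancy, so an operation's
    downtime equals the longest outage among its failed dependencies.
    Returns {operation: (downtime, tolerance)} for every operation whose
    tolerance for disruption is exceeded; these are the escalation items.
    """
    breaches = {}
    for operation, tolerance in TOLERANCE_HOURS.items():
        chain = transitive_dependencies(operation) | {operation}
        downtime = max(
            (hours for node, hours in scenario_outage_hours.items() if node in chain),
            default=0,
        )
        if downtime > tolerance:
            breaches[operation] = (downtime, tolerance)
    return breaches


if __name__ == "__main__":
    for vendor, ops in sorted(critical_vendors().items()):
        print(f"{vendor} supports critical operations: {sorted(ops)}")
    # Scenario: the cloud provider behind the data lake is down for 6 hours.
    print("Breaches:", tolerance_breaches({"vendor:CloudProvider": 6}))
```

Running the scenario shows the point of mapping transitively: `vendor:CloudProvider` never appears next to `retail_payments` in the map, yet a six-hour outage at that provider breaches the four-hour tolerance for retail payments via the fraud-screening data lake. The same twelve-hour datacentre outage breaches retail payments but stays within the twenty-four-hour mortgage tolerance, which is exactly the kind of trade-off the tolerance-setting exercise is meant to make explicit before the incident happens.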


5. Make Resilience a Board-Level Conversation

Ultimately, resilience is a governance issue. Senior management and boards are responsible for oversight of operational resilience frameworks.

Risk professionals can help elevate the discussion by:

  • Reporting on resilience maturity in quarterly risk dashboards

  • Presenting scenario outcomes and heatmaps to risk committees

  • Flagging where resilience gaps intersect with other enterprise risks (e.g., cyber, conduct, or third-party)


Why It Matters Now

In 2025, financial institutions face a volatile mix of threats: economic slowdown, digital disruption, evolving cyber risks, and geopolitical uncertainty.

Regulators around the world are moving to enhance operational resilience. The UK’s FCA and PRA operational resilience rules, the EU’s DORA regulation, Australia’s APRA CPS 230, and U.S. regulators are all sharpening expectations around operational resilience. E-21 keeps Canadian institutions aligned with global best practices.


Final Thoughts: Lead Resilience from the Front

For Canadian risk professionals, OSFI’s E-21 is both a challenge and an opportunity. It challenges us to rethink how we define and manage operational risk. But it also gives us an opportunity to lead from the front, driving cross-functional change that can protect our institutions—and their customers—when it matters most.

Resilience isn’t about predicting the next crisis. It’s about being ready for any crisis. E-21 gives us the playbook. Now it’s up to us to run the plays.






© 2025 by Vigilant Risk and Governance Solutions
