CanucktAI
Financial | Federal — Canada | In force March 2024

OSFI E-21

OSFI Guideline E-21 — Operational Resilience and Operational Risk Management

Operational risk and resilience for federally regulated financial institutions

Overview

OSFI E-21 establishes expectations for how federally regulated financial institutions (FRFIs) manage operational risk and build operational resilience. It requires FRFIs to identify critical operations, set impact tolerances, test their ability to stay within those tolerances during disruptions, and embed resilience into their risk management culture.

Authority: Office of the Superintendent of Financial Institutions (OSFI)
Jurisdiction: Federal — Canada
Effective date: March 2024

Applicability

Who must comply with OSFI E-21?

Federally regulated financial institutions subject to OSFI supervision, including banks, trust companies, insurance companies, and co-operative credit associations.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data

Requirements

Key obligations under OSFI E-21

Critical Operations Inventory

Identify all critical operations — the services whose disruption would pose risks to financial stability, customers, or the institution.

Impact Tolerances

Define maximum tolerable disruption levels for each critical operation in terms of duration, data loss, and service degradation.

Resilience Testing

Regularly test your ability to remain within impact tolerances during severe but plausible disruption scenarios.

Operational Risk Framework

Maintain a comprehensive operational risk management framework with risk identification, assessment, monitoring, and reporting.

Third-party Dependencies

Map operational dependencies on third parties for critical operations and incorporate them into resilience testing.

Incident Management

Have documented incident response and recovery procedures for operational events affecting critical operations.

Enforcement

Penalties & enforcement

Maximum penalty: Supervisory intervention; administrative sanctions
Enforced by: Office of the Superintendent of Financial Institutions
How Canuckt keeps you penalty-free:
Critical operations inventory template aligned with OSFI E-21 classification guidance
Impact tolerance definition framework with industry benchmark thresholds for financial services
Third-party operational dependency mapping integrated with your B-10 vendor inventory
Incident management plan templates that satisfy both OSFI E-21 and PIPEDA breach response requirements

Run a free OSFI E-21 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with OSFI E-21 — in under 3 hours. Free forever.
