OSFI E-21: operational risk for Canadian FRFIs
Guideline E-21 from Canada’s Office of the Superintendent of Financial Institutions (OSFI) is a regulatory framework that sets out expectations for operational risk management and resilience. It requires federally regulated financial institutions (FRFIs) to identify their critical operations and ensure they can keep functioning even during events such as natural disasters or cyberattacks.
To decrease operational risk, Canada has implemented a version of E-21 since 2016. But the updated 2024 version shifts focus from simply preventing risks to ensuring institutions can withstand and recover from major disruptions.
With the milestone of internal compliance checking just passed, 2026 will be the year of full implementation. It is therefore up to compliance and risk managers to get as familiar with OSFI E-21 as possible, especially to avoid priority 1 cyber incidents, which have nearly tripled since 2022.
What are the core pillars of E-21?
Since 2024, E-21 has included four key pillars:
1. Governance
2. Operational risk management
3. Operational resilience
4. Specialist risks
Governance
The governance pillar establishes who is in charge and how decisions are made within the organization.
It provides accountability by making the Board and senior management explicitly responsible for operational resilience, and asks that institutions foster a culture where risks are openly discussed and escalated. The business must define the roles of the business units, risk and compliance, and internal audit as its three lines of defence.
Operational risk management
The operational risk management pillar focuses on prevention, including identifying and mitigating risks before they escalate.
It involves defining the risk appetite of the financial institution, and creating a taxonomy of potential risks, through categories like:
- Human risks
- Process failures
- External errors
- Supply chain issues
Operational resilience
The operational resilience pillar is critical, and was a key part of the 2024 update to the OSFI E-21 guideline.
It asks that institutions identify the services whose disruption would harm customers, such as ATMs going down. It also requires each of those services to be mapped to the roles, software, and supporting services that make it work.
Firms must set impact tolerances, which place a hard limit on acceptable disruption, and run regular scenario tests to check whether they stay within those tolerance levels.
Specialist risks
This final pillar asked that by September 2025, all compliant firms could prove their resilience in the following seven areas:
- Technology and cybersecurity
- Third-party risk
- Data risks
- Business continuity
- Disaster recovery
- Crisis management
- Change management
To meet these requirements by the deadline, firms focused on closing the gaps between the old 2016 standards and the 2024 expectations.
How can you avoid self-assessment traps under the RCSA?
Self-assessments are used in E-21 compliance as the primary evidence to prove that financial institutions are resilient, as well as compliant. Alongside E-21 incident reporting, Risk and Control Self Assessments (RCSAs) are used by firms to identify inherent risks (before controls) and residual risks (after controls). And now, RCSA frameworks must be linked to critical operations, such as ‘payroll’ instead of the accounting and finance function.
But there are some common traps in self-assessments, including:
1. Siloed data: business units often assess risks only within their own perimeter. This causes them to miss the lineage of critical operations and shared services which, if they went wrong, could affect multiple departments at once.
2. Stale scenarios: teams often copy and paste risk scenarios without considering how the technology, ecosystem, threats and processes have changed. This leaves institutions exposed to outdated risk calculations.
3. Weak root causes: the ‘human error’ label is often generic and vague, hiding the real systemic failures that can make some of these errors inevitable. Firms should investigate and get to the real root cause of a risk.
The bow-tie method and RCSA sprints
The bow-tie method is one of the most effective ways to visualize the ‘line of sight’ for OSFI auditors, because it forces teams to consider both prevention and recovery.
On the left side of the bow-tie, firms should consider the risks, map the threats and identify what leaves them exposed, together with the preventive barriers in place.
The knot of the bow-tie marks the moment that control is lost and a risk event occurs.
The right side of the bow-tie should outline the consequences of the event, and which recovery barriers exist to keep those consequences within your impact tolerances.
30-day RCSA resilience sprints can also help teams to refresh their specific critical operations:
- Week 1: identify critical operations and map their dependencies
- Week 2: workshop the scenarios to identify consequences
- Week 3: apply the bow-tie method and assign key risk indicators to the barriers
- Week 4: execute your sign-off matrix, ensuring that senior management and the board are aware of their roles in the governance process
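As an added illustration, not taken from the original article or from any Global Relay product, the weeks 1 to 3 of such a sprint can be captured as data so that barrier gaps and impact-tolerance breaches are checked mechanically rather than by eye. The ‘payroll’ critical operation, its 48-hour impact tolerance, the threats, barriers, key risk indicators and scenario outage durations below are all constructed for the example; the 75% warning band used for the amber status is an assumed convention, not something E-21 prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Barrier:
    name: str
    kri: str  # key risk indicator assigned to the barrier (week 3 of the sprint)


@dataclass
class Threat:
    name: str
    preventive_barriers: List[Barrier] = field(default_factory=list)  # left side


@dataclass
class Consequence:
    name: str
    recovery_barriers: List[Barrier] = field(default_factory=list)  # right side


@dataclass
class BowTie:
    critical_operation: str
    top_event: str                 # the knot: the moment control is lost
    impact_tolerance_hours: float  # hard limit on acceptable disruption
    threats: List[Threat]
    consequences: List[Consequence]


def barrier_gaps(bt: BowTie) -> List[Tuple[str, str]]:
    """Threats with no preventive barrier and consequences with no recovery
    barrier. Each gap is an unmitigated path through the knot and is what an
    auditor following the 'line of sight' will ask about first."""
    gaps = [("threat", t.name) for t in bt.threats if not t.preventive_barriers]
    gaps += [("consequence", c.name) for c in bt.consequences if not c.recovery_barriers]
    return gaps


def kri_register(bt: BowTie) -> Dict[str, str]:
    """Barrier name -> key risk indicator, across both sides of the bow-tie."""
    register = {}
    for t in bt.threats:
        register.update({b.name: b.kri for b in t.preventive_barriers})
    for c in bt.consequences:
        register.update({b.name: b.kri for b in c.recovery_barriers})
    return register


def tolerance_status(bt: BowTie, outage_hours: float, warning_fraction: float = 0.75) -> str:
    """Red/yellow/green status of one scenario's outage against the impact
    tolerance. 'yellow' means the outage has used at least warning_fraction of
    the tolerance (assumed convention); 'red' means the tolerance is breached."""
    if outage_hours > bt.impact_tolerance_hours:
        return "red"
    if outage_hours >= warning_fraction * bt.impact_tolerance_hours:
        return "yellow"
    return "green"


def run_scenarios(bt: BowTie, scenarios: Dict[str, float]) -> Dict[str, str]:
    """Week 2 scenario workshop output: scenario name -> outage hours, evaluated
    against the operation's impact tolerance."""
    return {name: tolerance_status(bt, hours) for name, hours in scenarios.items()}


# Constructed bow-tie for the 'payroll' critical operation (sample data, not real).
PAYROLL = BowTie(
    critical_operation="Payroll",
    top_event="Payroll run cannot be executed on pay date",
    impact_tolerance_hours=48.0,
    threats=[
        Threat("Payroll SaaS provider outage",
               [Barrier("Tested secondary payroll file export", "Days since export last tested")]),
        Threat("Ransomware on HR file server",
               [Barrier("Immutable offline backups", "Age of last successful restore test (days)")]),
        Threat("Key-person absence in payroll team"),  # no barrier yet: a gap
    ],
    consequences=[
        Consequence("Employees not paid on time",
                    [Barrier("Manual emergency payment run", "Time to first manual payment (h)")]),
        Consequence("Statutory remittance deadline missed"),  # no recovery barrier: a gap
    ],
)

# Constructed scenario durations (hours) from a week-2 workshop.
SCENARIOS = {
    "provider outage, failover to export": 8.0,
    "ransomware, restore from backup": 40.0,
    "provider outage, no failover": 60.0,
}

if __name__ == "__main__":
    print("gaps:", barrier_gaps(PAYROLL))
    print("KRIs:", kri_register(PAYROLL))
    print("scenarios:", run_scenarios(PAYROLL, SCENARIOS))
```

The two gap entries are exactly the items a week-4 sign-off matrix should refuse to close until an owner and a barrier are assigned, and the scenario table gives the board a one-line view of which tested disruptions sit inside, near, or beyond the impact tolerance.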
What’s the best tech stack for resilience?
Financial institutions have long been aware of the need to replace legacy systems with a truly resilient tech stack. But once stakeholder buy-in, one of the greatest challenges at the highest level of an institution, has been achieved, which technology should you actually prioritize?
A purpose-built governance, risk and compliance (GRC) tool
Best suited to large institutions, GRC tools automatically link IT assets to business services. This can reveal exactly which server, vendor, and person supports each critical operation. In particular, red, yellow, and green labels help you quickly identify whether a current disruption is approaching your maximum threshold.
Communications archiving
OSFI’s integrity and security guidelines emphasize the need to monitor for undue influence and misconduct. Choose Global Relay to move beyond just saving emails, and capture communications data across Teams, Zoom, AI platforms and even WhatsApp.
In a severe risk event, this is the type of tool that can support your OSFI audit trail and explain exactly what happened, when, and by whom.
AI anomaly detection
AI is truly the only option for continuous communications surveillance in 2026, enabling financial institutions to build true patterns of behaviour for their network, users and vendors. Working this way, firms benefit from real-time detection, enabling faster responses that aim to reduce the consequences of a risk event.
E-21 mastery is required during your OSFI exam
When the regulator decides to look under the hood, you must be able to verify that your risk management isn’t just good on paper, it’s effective in practice too. Be ready for supervisor visits, sampling, and to expose your weakest links in order to work alongside the examiners. And ensure you have the right technology in place to give your institution both regulatory and real-world cyber resilience.
To learn more about Global Relay and how you can achieve end-to-end communications compliance, get in touch with a member of the team.