The Office of the Superintendent of Financial Institutions (OSFI) launched its first quarterly release of regulatory changes on August 22, 2024, as part of its pilot of a new standardized approach to the way it releases updates for the federal financial sector. OSFI's stated objective with this approach is to provide more transparency and predictability, together with clear alignment of its regulatory responses to OSFI's identified key risks.
The first quarterly release included a final version of the updated Guideline E-21 on Operational Risk Management and Resilience.
Overall, the revised Guideline E-21 modernizes OSFI's approach to operational risk by emphasizing operational resilience and focussing on non-financial risks. The Guideline applies to all federally regulated financial institutions (FRFIs), including banks, insurance companies and foreign branches.
OSFI states that operational risk management is about identifying and managing risks that could impact the operations of FRFIs, while operational resilience is the ability to deliver operations, especially critical operations, through disruption, and is built on operational risk management. Guideline E-21 applies on a risk basis, proportional to the FRFI's (a) size, (b) strategy, (c) risk profile, (d) nature, scope, and complexity of operations, and (e) interconnectedness to other financial institutions, the financial system, or the broader economy.
OSFI has reorganized and refined the text of its initial consultation draft for Guideline E-21 issued in October 2023, but has not substantively changed its expectations. Although stated differently in each version, the overarching expected outcome remains that operational risk management practices support operational resilience during disruptions.
Governance
The revised Guideline E-21 details OSFI's expectations for effective governance in respect of operational risk management and operational resilience, including responsibilities of senior management, business and central functions, oversight by risk and compliance functions, and independent assurance (e.g., by internal audit).
Operational Risk Management
Operational risks are to be managed within approved risk appetite and explicit risk limits. FRFIs are expected to have a risk taxonomy that includes categories of risks related to people, inadequate processes and systems, or external events.
Guideline E-21 discusses operational risk management tools including risk and control assessments, key risk indicators, operational risk event data analysis, and scenario analysis. The Guideline also highlights the importance of monitoring and reporting.
Operational Resilience
FRFIs are expected to identify and assess critical operations for their ability to withstand disruption, and to map internal and external dependencies. Tolerances for disruption are to be established, setting out the maximum level of disruption a FRFI can withstand.
Scenario testing continues to be encouraged in the final version of the Guideline. OSFI supports regular scenario testing over a range of severe but plausible scenarios, such as power outages, cyber incidents/technology failures, natural disasters, pandemics, and critical third-party service disruptions.
Scenario testing is expected to build on scenario analysis and focus on understanding when tolerances for disruption would be breached. Critical third-party suppliers should be included as necessary. Although OSFI does not set precise timing expectations, it encourages "regular" and "iterative" tests, with the "frequency and intensity of testing [being] proportional to the criticality of and risk to operations". Where there are significant changes in the risk environment, testing is expected to take place more frequently and outside the regular cycle.
Key Areas of Operational Risk Management That Strengthen Operational Resilience
E-21 highlights the following key areas of operational risk management that strengthen resilience:
- Business continuity risk management
- Disaster recovery risk management
- Crisis management
- Change management
- Technology and cyber risk management
- Third-party risk management
- Data risk management
Looking Forward
FRFIs are expected to immediately adhere to the expectations in sections 1 (Governance) and 2 (Operational Risk Management) of Guideline E-21.
There is a phased implementation approach for the remaining sections in the Guideline, as they tie into Guideline B-10: Third-Party Risk Management and Guideline B-13: Technology and Cyber Risk Management. Full adherence and operationalization are expected by September 1, 2026.