Where You Should Be Right Now
Guideline E-21 was published on August 22, 2024. OSFI gave federally regulated financial institutions two years to achieve full adherence and operationalization. That is not a generous timeline by international standards: the UK gave its firms three years, and many still found it tight.
Here's the honest benchmark. By March 2026, you should have:
- Identified your critical operations — the services that, if disrupted, would threaten your institution's viability or the broader financial system
- Established governance — a cross-discipline committee with clear accountability, senior management oversight, and an operational risk management framework
- Begun dependency mapping — at least for your top-tier critical operations, with internal and external dependencies documented
- Set initial disruption tolerances — not just RTOs, but the maximum level of disruption you can withstand across severe but plausible scenarios
If you've done all of that, you're in reasonable shape. The next five months are about refining, testing, and filling gaps.
If you haven't — if "critical operations" is still a draft list in someone's inbox, or the dependency mapping hasn't started, or your disruption tolerances are just recycled RTOs from the old BCP — then five months is tight. Not impossible. But tight.
What E-21 Actually Requires by September
E-21 spans four pillars: governance, operational risk management, operational resilience, and supporting risk disciplines. Not all of them need to be fully mature by September 1. Here's what does.
The non-negotiables
Critical operations must be identified, mapped, and owned. This is the foundation. OSFI defines critical operations as services that, if disrupted, would threaten your institution's viability or harm the broader financial system. Identifying them sounds straightforward — it's not. The UK's FCA found that firms "varied" widely in quality when identifying their Important Business Services, with some inappropriately excluding services because competitors offered substitutes. OSFI will be looking at the same thing. Your critical operations list needs rationale, not just titles.
End-to-end dependency mapping must be complete for critical operations. E-21 explicitly requires "holistic, end-to-end mapping of critical operations" including internal systems, third-party providers, and technology infrastructure. This is where most institutions underestimate the effort. The UK experience showed that dependency mapping — especially beyond tier-one vendors into the full chain of dependencies underneath each service — was one of the most time-consuming workstreams.
Disruption tolerances must be set and documented. Not RTOs. Disruption tolerances. This distinction matters. An RTO is a recovery target for a specific system. A disruption tolerance is the maximum level of disruption your institution can absorb while still delivering a critical operation within acceptable bounds. Tolerances should be primarily time-based but can include complementary metrics — transaction volume thresholds, geographic impact, customer-type impact. The FCA flagged UK firms for providing "limited rationale" for when intolerable harm was reached. Document your reasoning, not just your numbers.
Scenario testing methodology must be developed. You don't need to complete all scenario testing by September 2026 — that deadline extends to September 1, 2027. But you do need the methodology in place: what scenarios you'll test, how you'll test them, and how you'll measure whether you stayed within your disruption tolerances. Think of it as having the exam ready even if you haven't taken it yet.
What can wait (but shouldn't wait long)
Completing all scenario tests — the September 2027 deadline gives you an additional year, but starting early builds credibility with OSFI and reveals gaps while you still have time to close them.
Full maturity across all supporting risk disciplines — business continuity, disaster recovery, crisis management, change management, technology/cyber risk, third-party risk, and data risk all fall under E-21's umbrella. OSFI expects progress, not perfection, on the supporting disciplines by September 2026.
What the UK Learned (And What It Means for You)
Canada isn't the first country to implement operational resilience regulation. The UK's FCA and PRA framework went live in March 2022 with a three-year transition period ending March 31, 2025. The lessons from that experience are directly relevant.
Static documents don't survive contact with regulators. Many UK firms created compliance artifacts — spreadsheets, PDF self-assessments, static dependency maps — that satisfied the initial requirements but became obsolete almost immediately. Cloud migrations happened. Vendors changed. New services launched. The documents didn't update. When regulators shifted from "have you identified your services?" to "can you prove you're within tolerances today?", firms with static documentation faced what analysts described as "significant compliance debt." Don't repeat this. Whatever you build in the next five months, build it to be maintainable, not just presentable.
Impact tolerances are harder than they look. The UK experience showed that firms consistently confused impact tolerances with RTOs. They'd set a four-hour tolerance for a payment service and call it done. But regulators wanted to know: four hours based on what? What's the consumer harm threshold? What transaction volume makes the disruption intolerable? What's different between a four-hour outage on a Tuesday versus a Friday before a long weekend? If your disruption tolerances don't have documented rationale behind the numbers, they're just recycled RTOs with a new label.
Third-party dependencies are the blind spot. Most institutions can map their own infrastructure reasonably well. The challenge is mapping what their third parties depend on — and what those third parties depend on. E-21 works alongside Guideline B-10 (Third-Party Risk Management) for a reason. The Rogers outage proved that a single third-party dependency can take down an entire critical operation. If your dependency map stops at "we use Rogers for connectivity," you haven't mapped the dependency — you've just named the vendor.
A Realistic Five-Month Plan
Here's what you can actually accomplish between now and September 1, organized by priority.
Lock the critical operations list and assign ownership
If you haven't finalized which operations are "critical" under E-21's definition, this is week one. Get senior management sign-off. Assign an owner for each critical operation — someone with authority, not just accountability. Document the rationale for why each operation qualifies and, just as importantly, why others don't.
Complete dependency mapping for top-tier critical operations
Start with your two or three most critical operations and map them end-to-end. Internal systems, third-party providers, technology infrastructure, people dependencies. Go beyond tier-one: if you depend on a payment processor, map what that processor depends on. This is where ownership questions surface — embrace them now rather than discovering them during a regulatory review.
Set disruption tolerances with documented rationale
For each critical operation, establish the maximum tolerable disruption. Make it specific: time-based, with complementary volume and impact metrics where relevant. Document why each threshold was set. Involve business stakeholders, not just risk teams — the trading desk and HR will have very different answers about acceptable email downtime, and that conversation needs to happen now.
Develop scenario testing methodology and run a pilot
Design your testing approach: what scenarios, what success criteria, how results feed back into tolerance calibration. Then run at least one pilot test against your highest-priority critical operation. You don't need to complete all testing by September — that's the 2027 deadline — but having one completed test demonstrates maturity and, more practically, reveals whether your dependency maps and tolerances hold up under stress.
Gap remediation and documentation finalization
The pilot test will surface gaps. Use August to close the most critical ones, update your dependency maps with what you learned, and finalize the documentation package. Ensure your governance structure is in place: clear escalation paths, regular reporting cadence, board-level visibility into operational resilience posture.
The Three Mistakes That Will Cost You
Treating E-21 as a documentation exercise. The temptation is to produce the artifacts OSFI expects — the critical operations register, the dependency maps, the tolerance statements — and call it done. This is exactly what happened in the UK, and regulators saw through it immediately. OSFI isn't asking for documents. They're asking for capability. Can your institution actually identify what's breaking during a disruption, assess whether you're within tolerance, and take action? If the answer depends on someone opening a PDF that was last updated six months ago, you don't have the capability.
Mapping dependencies in a spreadsheet and calling it done. A static dependency map is better than no map. But static maps decay the moment they're created. Infrastructure changes constantly — new services, new vendors, configuration updates. If your dependency map doesn't have a mechanism for staying current, it will be wrong by the time OSFI looks at it. The UK firms that struggled most post-March 2025 were the ones whose maps had drifted so far from reality that they couldn't answer basic questions about their current dependency landscape.
Setting tolerances without checking the math. Your payment service has a two-hour disruption tolerance. Does the authentication infrastructure it depends on support that? Does the network connectivity? Does the third-party processor? If the dependency chain can't support the tolerance you've set, then the tolerance is fiction. Run the numbers end-to-end before you submit them.
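The end-to-end dependency mapping described in the five-month plan and the "check the math" point above are the same exercise seen from two sides: once a critical operation's dependency chain is written down as a graph with a recovery time per component, the achievable recovery time is a critical-path calculation, and a tolerance that the chain cannot meet shows up immediately. The following is an added example, not tooling from OSFI, the article, or any named vendor; the component names, recovery times, tolerance values and the assumption that a component restores only after its dependencies are back (unless flagged otherwise) are all constructed for illustration. A third party entered with no evidenced recovery time is treated as an unmapped dependency, which is exactly the "we use vendor X" entry the article warns about.

```python
"""Check whether a critical operation's dependency chain can meet its
disruption tolerance.  Added example; all names and numbers are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Component:
    name: str
    rto_hours: Optional[float]            # None = no evidenced recovery time (vendor never asked)
    depends_on: list[str] = field(default_factory=list)
    third_party: bool = False
    restore_after_deps: bool = True       # must dependencies be back before this can restore?


class DependencyChainError(Exception):
    """Raised for a cycle or a dependency that is referenced but never mapped."""


def worst_case_recovery(graph: dict[str, Component], root: str):
    """Critical path through the dependency graph under `root`.

    Returns (hours, path, unknowns).  `hours` counts only components with an
    evidenced RTO; `unknowns` lists components whose RTO is None, which make
    the figure a lower bound rather than an answer.
    """
    memo: dict[str, tuple] = {}
    visiting: set[str] = set()

    def visit(name: str):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise DependencyChainError(f"cycle through {name}")
        if name not in graph:
            raise DependencyChainError(f"{name} referenced but not mapped")
        visiting.add(name)
        comp = graph[name]
        own = comp.rto_hours or 0.0
        unknowns = [name] if comp.rto_hours is None else []
        dep_hours, dep_path = 0.0, []
        for dep in comp.depends_on:
            h, p, u = visit(dep)
            unknowns.extend(u)
            if h > dep_hours:                 # keep the slowest dependency chain
                dep_hours, dep_path = h, p
        if comp.restore_after_deps:           # sequential: own time adds to the chain
            total, path = own + dep_hours, [name] + dep_path
        elif own >= dep_hours:                # parallel: the longer of the two dominates
            total, path = own, [name]
        else:
            total, path = dep_hours, [name] + dep_path
        visiting.discard(name)
        memo[name] = (total, path, unknowns)
        return memo[name]

    return visit(root)


def check_tolerance(graph: dict[str, Component], root: str, tolerance_hours: float) -> dict:
    """Compare the chain's worst-case recovery against the documented tolerance."""
    hours, path, unknowns = worst_case_recovery(graph, root)
    unknowns = sorted(set(unknowns))
    if unknowns:
        verdict = "unverifiable"              # a named-but-unmapped vendor blocks the check
    elif hours <= tolerance_hours:
        verdict = "within tolerance"
    else:
        verdict = "breach"
    return {
        "verdict": verdict,
        "tolerance_hours": tolerance_hours,
        "worst_case_hours": hours,
        "critical_path": path,
        "third_parties_on_path": [n for n in path if graph[n].third_party],
        "unevidenced": unknowns,
    }


def _graph(*components: Component) -> dict[str, Component]:
    return {c.name: c for c in components}


# Constructed sample: every component individually recovers in under two hours,
# but the chain payments_api -> auth -> directory -> network does not.
PAYMENTS_MAP = _graph(
    Component("payments_api", 0.5, ["auth", "core_ledger", "network"]),
    Component("auth", 1.0, ["directory"]),
    Component("directory", 1.0, ["network"]),
    Component("core_ledger", 1.0, ["network"]),
    Component("network", 0.5, [], third_party=True),   # connectivity provider, contracted 30 min
)

# Same map with a card processor that is named but has no evidenced recovery time.
PAYMENTS_MAP_VENDOR_GAP = dict(PAYMENTS_MAP)
PAYMENTS_MAP_VENDOR_GAP["payments_api"] = Component(
    "payments_api", 0.5, ["auth", "core_ledger", "network", "card_processor"])
PAYMENTS_MAP_VENDOR_GAP["card_processor"] = Component("card_processor", None, [], third_party=True)

if __name__ == "__main__":
    print(check_tolerance(PAYMENTS_MAP, "payments_api", tolerance_hours=2.0))
    print(check_tolerance(PAYMENTS_MAP_VENDOR_GAP, "payments_api", tolerance_hours=2.0))
```

Run against the constructed map, the payments service's two-hour tolerance is reported as a breach with a three-hour critical path, even though no single component exceeds one hour; the variant with the unmapped processor is reported as unverifiable rather than compliant, which is the honest answer when the map stops at a vendor's name. Re-running this check whenever a component or vendor changes is one concrete way to keep the map from decaying into the static spreadsheet the article cautions against.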
What September Actually Means
September 1, 2026 is not the finish line. It's the point at which OSFI expects your operational resilience program to be operational — meaning the structures are in place, the critical operations are identified and mapped, the tolerances are set, and the testing methodology exists.
The heavier lift — completing scenario testing across all critical operations — extends to September 2027. And the ongoing expectation — maintaining the maps, re-testing after material changes, updating tolerances as the business evolves — is permanent.
If you're behind, the worst thing you can do is nothing. The second worst thing is to rush through a compliance exercise that produces artifacts nobody trusts. The best thing you can do is start with the critical operations that matter most, map them honestly, set tolerances with real rationale, and build a program that can grow after September rather than one that peaks on the deadline and decays immediately after.
Five months is enough to build something real. It's not enough to fake it.
Sources & Related Reading
- The Rogers Outage: What It Taught Canada About Operational Resilience
- What Is Operational Resilience Modeling? From Compliance to Continuous Confidence
- What Is Infrastructure Dependency Mapping? A Complete Guide
- Your RTO Is a Lie: Recovery Time Objectives Are Chains, Not Numbers
- Nobody Wants to Own the Dependency Map (And That's Why It's Always Wrong)
- The Email Dependency Test: Map One Service, Find Twenty Problems
- How to Keep BCP Documentation in Sync with Infrastructure (And Why It Never Is)
- Business Continuity Reports Are Mandatory. Why Are You Still Writing Them in Word?
- OSFI's September Deadline Is a Few Months Away. Where Are You?
- OSFI — Guideline E-21: Operational Risk Management and Resilience
- OSFI — Backgrounder: Guideline E-21
- Enactia — FCA & PRA Operational Resilience 2026: From Compliance to Continuous Resilience
- FCA — Operational Resilience: Insights and Observations for Firms