OSFI's September Deadline Is a Few Months Away. Where Are You?

Not a draft. Not a working document someone started in Q4. A list of operations that, if disrupted, would threaten your institution's viability or harm the broader financial system — reviewed, challenged, and approved by senior management. Each one has a named owner with authority, not just accountability. The rationale for what made the list, and what didn't, is documented.

E-21 requires "holistic, end-to-end mapping" — internal systems, third-party providers, technology infrastructure, people, and the interconnections between all of them. If your mapping stops at "we use vendor X for payments," you've named the dependency without mapping it. What does vendor X depend on? What's the chain underneath?

A disruption tolerance is the maximum level of disruption you can absorb while still delivering the critical operation. It's primarily time-based but should include complementary metrics: transaction volume, geographic scope, customer segments affected. If you took your old RTOs, relabeled them "disruption tolerances," and moved on — that doesn't meet the standard. The UK's FCA flagged firms specifically for this.

E-21 requires an explicit operational risk appetite statement integrated into your enterprise risk framework. This isn't aspirational language — it's specific limits and thresholds: how much operational loss is acceptable, what risk concentrations are tolerable, what categories of risk require escalation. Key risk indicators should be in place and regularly reported to senior management.

A cross-discipline committee — not just risk, but IT, business continuity, operations, and business lines — with a clear mandate, regular meeting cadence, and escalation paths to the board. Someone senior owns operational resilience as a program, not as a side project. Independent risk and compliance functions provide oversight. Internal audit has a role.

E-21 works alongside Guideline B-10 (Third-Party Risk Management) for a reason. If your critical payment service depends on a single telecom carrier, and that carrier goes down, your operation goes down — Canada learned this the hard way in 2022. Third-party mapping must go beyond tier-one vendors. What do your critical third parties depend on? Where are the concentration risks?

Full scenario testing isn't due until September 2027, but the methodology must be in place by September 2026. That means: what scenarios you'll test, what "severe but plausible" means for your institution, how you'll assess whether you stayed within disruption tolerances, and how results feed back into remediation. If you've run at least one pilot test against a critical operation, you're ahead.

E-21 doesn't accept BCP documents that were accurate when they were written and have drifted since. If your infrastructure has changed — new services, new vendors, cloud migrations, architecture updates — and the BCP hasn't been updated to reflect those changes, you have a documentation gap that creates false confidence. Static plans are a liability, not a compliance artifact.

When a significant change happens — new system deployment, vendor migration, architecture modification — does the process include an assessment of impact on critical operations and their dependency maps? E-21 requires change management activities to cover significant changes, with the expectation that resilience considerations are embedded in the process, not bolted on after.

Crisis management is a required supporting discipline under E-21. It's not enough to have a plan — it needs to have been exercised. Does your team know who makes the call, who communicates externally, how critical operations are prioritized during a real disruption? If your crisis management plan was last tested before E-21 was published, it predates the requirements it's supposed to meet.