OSFI Guideline E-21

OSFI E-21 operational resilience, mapped

Identify critical operations, set tolerances for disruption, map third-party and ICT dependencies, run scenario tests, and report to the board - the OSFI Guideline E-21 resilience programme every Canadian FRFI must demonstrate by 1 September 2026, rendered as an editable BPMN process map.

Official source:

Read OSFI Guideline E-21 on osfi-bsif.gc.ca (official)

Map an E-21 critical operation Compare to APRA CPS 230

E-21 Pillars

The four pillars of E-21 resilience

Identification, tolerance, dependencies, testing - each pillar produces evidence that lives on the same critical-operations diagram.

Critical operations

The operations whose disruption would result in significant impact on customers, the FRFI, or the financial system. Identified, named, and documented as the unit of analysis everything else hangs off.

Tolerances for disruption

The maximum tolerable downtime, loss, or customer impact per critical operation - set by the board, defended against scenario testing, and reported when breached.

Dependencies (third parties + ICT)

Material service providers and ICT systems that support each critical operation. Mapped onto the same diagram so resilience analysis can't drift away from the operations it's meant to protect.

Scenario testing + reporting

Severe-but-plausible scenarios against tolerances. Board reporting on results, breaches, and remediation. Periodic OSFI reporting on the framework's operation.

E-21 Download

Take the E-21 one-pager with you

A fillable PDF and editable DOCX of the OSFI E-21 readiness one-pager. Tick each step in your PDF reader, fill in your FRFI’s organisation, programme owner, and target date, and circulate to your operational resilience and second-line stakeholders.

Download fillable PDF Download DOCX

The PDF includes real AcroForm checkboxes per step and fillable text fields for the organisation, programme owner, and target date. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

FILLABLE PDF PREVIEW

OSFI Guideline E-21 readiness one-pager

OSFI Guideline E-21 - Operational Risk Management and Resilience

Organisation

[Organisation name]

Programme owner

[Programme owner]

Target date

[Target date]

Jurisdiction

Canada - OSFI

Programme owner kicks off the OSFI E-21 mapping and identifies the FRFI's critical operations.

For each critical operation, set the tolerance for disruption - the maximum tolerable downtime, loss, or customer impact.

Map the third-party arrangements and ICT dependencies that support each critical operation.

Run severe-but-plausible scenario testing against the operations and tolerances.

+ 2 more checkboxes in the downloaded PDF

E-21 Process Map

The E-21 programme as a process map

Identification feeds tolerance; tolerance feeds dependency mapping; testing closes the loop into board and OSFI reporting. One diagram per critical operation, all sharing the same shape.

Open in editor

OSFI E-21 operational resilience programme

An OSFI Guideline E-21 operational resilience programme rendered as a BPMN 2.0 process map. The flow identifies critical operations, sets impact tolerances, maps third-party and ICT dependencies, runs severe-but-plausible scenario testing, and reports to the board and OSFI - the obligations a Canadian FRFI must operate from 1 September 2026.

Programme owner kicks off the OSFI E-21 mapping and identifies the FRFI's critical operations.
For each critical operation, set the tolerance for disruption - the maximum tolerable downtime, loss, or customer impact.
Map the third-party arrangements and ICT dependencies that support each critical operation.
Run severe-but-plausible scenario testing against the operations and tolerances.
If scenario testing shows the tolerance would be breached, drive remediation and re-test before moving on.
Once tolerances hold, report findings, residual risk, and remediation plans to the board and to OSFI on the required cadence.

E-21 FAQ

Frequently asked questions

What is OSFI Guideline E-21?

Guideline E-21 is the Office of the Superintendent of Financial Institutions' guideline on Operational Risk Management and Resilience. It applies to federally regulated financial institutions (FRFIs) in Canada and consolidates OSFI's expectations for how an FRFI identifies, manages, and demonstrates resilience for its critical operations.

When does E-21 take effect?

OSFI published the revised Guideline E-21 in August 2024. The operational risk management expectations applied from publication; the operational resilience expectations apply from 1 September 2026. FRFIs should plan to demonstrate the full operational resilience framework by that 2026 date.

Who does E-21 apply to?

All FRFIs supervised by OSFI: banks, federally regulated trust and loan companies, federally regulated insurance companies, federally regulated pension plans (some elements), and bank holding companies. FRFIs are expected to apply the guideline proportionate to their size, risk profile, and complexity.

How does E-21 compare to APRA CPS 230 or the EU DORA?

The three regimes converge on similar substance - identify critical operations, set tolerances for disruption, manage third-party and ICT dependencies, test scenarios, report to the board. They diverge in jurisdiction, prescriptive detail, and reporting cadence. An FRFI with global operations typically maintains one underlying process map and tags evidence to the relevant regime.

Why use a process map for OSFI E-21?

E-21 expects FRFIs to be able to explain how each critical operation runs end-to-end - including third parties and ICT - and how tolerances are tested. A BPMN process map is the most direct way to show that: people, systems, handoffs, and decision points on one diagram. It's what an OSFI supervisor asks to see during an examination.

APRA CPS 230 (Australia)

The Australian operational-risk standard with very similar shape to E-21 - same critical operations, tolerances, scenario testing.

DORA (EU)

The EU Digital Operational Resilience Act applies similar substance to EU financial entities. Cross-mapped programmes save duplicate evidence.

EU AI Act architecture

The Annex IV technical-documentation flow - different domain, same “one diagram drives evidence collection” pattern.

Get OSFI E-21 ready before 1 September 2026

Pick the critical operation that worries you most. Open the template, rename the steps, attach tolerances and dependencies to the diagram - and use the same shape for the next one.