Most Canadian credit unions and banks have a Business Continuity Plan. Far fewer have the evidence a supervisor will ask for. The full adherence deadline is September 1, 2026. 2Oaks helps you close the gap before the regulator finds it.
A system outage, a cyberattack, a key person walkout, a regulatory review. When something goes wrong, the plan on the shelf and the reality on the floor rarely match. We help close that gap before it matters.
Documentation exists but teams have never run through a real scenario. When a crisis hits, no one knows their role. OSFI E-21 requires documented evidence of testing, not just a plan on file.
A new digital banking platform goes live. The BCP still references the old system. That gap is invisible until a disruption, or a supervisory review, surfaces it.
OSFI E-21 shifts the bar from business continuity planning as a document to operational resilience as a tested, evidenced program. The September 2026 deadline is not a soft target.
E-21 is not a refresh of existing business continuity guidance. It is a different operating model, one that assumes severe disruptions will happen and expects you to prove you can deliver critical operations through them.
E-21 works in concert with Guideline B-10 (third-party risk) and B-13 (technology and cyber risk). If your critical operations depend on a cloud platform or managed service providers, all three guidelines apply.
September 2025: Section 4 milestone. Closing legacy gaps from the 2016 guideline.
Full operationalization of E-21. Critical operations identified, tolerances set, dependencies mapped, tabletop exercises run with documented results. This is the deadline most institutions are quietly worried about.
Scenario testing across all critical operations. Tabletops are the starting point. Simulations and live-systems testing must follow. Third-party participation expected where possible.
Our free Business Resilience Assessment takes 20 minutes and surfaces the five things most likely to come up in a supervisory review, in a way that doesn't put a finding on the record.
We don't hand you a framework and leave. We work inside your organization to build a continuity program that is practical, tested, and audit-ready for E-21.
We align your BCMS strategy with corporate objectives, develop phased implementation roadmaps, and establish governance structures with the executive sponsorship to sustain them.
We assess against ISO 22301 and E-21 expectations, identify gaps in policies and capabilities, and build a prioritized remediation plan with measurable milestones.
Robust frameworks and comprehensive policies covering business continuity, crisis management, and disaster recovery, built to scale with your institution and satisfy regulatory scrutiny.
We map dependencies across people, processes, technology, data, and third parties, and establish RTOs and RPOs aligned with your actual business tolerance, not assumptions.
We identify threats specific to your operating environment, evaluate likelihood and impact, and build risk registers integrated with enterprise risk management frameworks.
Practical recovery approaches for various disruption types, including alternate site strategies, workforce continuity, and communication protocols, balanced for cost and risk reduction.
Business continuity, disaster recovery, and crisis management plans with role-specific playbooks, built on a document management system structured for accessibility and audit-readiness.
Multi-year exercise calendars, tabletop and full-scale exercises tailored to your threat landscape, and after-action reviews that produce the documented evidence E-21 requires.
Steering committees, ISO 22301-aligned management review processes, and audit-ready evidence packages. Your program runs well and can prove it when a supervisor asks.
Digital banking migrations create a window of real continuity risk that most institutions don't plan for. The new system is live. The old plan references the old system. E-21 doesn't pause during a major program.
When continuity plans are postponed until after go-live, organizations expose themselves to unnecessary risk at exactly the wrong moment. You need a BCP that reflects the dual-running state, a tested rollback plan, and a clear answer to who has authority to invoke the plan during a hypercare weekend. Disaster recovery is often tested. Business continuity is not. When stakeholders don't know their roles during a crisis, response breaks down quickly.
Start with an honest read on where your program stands. Our free Business Resilience Assessment takes 20 minutes and tells you the five things most likely to come up in a supervisory review.
Andrew Mills, Partner, 2Oaks Consulting, andrew.mills@2oaks.ca