OSFI E-21 IS FOUR MONTHS AWAY. HERE ARE THE QUESTIONS MOST CANADIAN BANKS AND CREDIT UNIONS ARE ASKING

AND THE ONE THEY ARE AVOIDING

WITH DERRICK SMITH

OSFI E-21 Readiness for Canadian Banks & Credit Unions | 2Oaks Consulting

A practitioner's read on what defensible operational resilience looks like under E-21, and why a binder full of BCPs probably isn't it. 


Four Months Out 


Ask a C-suite leader at a federally regulated Canadian bank or credit union whether they have a Business Continuity Plan, and the answer is almost always yes. Ask whether the plan would hold up under a real OSFI supervisory review on September 2nd, 2026, and the answers get quieter. 

That gap, between having a document and being able to prove the document works, is the whole point of OSFI Guideline E-21. And with full adherence required by September 1, 2026, the time to find out which side of the gap you're on is now, not during your first selective supervisory review. 

The Section 4 milestone passed in September 2025. Scenario testing across all critical operations is due by September 2027. The middle deadline, operationalization of the full guideline, is the one that's about to land. It's also the one most clients are quietly worried about. 

Like other regulatory deadlines, this one has crept up on a lot of institutions, and many are now scrambling to the finish line. The practical test is simple: if you haven't run a few tabletop exercises cleanly yet, you're at risk of missing the date. 

This article is for the people inside Canadian FRFIs who already know they have work to do and are trying to figure out where to start. 


The Bottom Line


  • OSFI E-21 requires full adherence from federally regulated financial institutions by September 1, 2026, with scenario testing of all critical operations by September 2027. 

  • The guideline shifts the bar from business continuity planning (a document) to operational resilience (a tested program). 

  • OSFI has already flagged that most disruptions to critical operations now originate at third parties. B-10 and B-13 are the supporting guidelines that come along for the ride. 

  • Most institutions have a BCP. Far fewer have evidence they can put in front of a supervisor: critical operations mapped, tolerances set, dependencies traced, scenarios tested, and results acted upon. Tabletop exercises are how that evidence gets created. 

  • The fastest way to find out where you stand is a structured, time-boxed gap assessment, before a regulator does it for you. 


What E-21 Asks For (In Plain English) 


E-21 is sometimes described as a refresh of business continuity guidance. It isn't. It's a different operating model. 

The 2016 version of E-21 was about operational risk management. The 2024 version, finalized August 22, 2024, layers operational resilience on top: the assumption that severe disruptions will happen, and the expectation that you can deliver your critical operations through them. OSFI's own framing is that operational risk management is the cornerstone, and operational resilience is the building you put on it. 

Practically, that translates to four supervisory expectations: 

  1. Identify your critical operations. Not your important systems. The end-to-end services whose disruption would harm clients, market integrity, or the broader Canadian financial system. 

  2. Set tolerances for disruption. A specific, defensible number for the maximum level of disruption each critical operation can sustain under severe-but-plausible scenarios. 

  3. Map the dependencies that hold those operations up. Internal systems, people, processes, data, and third parties. Especially third parties. 

  4. Scenario-test against those tolerances. Tabletops, simulations, and live-systems testing, with the frequency and depth proportional to the criticality of the operation. 

E-21 doesn't sit on its own. It works in concert with Guideline B-10 on third-party risk management and Guideline B-13 on technology and cyber risk. If your critical operation rides on a SaaS core, a cloud platform, and three managed service providers, all three guidelines are in scope at once. 


The Six Questions Clients Keep Asking (And the Honest Answers) 


The conversations we have with Canadian FRFI clients tend to circle the same six questions. Here's what we tell them. 

1. "We have a BCP. Where are we actually against the September 2026 deadline?" 

Honestly? Most institutions are further behind than their internal status reports suggest. The Section 4 milestone in September 2025 was about closing legacy gaps from the 2016 guideline. Many institutions self-assessed as compliant against expectations they had partially met for years, which is not the same thing as being ready for the 2026 bar. 

The diagnostic test is simple. If a supervisor asked you today to show: 

  • Your list of critical operations with documented rationale for each 

  • Tolerances for disruption with the analytical basis for the number 

  • A current dependency map covering internal and third-party reliance 

  • Test results from at least one severe-but-plausible scenario, typically a tabletop exercise, with action items closed or tracked 

  • Board minutes showing senior management oversight of the above 

…could you produce all five within a week? If not, that's the gap. 

2. "How do we identify 'critical operations' in a way that satisfies OSFI?" 

This is where most programs go sideways. Teams default to listing systems (the core banking platform, online banking, the payment rails) instead of operations (member access to deposits, mortgage payment processing, payroll for clients, fraud monitoring). 

OSFI's expectation is end-to-end. A critical operation includes the people who execute it, the processes they follow, the technology they depend on, the data that flows through it, and the third parties that touch any of those things. If your "critical operations" list looks like an asset inventory, it's the wrong list. 

A good test: can you describe what fails for the member or the market if this operation is disrupted, and over what timeframe the harm becomes severe? If you can, you're describing an operation. If you can only describe what stops working internally, you're describing a system. 

3. "Our last BCP was written three years ago. Two major systems have changed. What do we do?" 

Don't rewrite it. Re-baseline it. 

The trap is treating E-21 as a documentation refresh. A new BCP that doesn't reflect your current critical operations, dependencies, and tolerances is just a new document with the same problem. 

A practical sequence: confirm what your critical operations are today, map what they actually depend on now (including the systems you've added since the last BCP was written), set tolerances based on current business reality, and only then update the response procedures. Most of the value is in the first three steps. The procedures fall out of those almost on their own. 

4. "B-10 requires exit plans for critical third parties. We can't realistically exit our core banking vendor for three years. Now what?" 

Two things. 

First, the absence of a documented exit plan is itself a finding. OSFI is not asking you to leave the vendor; it's asking you to demonstrate that you've thought through what you would do if you had to. A credible exit plan that acknowledges a multi-year transition, identifies the alternatives, and quantifies the cost and timing is more defensible than no plan at all. 

Second, OSFI has been explicit that more disruptions to critical operations now originate at third parties and their supply chains. That means your third-party resilience is part of your resilience, full stop. Pressing your critical vendors for their own BCPs, their test results, and their concentration risk on hyperscalers is now a regulatory expectation, not a procurement nicety. If your contracts don't currently support those requests, the renegotiation cycle starts now. 

5. "We're 18 months into a core banking migration. Does our BCP cover the transition period?" 

Probably not, and this is where serious operational risk hides during a transformation. We've written about why the period after go-live is more dangerous than most institutions assume, and the same logic applies during cutover. 

E-21 doesn't pause during a major program. If anything, supervisory expectations rise, because you're carrying additional change risk on top of steady-state operational risk. You need three things: a BCP that reflects the dual-running state where you're partially on each system, a tested rollback plan (not a theoretical one), and a clear answer to "who has authority to invoke the plan in the middle of a hypercare weekend?" 

If you're also going through a merger on top of the migration, the integration challenges are predictable and they compound resilience risk significantly. Plan for both. 

6. "We've never done scenario testing at the level E-21 expects. Where do we start?" 

Start with tabletop exercises. They're the unit of evidence regulators want to see, and they're the fastest way to generate it before September. 

A clean tabletop, run on a real critical operation, with the right people in the room, an honest scenario, and an action list that gets tracked afterwards, gives you four of the five things on the diagnostic checklist above in a single exercise. It surfaces dependencies you didn't know you had. It tells you whether your tolerances are credible. It produces a documented test result. And it puts your senior management in the room watching the program work, which is itself part of the governance evidence. 

If you haven't run a few tabletops cleanly yet, that's where the September deadline pressure actually lives. Not in writing more documentation, but in producing the evidence that the documentation reflects something real. 

By September 2027, scenario testing needs to extend across all critical operations, and the maturity bar rises: 

  • Tabletops are the starting point, not the destination. They exercise decision-making and communication well. To test whether your systems and people actually hold up under a serious disruption, you eventually need simulations and live-systems testing on top. 

  • Tests should include third parties where possible, and document the gap where they can't be. OSFI's "where possible" is not a get-out-of-testing card. If a critical vendor refuses to participate, the documented good-faith effort to engage them is itself part of your evidence file. 

  • The output is a tracked action list, not a report. A tested plan that didn't surface anything to fix usually means the scenario wasn't hard enough. The point of a test is to find the gaps. 


What If We Test and It Fails?


This is the question almost nobody asks out loud in a first conversation. It sits underneath all six of the questions above, and it usually sounds something like this: 

If I test the plan and it fails, I've documented a problem I'm now accountable for fixing, and I don't know if I have the resources to fix it. So I'd rather not test. 

This is human, and it's almost universal. It's also the thing OSFI's supervisory model is designed to surface. Selective supervisory reviews during the transition period mean that the institutions that find the gaps internally first are in a much stronger position than those whose gaps are surfaced for them. 

The good news: a structured gap assessment doesn't have to start as an audit. It can start as a diagnostic that maps where you are against where E-21 expects you to be, in a contained, time-boxed way that doesn't put a finding on the record before you're ready. 

That's why we built one. 


Where to Start


If you're inside a federally regulated Canadian bank or credit union and you've read this far, the next step is straightforward: get an honest read on where your program sits against E-21, before September 1. 

We've put together a free Business Resilience Assessment that surfaces the gaps without putting a finding on record. It takes about 20 minutes. It will tell you the five things most likely to come up in a supervisory review and the order to address them in. 

If you'd rather have the conversation directly, our Business Continuity and Disaster Recovery practice supports Canadian FRFIs through the full E-21 lifecycle, from critical operations identification through scenario testing and remediation. We also work with institutions whose resilience obligations are tangled up with other major programs (core banking replacements, mergers, cloud migrations) where the risk is highest and the regulatory tolerance is lowest. See our work on core banking transformation for context. 

Either way, the deadline is fixed. The work isn't, and there's still time. 


This article is part of 2Oaks Consulting's coverage of operational resilience and regulatory readiness for Canadian financial institutions. For OSFI's official guideline text and implementation timeline, see the OSFI E-21 backgrounder.


2Oaks emerged from deep within the banking sector, where our founders personally navigated the challenges of core system modernization. This hands-on experience shaped our unique approach to technology consulting, one that combines technical expertise with practical wisdom. We're not your typical consultancy. As a vendor-neutral partner, we work exclusively for our clients' interests across banking, financial services, retail, and public sectors.

What sets us apart is our commitment to co-creation and knowledge transfer. We work alongside your team, ensuring that our solutions aren't just implemented but truly integrated into your organization. Our lean, efficient approach eschews unnecessary complexity in favour of practical, results-driven outcomes. Whether you're facing a system transformation, technology upgrade, or strategic shift, reach out to 2Oaks to discover how our principled, authentic approach can drive your success.
