Business Resiliency Practice

The 2Oaks Business Resiliency Practice helps organizations build and prove operational resilience under one team: business continuity planning, disaster recovery, regulatory compliance, and ISO 22301 certification. We work with financial institutions, public sector organizations, and other regulated enterprises that need a Business Continuity Management System (BCMS) that satisfies regulators and functions under real disruption. Whether you are preparing for an OSFI Guideline E-21 examination, refreshing a stale continuity plan, recovering from an outage, or pursuing ISO 22301 certification, our consultants deliver the strategy, documentation, testing, and audit support required to get there. 

Operational disruption is no longer a question of if. Cyber events, vendor failures, system outages, weather, and regulatory shocks all affect day-to-day operations. The organizations that recover well are the ones that planned, tested, and embedded resilience before the disruption arrived. Regulators have moved in step: OSFI E-21, FFIEC expectations, FCA operational resilience rules, and the ISO 22301 standard now set out specific demands for evidence, not just intent. We help organizations close the gap between the plan on paper and the response

Business Resilience

Planning Matters.

Our consultants deliver the full scope of business resiliency work required to plan for, respond to, and recover from operational disruption: 

  • Business continuity planning, business impact analysis (BIA), and recovery strategy development 

  • Disaster recovery planning, infrastructure resilience design, and failover testing 

  • Operational resilience programs aligned with OSFI Guideline E-21, OCC, FFIEC, and FCA expectations 

  • ISO 22301 readiness, implementation, internal audit, and certification audit support 

  • Crisis management frameworks, communication protocols, and tabletop, functional, and full-scale exercises 

  • Third-party and vendor resilience oversight 

  • Board reporting, examination preparation, and audit-ready evidence packaging

Our Point of View:

The Practice is built around six positions we hold consistently across every engagement: 

  • Resilience That Works. Plans are designed to function under pressure, not just to satisfy a checklist. We test end-to-end and capture what actually happened, not what was supposed to happen. 

  • Regulatory Depth. Hands-on experience with OSFI Guideline E-21, OCC, FFIEC, FCA, and other supervisory frameworks, paired with practical evidence packaging for examinations. 

  • ISO 22301 End-to-End. Readiness assessment, management system design, documentation, internal audit, and certification audit support, with an outcome that delivers operational resilience rather than a certificate in isolation. 

  • Embedded, Not Adjacent. Continuity capability is built into operations, system changes, and vendor relationships so it stays current, instead of being refreshed once a year and ignored the rest of the time. 

  • Executive-Ready Reporting. Board reporting, metrics, and dashboards that show program health honestly, so leadership and regulators see the same picture your operations team does. 

  • Multi-Jurisdictional Coverage. Practical experience harmonizing requirements across Canadian, U.S., and U.K. regulatory regimes so organizations operating across borders do not maintain four overlapping programs. 

Services within the Practice

Partner with 2Oaks to build resilience capability that protects enterprise value, satisfies regulatory expectations, and gives your organization confidence that recovery is more than a plan on paper. 

Your Questions Answered:

We already have a business continuity plan. Why would we need 2Oaks?

Most organizations we work with already have a business continuity plan. The issue is usually not that the plan does not exist. It is that the plan has not kept up with system changes, has not been tested end-to-end, or has never been exercised in a way that builds real organizational response.

Our consultants help you find the gap between the plan on paper and what would actually happen in a disruption, and then close it. Scott Wilson's article When Things Go Wrong: What Business Continuity Planning Actually Requires covers this in more depth, including why resilience is an ongoing practice rather than a one-time project.

What industries does the Business Resiliency Practice serve?

Our heaviest concentration is in financial services: banks, credit unions, insurers, and payments organizations operating under OSFI, OCC, FFIEC, or FCA supervision. We also work with public sector organizations, healthcare, and infrastructure providers where operational disruption carries regulatory or public-interest consequences.

The Practice's regulatory depth is built on experience in supervised environments, so it tends to be most useful to organizations where examiners, auditors, or board risk committees are asking specific questions about resilience.

What does an OSFI E-21 readiness engagement look like?

OSFI Guideline E-21 sets specific expectations for operational resilience at federally regulated financial institutions, with particular focus on critical operations, severe-but-plausible scenarios, impact tolerances, and third-party dependencies. A typical readiness engagement starts with mapping your current state against E-21's specific clauses, identifying critical operations and the tolerances around them, testing the dependencies behind those operations, and building the evidence package OSFI examiners will look for.

Engagement length depends on starting maturity, but most institutions need three to six months of focused work. Our article OSFI E-21 Is Four Months Away: The Questions Most Canadian Banks and Credit Unions Are Asking covers the questions institutions are raising most often as the deadline approaches.

Do you work alongside our internal team or replace it?

Alongside, almost always. Most of our clients have internal business continuity, risk, audit, or compliance teams who own the program day-to-day. Our role is to add specialist depth where it is needed (ISO 22301 implementation experience, OSFI examination preparation, BIA methodology, exercise design, multi-jurisdictional regulatory mapping) and to transfer that capability to your team as we go. We are not a managed service. By the end of an engagement, your team should own the result, not depend on us to maintain it.

How long does ISO 22301 certification take?

Honestly, it depends on where you start. Organizations with a mature BCMS already aligned to ISO 22301 concepts can be ready for a Stage 1 certification audit in six to nine months. Organizations starting closer to scratch, or those with significant scope or multi-site complexity, typically need twelve to twenty-four months to build, document, exercise, and internally audit the management system before a certification body audit makes sense.

We provide a readiness assessment early in the engagement so the timeline is grounded in evidence rather than optimism. See our ISO 22301 Implementation and Audit service page for the full scope of what implementation involves.

Can you help us prepare for a regulatory examination on short notice?

Yes, and this is one of the more common ways clients first engage with us. Short-notice examination preparation is a focused engagement, typically four to eight weeks, where we conduct a mock examination, identify the evidence gaps that would cause findings, package what you have into an examiner-ready format, and coach your leadership team on how to respond to questioning.

The work cannot create a program that does not exist, but it can substantially improve how well an existing program presents under scrutiny. Scott Wilson's article on The Risks You Didn't Know You Had covers some of the hidden dependencies that examination preparation often surfaces for the first time.