Backgrounder: Guideline E-21, Operational Risk and Resilience
Overview
Guideline E-21 sets our expectations for financial institutions to prepare for and recover from severe disruptive events. It enhances expectations for operational risk management and establishes new ones related to operational resilience, business continuity risk management, crisis management, change management, and data risk management.
Why it's important
Operational risks can evolve into financial risks if left unchecked. Identifying, assessing, managing, and monitoring operational risks, therefore, contributes to the safety and soundness of financial institutions. Effective operational risk management also contributes to an institution's integrity and security by preventing control failures that can be exploited by ill-intended actors and result in fraud, legal challenges, and reputation events.
Today's financial institutions operate in a complex risk environment, with increasing risks to their operations from:
- internal control failures
- third-party disruptions
- infrastructure outages
- technology failures
- cyber and geopolitical incidents
- pandemics
- natural disasters
Robust operational risk management and resilience enhance the ability to prevent, detect, respond to, and recover from adverse events, while continuing to deliver critical operations.
Links to other guidelines
Guideline E-21 is a foundational guideline, supporting risk management in other areas that contribute to operational resilience such as Guideline B-13, Technology and Cyber Risk Management and Guideline B-10, Third-Party Risk Management.
These risk areas are closely linked, and financial institutions should carefully consider their connections. For example, financial institutions should implement measures to mitigate cyber threats and also ensure that third parties providing services have robust measures safeguarding against threats. Effective management of these risk areas will help institutions be prepared to respond, recover, and learn from disruptions of any kind.
History of Guideline E-21
Guideline E-21 first came into effect in 2016, setting out expectations for financial institutions' operational risk management.
In 2021, we asked financial institutions for their perspectives on operational resilience. Based on their feedback, we revised Guideline E-21, placing greater emphasis on operational resilience while maintaining operational risk management expectations.
In 2022, we published key definitions related to operational resilience in an industry letter. This was followed by the release of the revised draft Guideline E-21 in October 2023 for a 3-month public consultation process.
Effective date
Final Guideline E-21 was published on August 22, 2024. Financial institutions are expected to immediately adhere to operational risk management expectations in sections 1 and 2. There is a phased implementation approach for other expectations in the guideline, with full adherence and operationalization expected by September 1, 2026.