Document properties
- Type of publication: Industry letter
- Date: December 6, 2022
- To: Federally Regulated Financial Institutions (FRFIs)
In July 2021, OSFI conducted a consultation on ways to position operational risk and resilience within its principles-based guidance framework. Based on feedback to that consultation, OSFI proposed to revise Guideline E-21: Operational Risk Management to shift the focus of that Guideline towards operational resilience, while continuing to reinforce its expectations in relation to operational risk management.
Achieving operational resilience involves:
- Identifying a FRFI’s critical operations and mapping the internal and external dependencies (people, systems, processes, third parties, facilities, etc.) required to support critical operations;
- Establishing tolerances for disruption in respect of each of the FRFI’s critical operations;
- Conducting scenario testing to gauge the ability of the FRFI to operate within its limits or tolerances for disruption in a range of severe but plausible scenarios; and
- Identifying and addressing any risks to the FRFI’s ability to operate within its limits or tolerances for disruption as part of both mapping and scenario testing.
OSFI is aware some FRFIs have begun designing and implementing their own programs towards achieving operational resilience. Until Guideline E-21 is revised, issued and in effect, OSFI expects FRFIs to use the following foundational definitions:
“Operational risk” is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risk includes legal risk but excludes strategic and reputation risk.
“Operational resilience” is the ability of a FRFI to deliver its operations, including critical operations, through disruption. It is a prudential outcome of effective operational risk management. For a FRFI to be considered operationally resilient, it must be able to deliver through disruption at least its most critical operations. Operational resilience emphasizes preparation, response, recovery, learning, and adaptation by assuming disruptions, including simultaneous disruptions, will occur. Among other things, it includes resilience to technology and cyber risks.
“Critical operations” are the services, products or functions of a FRFI which, if disrupted, could put at risk the continued operation of the FRFI, its safety and soundness, or its role in the financial system.
“Tolerance for disruption” is the limit of disruption (for example, outage time, diminishment of service, loss of data, or extent of customer impact) from any type of operational risk that a FRFI is willing to accept given a range of severe but plausible scenarios. Tolerances should be established for each critical operation of a FRFI and should take into account the compounding impact of related services, products or functions being disrupted simultaneously.
“Scenario testing” uses a hypothetical future state of the world to define changes in risk factors affecting the FRFI’s operations. This will normally involve changes in a number of risk factors, as well as ripple effects: other impacts that follow logically from these changes and from related management and regulatory actions. Scenario testing is typically conducted over the time horizon appropriate for the business and risks being tested. As it pertains to operational resilience, scenario testing would assess the FRFI’s ability to operate within its tolerances for disruption in a range of severe but plausible scenarios.
OSFI will hold a public information session on operational risk and resilience in the first quarter of 2023 and expects to publish draft revised guidance for consultation in spring 2023.