Operational Resilience Consultation Results Summary
To: All Federally Regulated Financial Institutions (FRFIs)
Operational resilience is the ability of an institution to deliver its critical operations through disruption. It is regarded by OSFI as a prudential outcome that focuses on the continuity of the most critical operations of an institution, viewed end-to-end. Operational resilience emphasizes preparation, response, and adaptation by assuming disruptions will occur.
From OSFI’s perspective, the pace of digitalization, the complexity of the operating environment (including the third-party ecosystem) and the magnitude and frequency of operational disruption have underscored the importance of operational resilience. At the system level, a disruption to the critical operations of one or more institutions could foreseeably lead to a loss of public confidence in the wider Canadian financial system.
On July 6, 2021, OSFI issued an industry letter to federally regulated financial institutions (FRFIs) on operational resilience. OSFI received a number of responses from FRFIs, industry associations and a technology company.
In summary, respondents told OSFI that:
- Operational resilience should be viewed as an outcome of effective operational risk management, particularly the management of technology, cyber, third party, model, business continuity, compliance, people and process risks;
- OSFI should address operational resilience by including relevant principles in its Guideline E-21; and
- Any guidance in this area should be principles-based and proportionate to a FRFI’s size, nature, scope, and complexity of its operations, and broadly aligned with guidance on operational resilience in other jurisdictions.
While many respondents identified a FRFI’s culture as an important driver of effective operational resilience, some argued culture would not be best addressed through an operational resilience framework. Further, several respondents viewed reputation risk as an outcome of operational and financial risk management, as opposed to a stand-alone risk.
Based on this feedback, OSFI proposes to revise Guideline E-21 to shift the focus of the Guideline towards operational resilience, while continuing to reinforce OSFI’s expectations in relation to operational risk management. The revised Guideline will complement other OSFI guidelines that focus on specific risks and support operational resilience. The revised Guideline E-21 will be proportionate to FRFIs of different size, nature, scope, and complexity of operations.
OSFI also intends to issue a consultative document on culture and reputation risk in Q1 2022.
Respondents will have an additional opportunity to provide feedback on specific OSFI proposals on operational risk and resilience, including draft revisions to Guideline E-21 in 2022.