What is Operational Resilience as per OSFI Guideline E-21?

Operational Resilience Definition and Overview

As defined in OSFI Guideline E-21, Operational Resilience is the ability of a financial institution to continue delivering critical operations through disruptive events. It involves a strategic and integrated approach that ensures critical business functions continue to operate smoothly, even in the face of unexpected challenges, which could be, but are not limited to:

• Technology Failures

• Third-party disruptions

• Infrastructure outages

• Cyber incidents

• Pandemics

• Control failures

• Ransomware

• Data breaches

• Natural disasters

Operational Resilience recognizes the inevitability of disruptions, including simultaneous ones. It refers to an organization's ability to anticipate, prepare for, respond to, recover from, and adapt to disruptions in its operational environment. Therefore, Operational Resilience:

1. Demands preparation.

2. Requires responsiveness.

3. Involves recovery.

4. Encourages learning.

5. Necessitates adaptation.

As the Federally Regulated Financial Institutions (FRFIs) refine its operational resilience approach, the underlying operational risk management should shift from a business-unit focus to a holistic consideration of end-to-end operations. Organizations with operational resilience anticipate and acknowledge disruptions, responding, adapting, recovering, and learning from such events.

What are the steps to achieve Operational Resilience by FRFIs?

With an emphasis on delivering critical functions amid disruptions, FRFIs are recommended to follow the main steps outlined in OSFI Guideline E-21:

1. Identifying and mapping critical operations with all dependencies

2. Establishing tolerance levels for disruption to critical operations

3. Executing scenario testing and analysis across severe but plausible scenarios

4. Integrating Operational Resilience Framework in the existing enterprise-wide Risk Management Framework

Operational Resilience Framework encompasses various elements, including business continuity management, disaster recovery, crisis management, third-party risk management, technology and cyber-risk management, and the ability to adapt and learn from disruptions.

Operational resilience is not a one-time initiative; it is an ongoing commitment to staying agile, responsive, and well-prepared in the face of a dynamic and unpredictable business environment. As per Operational Resilience, it is essential for institutions to foster a culture of adaptability and learning within the workforce.

What are the Expected Outcomes with Operational Resilience Framework?

According to OSFI's Guideline E-21 on Operational Resilience and Operational Risk Management, the following outcomes are expected to be achieved by FRFIs:

1. Ensuring the delivery of critical operations.

2. Integrating Operational Risk Management into the Risk Management System framework.

3. Overseeing operational risks while adhering to FRFI's risk appetite.

4. Reinforcing Operational Resilience through Business Continuity Management (BCM), Disaster Recovery (DR), Crisis Management, Technology and Cyber Risk Management, and Third-party Risk Management

Operational resilience goes beyond risk oversight; It requires being initiative-taking, which means strategically strengthening resilience across various specialized areas. Business Continuity Management (BCM) ensures continuity in crucial functions during disruptions, while Disaster Recovery (DR) strategies function as a safety net for data and infrastructure.

Extending its reach, crisis Management prepares organizations to navigate tumultuous scenarios, and Technology and Cyber Risk Management shields against digital threats. Operational resilience embraces Third-party Risk Management to mitigate vulnerabilities introduced by external partners. The constructive interaction of these components creates a robust foundation, enabling businesses to navigate uncertainties with confidence and agility.

#OperationalResilience #OperationalResilienceFramework, #OperationalRiskManagement #OSFIe21Guideline #ResilienceNow #BusinessContinuityManagement #DisasterRecovery #CrisisManagement #TechnologyandCyberRiskManagement #ThirdPartyRiskManagement

References:

1. OSFI Guideline E-21: Operational Resilience and Operational Risk Management (Date: October 2023)

2. OSFI Guideline E-21: Operational Risk Management (Date: June 2016)