On August 22, 2024, the Office of the Superintendent of Financial Institutions Canada (OSFI) released the final version of Guideline E-21: Operational Risk Management and Resilience (the Guideline), applicable to federally regulated financial institutions conducting business in Canada, including federally regulated insurers (Insurers). OSFI’s release of the Guideline comes after the completion of a public consultation period in early 2024 regarding the draft version of the Guideline. We previously published an article providing further background on the draft version of the Guideline released by OSFI in the fall of 2023.
The final version of the Guideline is substantially similar to the draft Guideline.
This article provides a brief overview of the changes OSFI implemented in the final version of the Guideline in response to feedback received during the consultation period, and of the implications for Insurers conducting business in Canada.
Overview of changes in the final Guideline
OSFI provided commentary regarding certain changes made to the final version of the Guideline based on feedback received during the public consultation period. Such changes are summarized in further detail below.
(a) Guideline structure and terminology
Matters related to operational risk management precede those dealing with operational resilience in the final version of the Guideline, making it more intuitive for the reader. OSFI also included simplified language with the overarching goal of making the Guideline easier to understand.
(b) Scenario testing and analysis
OSFI also clarified the following with respect to matters related to scenario testing and analysis:
- OSFI’s listing of operational risk management tools is not exhaustive;
- scenario analysis is still relevant and focuses on identifying and assessing the impact, controls and mitigating actions of operational risks at the business unit level and enterprise-wide;
- scenario testing goes further to test whether critical operations can remain within tolerances for disruption on an end-to-end basis, across multiple business lines, in severe but plausible circumstances;
- the frequency of scenario testing should align with risk and criticality, but when significant changes in the risk environment arise, scenario testing should take place outside the regular cycle of such testing; and
- critical third parties should be involved in scenario testing where possible (acknowledging that third-party participation in scenario testing may not always be possible).
(c) Change management
Respondents requested that OSFI provide flexibility to scale change management activities to align with the type of change initiated by the financial institution. The final version of the Guideline clarifies that change management activities should apply to significant changes.
(d) Phased implementation of the Guideline
In response to industry feedback, OSFI has made the expectations in the Guideline subject to a phased implementation (as discussed further below).
Implications for federally regulated Insurers conducting business in Canada
OSFI is implementing the expectations in the Guideline using a phased approach, as set out below:
- The expectations set out in sections 1 and 2 of the Guideline (Governance and Operational Risk Management, respectively) are effective as of the release date of the Guideline (August 22, 2024).
- Insurers will have until September 1, 2025, to be in compliance with section 4 of the Guideline. For context, section 4 of the Guideline deals with matters related to key areas of operational risk management that strengthen operational resilience.
- By September 1, 2026, OSFI expects Insurers (including other federally regulated financial institutions) to be in full compliance with the Guideline. OSFI recognizes that although operational resilience programs will mature over time, Insurers should have completed identification, mapping and setting tolerances for disruption of their critical operations.
- Insurers should also develop their scenario testing methodology and begin the testing process so that by September 1, 2027, testing has been completed for all critical operations.
During the implementation period, OSFI plans to selectively conduct supervisory work to assess institutions’ progress in implementing their operational resilience programs. OSFI will also continue to assess whether Insurers have effective operational risk management practices in place. This is similar to the approach OSFI has taken in respect of other risk categories, including third-party risk management and capital and liquidity risk.
Insurers should confirm that their internal compliance processes include review and implementation of the Guideline, including the above-noted implementation milestones.
For more information on this topic or any questions regarding the interpretation or implementation of the Guideline, please contact the authors, Laurie LaPalme, Derek Levinsky, Marisa Coggin or Jesse Collins-Swartz, or reach out to a member of Dentons Canada’s Corporate and Regulatory Insurance group.