On November 10, 2023, the Office of the Superintendent of Financial Institutions (OSFI) released a supervisory letter to underscore the importance of effective business continuity plans (BCPs) and disaster recovery planning for federally regulated financial institutions (FRFIs) in preparing for and recovering from the risks of an increasing number and severity of disruptive events (Letter). OSFI outlined its guidance in dealing with such risks for FRFIs in its proposed draft Guideline E-21 – Operational Resilience and Operational Risk Management (Draft Guideline E-21) released on October 13, 2023. Please also refer to the article we previously published on Draft Guideline E-21 on October 20, 2023, for further information: “OSFI releases drafts for Guideline E-21 and the Integrity and Security Guideline.”
FRFIs operate in a complex risk environment and face threats to their operations such as control failures, third party disruptions, infrastructure outages, technology failures, geopolitical incidents, pandemics and natural disasters. This article provides a summary of the Letter and applicable guidance for FRFIs from Draft Guideline E-21, Guideline B-13 – Technology and Cyber Risk Management (Guideline B-13), and Guideline B-10 – Third-Party Risk Management (Guideline B-10) in addressing the concerns raised by OSFI in the Letter. Guideline B-13 becomes effective January 1, 2024, while Guideline B-10 becomes effective May 1, 2024. OSFI is currently conducting consultations on Draft Guideline E-21 and accepting comments until February 5, 2024.
In OSFI’s view, the frequency and severity of disruptive events is, and will continue to be, on the rise. The Letter addresses the importance of implementing and maintaining effective BCPs, disaster recovery planning, management of critical third parties and scenario testing, all of which are key components to operational resilience, as outlined in Draft Guideline E-21. Brief summaries of OSFI’s expectations for each of these components are set out below.
OSFI has proposed that FRFIs implement effective BCPs to prepare, respond, recover, learn and adapt to disruptive events. Sound practices for BCPs include, among other things, internal decision-making protocols for invoking the BCP, roles and responsibilities for managing disruptions to critical operations, recovery objectives, including recovery levels and recovery times and initiatives to provide training and raise awareness so that staff can respond and adapt. Please refer to Draft Guideline E-21 for OSFI’s proposed expectations relating to business continuity management in the context of operational resilience.
FRFI BCPs should address severe but plausible situations, including prolonged disruptions and multiple simultaneous disruptions, where a third party could fail to continue providing service. Third parties should be required to regularly test their own business continuity and disaster recovery programs as they pertain to services provided to the FRFI.
FRFIs should also conduct testing to identify potential deficiencies and gaps within BCPs. Please refer to Guideline B-10 for additional information.
Disaster recovery planning
FRFIs are expected to establish and maintain an Enterprise Disaster Recovery Program to support their ability to deliver technology services through disruption and operate within their risk tolerance. The disaster recovery program should be aligned with the FRFI’s business continuity management program. For additional expectations pertaining to disaster recovery planning, please refer to Guideline B-13.
Management of critical third parties
OSFI defines third-party arrangements as any type of business or strategic arrangement between the FRFI and an entity(ies) or individuals, by contract or otherwise, excluding arrangements with FRFI customers (e.g., depositors and policyholders) and employment contracts. Such arrangements include, among other things, critical services for the FRFI, minor support arrangements and strategic arrangements where no service is actually being provided. OSFI expects the FRFI to manage the risks related to all third-party arrangements and retain accountability for business activities, functions and services outsourced to a third party. Critical operations are those services, products or functions of a FRFI which could put the continued operation of the FRFI, its safety and soundness, or its role in the financial system at risk if disrupted. Third-party arrangements should be in alignment with the FRFI’s risk appetite and managed proportionate to the level of criticality and risk. FRFIs are expected to have contingency plans for critical third-party arrangements. Please refer to Guideline B-10 for additional considerations with respect to criticality and third-party arrangements.
OSFI has proposed that FRFIs develop and regularly conduct scenario testing to assess the potential impact of severe risk events and evaluate their ability to deliver critical operations within established tolerances for disruption. Scenario testing should be conducted for, among other things, large-scale technology failures and power outages, critical third-party interruptions, pandemics, natural disasters and cyber incidents. Please refer to Draft Guideline E-21 for additional information as to OSFI’s expectations in this regard.
Over the next 18 months, OSFI intends to issue questionnaires to select groups of FRFIs seeking general information on their BCPs, disaster recovery plans, relevant critical third parties and related testing.
In light of the foregoing and Guidelines B-10 and B-13 coming into effect in 2024, we recommend that FRFIs carefully review and determine whether any enhancements are necessary to their disaster recovery plans, BCPs, third-party risk management framework and/or scenario testing to keep pace with the rapid evolution of threats and to address a range of severe but plausible scenarios.
For more information on this topic, please do not hesitate to contact a member of Dentons Canada’s Corporate & Regulatory Insurance group.