On November 10, 2023, the Office of the Superintendent of Financial Institutions (OSFI) released a supervisory letter to underscore the importance of effective business continuity plans (BCPs) and disaster recovery planning for federally regulated financial institutions (FRFIs) in preparing for and recovering from the risks of an increasing number and severity of disruptive events (Letter). OSFI outlined its guidance in dealing with such risks for FRFIs in its proposed draft Guideline E-21 – Operational Resilience and Operational Risk Management (Draft Guideline E-21) released on October 13, 2023. Please also refer to the article we previously published on Draft Guideline E-21 on October 20, 2023, for further information: "OSFI releases drafts for Guideline E-21 and the Integrity and Security Guideline."

FRFIs operate in a complex risk environment and face threats to their operations such as control failures, third-party disruptions, infrastructure outages, technology failures, geopolitical incidents, pandemics and natural disasters. This article provides a summary of the Letter and applicable guidance for FRFIs from Draft Guideline E-21, Guideline B-13 – Technology and Cyber Risk Management (Guideline B-13), and Guideline B-10 – Third-Party Risk Management (Guideline B-10) in addressing the concerns raised by OSFI in the Letter. Guideline B-13 becomes effective January 1, 2024, while Guideline B-10 becomes effective May 1, 2024. OSFI is currently conducting consultations on Draft Guideline E-21 and accepting comments until February 5, 2024.

Letter

In OSFI's view, the frequency and severity of disruptive events are, and will continue to be, on the rise. The Letter addresses the importance of implementing and maintaining effective BCPs, disaster recovery planning, management of critical third parties and scenario testing, all of which are key components of operational resilience, as outlined in Draft Guideline E-21. Brief summaries of OSFI's expectations for each of these components are set out below.

BCPs

OSFI has proposed that FRFIs implement effective BCPs to prepare for, respond to, recover from, and learn and adapt following disruptive events. Sound practices for BCPs include, among other things: internal decision-making protocols for invoking the BCP; roles and responsibilities for managing disruptions to critical operations; recovery objectives, including recovery levels and recovery times; and initiatives to provide training and raise awareness so that staff can respond and adapt. Please refer to Draft Guideline E-21 for OSFI's proposed expectations relating to business continuity management in the context of operational resilience.

FRFI BCPs should address severe but plausible situations, including prolonged disruptions and multiple simultaneous disruptions, where a third party could fail to continue providing service. Third parties should be required to regularly test their own business continuity and disaster recovery programs as they pertain to services provided to the FRFI.

FRFIs should also conduct testing to identify potential deficiencies and gaps within BCPs. Please refer to Guideline B-10 for additional information.

Disaster recovery planning

FRFIs are expected to establish and maintain an Enterprise Disaster Recovery Program to support their ability to deliver technology services through disruption and operate within their risk tolerance. The disaster recovery program should be aligned with the FRFI's business continuity management program. For additional expectations pertaining to disaster recovery planning, please refer to Guideline B-13.

Management of critical third parties

OSFI defines third-party arrangements as any type of business or strategic arrangement between the FRFI and an entity(ies) or individuals, by contract or otherwise, excluding arrangements with FRFI customers (e.g., depositors and policyholders) and employment contracts. Such arrangements include, among other things, critical services for the FRFI, minor support arrangements and strategic arrangements where no service is actually being provided. OSFI expects the FRFI to manage the risks related to all third-party arrangements and to retain accountability for business activities, functions and services outsourced to a third party. Critical operations are those services, products or functions of an FRFI which could put the continued operation of the FRFI, its safety and soundness, or its role in the financial system at risk if disrupted. Third-party arrangements should be in alignment with the FRFI's risk appetite and managed in proportion to their level of criticality and risk. FRFIs are expected to have contingency plans for critical third-party arrangements. Please refer to Guideline B-10 for additional considerations with respect to criticality and third-party arrangements.

Scenario testing

OSFI has proposed that FRFIs develop and regularly conduct scenario testing to assess the potential impact of severe risk events and evaluate their ability to deliver critical operations within established tolerances for disruption. Scenario testing should be conducted for, among other things, large-scale technology failures and power outages, critical third-party interruptions, pandemics, natural disasters and cyber incidents. Please refer to Draft Guideline E-21 for additional information as to OSFI's expectations in this regard.

Next steps

Over the next 18 months, OSFI intends to issue questionnaires to select groups of FRFIs seeking general information on their BCPs, disaster recovery plans, relevant critical third parties and related testing.

In light of the foregoing and Guidelines B-10 and B-13 coming into effect in 2024, we recommend that FRFIs carefully review and determine whether any enhancements are necessary to their disaster recovery plans, BCPs, third-party risk management framework and/or scenario testing to keep pace with the rapid evolution of threats and to address a range of severe but plausible scenarios.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.