Resilience thinking for engineering leaders.

E-21 is the deadline everyone's watching, but OSFI's 2026 agenda goes further — E-23 model risk and AI governance, expanded cyber and integrity mandate, capital adequacy changes, crypto-asset rules, and revised penalties. Here's the full regulatory landscape in one place.

Ten things you should have done by now for OSFI E-21 compliance. Score yourself honestly — critical operations identified? Dependencies mapped? Tolerances set and defensible? Find out whether you're on track, behind, or in trouble.

OSFI E-21 full adherence is due September 1, 2026. If critical operations aren't identified, dependency maps aren't drawn, and disruption tolerances are just recycled RTOs — here's what you can realistically get done in five months, and what the UK's experience tells you about the pitfalls.

A single routing misconfiguration at Rogers took down a quarter of Canada's internet, disabled Interac debit payments for 18 million daily transactions, knocked out 911, and cost the economy $142 million. It reshaped how Canada regulates operational resilience — and created OSFI E-21.

Email looks like three components. Map the dependencies underneath and you'll find twenty systems, conflicting RTOs, and at least one single point of failure nobody knew about. Try this exercise with your team in 30 minutes.

The technical mapping is the easy part. The real reason every dependency map is outdated is governance — nobody wants to own it, nobody wants to fund what it reveals, and nobody wants to be accountable when it drifts.

Your team set a one-hour RTO for email. The outage lasted eleven hours. The email platform recovered in 45 minutes — nobody could reach it. RTOs are dependency chains, not single numbers. Here's why yours is probably fiction.

The BCM software market is projected to hit $2.2 billion. Most of that spend goes to tools that manage plans — not tools that test whether those plans are right. Here's what's missing and what the next generation looks like.

Every company has a process for keeping continuity docs in sync with infrastructure changes. We ask teams to submit updates at time of change. We all know that doesn't happen. Here's why sync breaks down and what actually fixes it.

85% of organizations have a BCP. The number who keep it current, tested, and aligned with what their infrastructure actually looks like today is much, much smaller. Here's what actually happens — and what it takes to fix it.

Operational resilience modeling builds a testable representation of how your organization delivers critical services, then stress-tests it against realistic failures. With DORA, FCA/PRA, and OSFI E-21 now demanding evidence over assertions, static plans are no longer enough.

Infrastructure dependency mapping discovers and visualizes how every service, database, and API in your stack connects. If this one thing fails, what else breaks? Most engineering teams can't answer that question. Dependency mapping exists to make the invisible web of connections visible — before something goes wrong.

AWS powers more than 90% of Fortune 100 companies. When it goes down, the internet doesn't just slow — entire industries stop functioning. Here is every major AWS outage since 2017, what cascaded, and what it cost.

If your organization operates in financial services, healthcare, government, or critical infrastructure, you are legally required to maintain a documented business continuity plan. The vast majority are fulfilling this obligation with Word documents and static spreadsheets that go stale the week they're published.

The concept of a Minimum Viable Company is gaining serious traction. Popularized by PwC's Global Centre for Crisis and Resilience, the idea is deceptively simple: if a major disruption hit your organization tomorrow, which services absolutely must keep running for the business to survive?