• OM-2.4 OM-2.4 Risk assessment

    • OM-2.4.1

      Licensees must undertake a thorough risk assessment of an outsourcing proposal, before formally notifying the Agency and committing itself to an agreement.

    • OM-2.4.2

      The risk assessment should — amongst other things — include an analysis of:

      (a) the business case;
      (b) the suitability of the outsourcing provider; and
      (c) the impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.

    • OM-2.4.3

      In assessing the suitability of the outsourcing provider, the licensee should amongst other things consider its financial soundness, its technical competence, its commitment to the arrangement, and its reputation.

    • OM-2.4.4

      Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider and the on-going impact of the agreement on their risk profile and systems and controls framework. Such reviews should take place at least every year.

    • OM-2.4.5

      A licensee must nominate a member of senior management with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed. This person should be notified to the Agency as part of the notification required under section OM-2.3 above.