• OM-2.4 OM-2.4 Risk Assessment

    • OM-2.4.1

      Licensees must undertake a thorough risk assessment of an outsourcing proposal, before formally submitting a request for prior approval to the CBB and committing itself to an agreement.

      January 2014

    • OM-2.4.2

      The risk assessment must – amongst other things – include an analysis of:

      (a) The business case;
      (b) The suitability of the outsourcing provider including but not limited to the outsourcing provider's financial soundness, its technical competence, its commitment to the arrangement, its reputation, its adherence to international standards, and the associated country risk; and
      (c) The impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.
      Amended: October 2017
      January 2014

    • OM-2.4.3

      [This paragraph was deleted in October 2017].

      Deleted: October 2017
      January 2014

    • OM-2.4.4

      Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider and the ongoing impact of the agreement on their risk profile and systems and controls framework. Such reviews must take place at least every year.

      January 2014

    • OM-2.4.5

      A licensee must nominate a relevant approved person with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed. The name of this person must be communicated to the CBB as part of the request for prior approval required under Section OM-2.3 or if any change occurs thereafter. Any subsequent replacement of such person must also be notified to the CBB.

      Amended: October 2017
      January 2014