OM-2.4.2
The risk assessment should — amongst other things — include an analysis of:
(a) the business case;
(b) the suitability of the outsourcing provider; and
(c) the impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.