Volume 2 — Governance and ControlsGovernance and Controls © Copyright 2002, All rights reserved 44 2.0 Energy Trading Systems Process Overview One of the key components of a sound energy trading and marketing infrastructure is a risk management system. This system should be used to capture deal terms, document and manage physical scheduling, value transactions, document approvals and validations, and calculate risk and return metrics. The actual system used may vary by company because of differences in business objectives and the markets in which a company makes transactions. Objective Ensure that the information systems used to support trading and risk management operations have the capability, security, and data integrity to properly serve the business. Best Practices and Controls • Employee access to the system should be limited, and security should be established by location, application, function and data. • Security clearances should be approved by direct supervision. • Formal procedures should be established whereby a single system owner, independent of the front office, sets up counterparties, commodities, products, books, and locations. • Reference data (names, curves, models, limits, etc.) should be reviewed periodically as appropriate (at least annually) to verify accuracy and should be linked to or coded into the system to minimize human error. • The risk systems should be able to capture all energy transactions or positions, disaggregate risks by component parts, capture forward curves, capture volatilities and correlations, calculate MTM and P&L, value optionality in the portfolio, set user security by book of business and functionality, and contain a detailed audit trail/change log by user ID. • Controls should be established to ensure that changes to prices, volumes, and other deal terms are not changed without proper authorization once captured. Alternatively, if these terms are changed, the system should alert the middle office that a confirmation is needed. • All mission-critical systems should have 24-hour availability and should be backed up systematically once a day at a minimum. • Hard copies should be retained for all transaction data not stored electronically. • All data storage (electronic and hard copy) should be kept offsite in a secure location. • Complete business continuity plans should be maintained and tested and should include a site at which to continue operations if events prevent access to the trading floor.