Energy Credit Best Practices – Chapter: Information Technology http://ccro.org © Copyright 2022, CCRO. All rights reserved. 27 3.4.2 Controls A vital component of a Credit Information Ecosystem is the ability to create a robust control environment. This system should be used to capture credit ratings, manage limits, document approvals, provide credit documentation, and calculate exposure and return metrics. The actual system may vary by the company because of differences in business objectives and the markets in which a company makes transactions. Best practices for controls include: • Employee access to the system should be limited, and Security should be established by location, application, function, and data • Security clearances should be approved by direct supervision • Formal procedures should be established whereby a single system owner, independent of the front office, sets up counterparties, commodities, products, books, and locations • Reference data (contract information, exposure, models, limits, etc.) should be reviewed periodically as appropriate (at least annually) to verify accuracy and should be linked to or coded into the system to minimize human error • The Credit Informational Ecosystem should be able to capture all transactions or provide credit rating, disaggregate risks by contractual obligation, credit terms, capture GL information, calculate PFE, concentration risk in the portfolio, calculate credit charge, set user Security by portfolio segmentation, and contain a detailed audit trail/changelog by user ID • Controls should be established to ensure that changes to counterparty data, confirmations, and other deal terms are not changed without proper authorization once captured. Alternatively, if these terms are changed, the system should alert the middle office that confirmation is needed • All mission-critical systems should have 24-hour availability and should be backed up systematically once a day at a minimum • All data storage be kept in a secure location. and • Complete business continuity plans should be maintained and tested and should include a site to continue operations if events prevent access to the trading floor. 3.4.3 System Documentation Modern Systems are not static, and they evolve over time. A review should occur regularly to ensure that all the critical system documentation is up to date. This eases the onboarding of new credit analysts and ensures operational continuity in a disaster or the normal churn of staff over time. 3.4.4 Auditable Change Record Monitoring all changes in the system (configuration, business data, etc.) is necessary for most audits and assists in troubleshooting business and technical problems. Particular to credit, being