Home

About Us

PnL Explained Professionals FAQ

Site Map

Glossary

Membership

Contact Us

           

Main Page by Topic

A. PnL Explained

B. CTRM Software

C. Statistics

 

 

Vendor Risk for CTRM Systems – Audit and Audit-Assist Checklist

 

See Also:  Vendor Risk Management

See Also:  Vendor Risk Mitigation

 

Overview

 

This page provides recommended practices for a firm using a Big CTRM system around the concept of a ‘Vendor Risk Audit’, also known as a ‘Vendor Risk Assessment’, and provides a must-see checklist to help with that. 

 

The Checklist helps you save time by giving you the best starting point for an easy, speedy and comprehensive review.

 

The results of following the Checklist, i.e., the responses that you get, form the contents of your Vendor Risk Registry and Mitigation Plan.

 

Background – The Initial Vendor Review

 

We are all familiar with the idea of a trading firm including a Vendor Risk Assessment as part of a Vendor Selection project for a CTRM system.  For example, asking about the financials of the Vendor to make sure they are well capitalized.

 

It especially important for firm when there is a big-budget project or there is a long term strategic decision at stake.  Firms want to ensure that the significant resources they dedicate to a particular CTRM software package are not wasted. 

 

Period Vendor Risk Audit

 

The risk profile of a particular Vendor and their software can change over time.  So if it has been a few years since your initial implementation, now is the time for you to review the current situation with your Vendor.

 

Industry best practices call for a Vendor Risk Audit every two years.  Or sooner in the case of a material event, such as if your CTRM Vendor is acquired.

 

The idea is to revisit your initial Vendor Risk Assessment and update it to keep it current as times and situations change.

 

Vendor Risk Registry

 

The Vendor Risk Registry document is what you when you complete the Checklist below.  It contains your assessment of your risk level as well the Risk Mitigation strategies you are pursuing.

 

Vendor Risk Registry and Mitigation Plan as CYA

 

The primary purpose of having a Vendor Risk Registry document and Mitigation Plan is avoiding unwanted and unwelcome outcomes in the first place. 

 

However, if a Vendor Risk Event happens, such as the Vendor de-supporting a certain software package that your firm has invested significate resources in extending and customizing, having an up-to-date Vendor document, with the information covered by the Vendor Risk Audit-assist checklist can help a person in the systems-ownership hot seat. 

 

Vendor Risk Checklist and Planning: Benefits

 

Benefits include:

1) By understanding with more clarity your firm’s Vendor Risk Profile, your firm can hopefully avoid issues in the first place, i.e., issued caused by a Vendor Risk Event or similar situation.

2) If there is a Vendor Risk Event, having a better understanding of things as well as following appropriate Vendor Risk Mitigation strategies will help a firm move forward.

3) Help avoid ‘gotchas’ from a Vendor’s licensing terms.

4) Help avoid wasting resources by putting too much resources into a product that has limited Vendor and/or future market support.

 

Vendor Risk Checklist

 

Note: The full description for the Checklist Items including instructions and comprehensive and clarifying information follows, just after the Checklist below.

 

Checklist Section 1) CTRM Vendor Health  

 

Section 1 items are the ones you simply ask the Vendor for Info.  A well-run Vendor Firm should have this information at the ready, meaning it shouldn’t take much time on their end to get this to you for your records, i.e., your Periodic Vendor Risk Assessment/Audit.

 

#

Item

Instructions/Notes

1.1

Financial Health Check

Ask for the same sort of Financials you would ask in an Initial Vendor Selection. 

1.2

Product Road Map

Ask for a Production Road Map of the planned features.

1.3

User Conferences

Get the planned user conferences schedules and note if the trend is stable or negative.

1.4

Product Development Resources

Ask about and look for negative changes to either the number of people or the quality

1.5

Technical Support

Ask about and look for negative changes to the level of support and the Help Desk

1.6

‘Nickle and Diming’

‘Nickle and Diming’ in the practice of charging for things that used to be or are expected to be free.

1.7

Sales Resources

Ask about and look for Sales Resources jumping ship.  This can be a forward-looking indicator of a future Vendor Risk Event.

1.8

Older Tech

Make an assessment if the technology used by the software is considered modern and up-to-day.

1.9

‘Spaghetti Code’

Ask about the maintainability of the code base.  Hard-to-maintain software limits the productivity of the development resources.

1.10

Relationship with Consulting Firms

Ask your Vendor about their relationship with Consulting Firms in general as a matter of philosophy and with specific firms.  Look for negative changes as increasing Vendor Risk.

 

 

Checklist Section 2) Licensing

#

Item

Instructions/Notes

2.1

License Key

Document the license key situation with your Vendor, especially with regard to expiration dates.

2.2

Licensing Type. Perpetual?  Term?

Describe the Type of Licensing you have with your Vendor. Is it perpetual?  Or for a limited term?

2.3

Term License Renewal Terms and ‘Gotchas’

For firms who have a term license, e.g., for certain number of years.  Document the details.   Including any ‘Gotchas’.

 

Checklist Section 3) Firm-specific Risks and Planning

#

Item

Instructions/Notes

3.1

Create a Plan

Create a documented Plan describing the Vendor-risk mitigation strategies you are employing

3.2

Risky Software Features

Identify the top 3 to 5 parts of the system that are risky to the firm. 

3.3

Custom code

Document the extent of your custom code.  This applies to CTRM systems that have a built-in programming language. 

3.4

Consequences

Describe and document the consequences for your firm if the Vendor goes out of business or if you otherwise lose support for your CTRM system.

a) in a 2-year time Horizon

b) in a 5-year time Horizon

3.5

Strategic versus Tactical

Document for internal-to-your-firm consensus and planning if the CTRM system is viewed as ‘Strategic’ or ‘Tactical’. 

 

 

Vendor Risk Checklist – Full Description of Each Item in the List

 

Checklist Section 1) CTRM Vendor Health

 

1.1) Vendor Financials

Ask for the same sort of Financials you would ask in an Initial Vendor Selection.  Check Capitalization and if the Vendor is not carrying a risky debt load.

 

1.2) Product Road Map     

Ask for a Production Road Map of the planned features.  With a healthy vendor, they should be able to provide you with a good plan for the product’s future. 

 

If they don’t have a good plan, that could mean their product is at risk.  For example, if the Vendor acquired multiple similar products, there is a question if they’ll favor one over the other.  You’ll want to avoid the case where the software your firm is using is the one left to atrophy away.

 

As a side benefit, getting the Product Road Map can help your firm feel good about your annual investment in maintenance payments, i.e., feel that you are getting your money’s worth.

 

1.3) User Conferences

Typically Vendor will have period user conferences, customer roundtable and/or similar type events to allow for their clients to

a) Share experiences with other users

b) Interact with the Software Designers and Developers and

b) Coordinate and/or vote on preferences for future enhancements

 

As part of a Vendor Risk assessment, see if such activities have been and continue to be stable.  An example of a ‘negative event’ would be if the software your firm uses previously got a dedicated user conference and now gets a shared user conference with other software packages that the Vendor supports, perhaps from an acquisition.

 

1.4) Product Development Resources

Ask about and look for changes to either the number of people or the quality.

a) For example, if the number of people working on your software packaged dropped from 100 to 20 since the last Vendor Risk Assessment. 

b) The headcount number only tells part of the story.  There is also the quality of the people.  Has the firm experienced a Brian Drain where the original designers and builders of the software have left, leaving a new set of people who don’t understand things so well?

c) What you are interested in here is how many people have a Working Knowledge of each particular area of the system.  People with a Working Knowledge already understand how it is designed and coded and can get right to work on bug fixes and enhancements.  New people who don’t have such a good understanding will need to spend some time upfront researching things, reducing their productivity and effectiveness. 

 

1.5) Technical Support

Ask about and look for negative changes to the level of support and the Help Desk.

 

For example, in previous years the front line person that you would call and talk with would have some product knowledge and be able to help directly.  And maybe that deteriorates such that when you call in you just get a call center.  Or perhaps the Vendor takes away the ability for firms to call in to a Help line.

 

1.6) ‘Nickle and Diming’

‘Nickle and Diming’ in the practice of charging for things that used to be or are expected to be free.

 

Here is an example of that practice. 

Previously: Your firm used to be able to contact the Vendor’s Technical Support Help Desk and the front line support person could bring in the original developer onto the call to help answer a question or resolve an issue.

Currently: The Vendor stops that friendly practice and instead makes your firm pay an hourly rate for everything, including basic questions about functionality.

 

1.7 Sales Resources  

Ask about and look for Sales Resources jumping ship.  This can be a forward-looking indicator of a future Vendor Risk Event.

 

1.8 Older Tech    

Make an assessment if the technology used by the software is considered modern and up-to-day.

 

1.9 ‘Spaghetti Code’  

Ask about the maintainability of the code base.  Hard-to-maintain software limits the productivity of the development resources.

 

1.10 Relationship with Consulting Firms      

Ask your Vendor about their relationship with Consulting Firms in general as a matter of philosophy and with specific firms.  Look for negative changes as increasing Vendor Risk.

 

In fact, there is no bigger single indicator of a CTRM Vendor where ‘the walls are closing in’ than having the situation where they shut out the Consulting firms, i.e., System Integrators and System Customizers, so that the CTRM firm can try to make a bit more cash in the current fiscal year.

 

In other for a CTRM system to be successful in the long term, you need an ecosystem of consultants around it, trained up in the system and with a corresponding knowledge of a trading firm’s business. 

 

This is especially true for Commodities due to the strong localizations needed by market.  For example, how you trade Mexican Power can be quite different than the European markets for Power, e.g. Nord Pool.  Or variations by commodity, e.g., special considerations for Softs, e.g., Cocoa, versus Natural gas.

 

No CTRM firm is going to have subject matter expertise in all of the commodities and of the localized way that they trade.  That is one of the key areas where consulting firms fill the gaps.

 

If you think of the total costs for a Big CTRM implementation as ‘a Pie’ and each slice represents a part, including

a) the licensing fees

b) the consulting fees around configuring and customizing the software

c) other items such as building interfaces for downstream consumers, trade feeds and prices feeds

d) hardware costs, such as for hosting, e.g. managed service for hosting in the Cloud.

 

Then having a vendor switch to a strategy of trying to get ‘the whole pie’ for themselves it one of the biggest ‘red flags’ in terms of Vendor Risk. 

 

When a firm shuts out consultants, what happens is that the consultants in the industry, valued because of their market and locality-based knowledge of commodities, shift to coalesce around competing systems, and there are many in this market. 

 

That leaves the short-sighted Vendor, yes, getting more of ‘the pie’, but, for them, it is not good news, since their ‘Pie’ get smaller and smaller over time, relative to what it would be if ‘software companies focus on the software and consulting companies focus on the hardware’.

 

 

Checklist Section 2) Licensing

 

2.1) License Key

 

Does your CTRM system require a license key from the Vendor?  Does it have an expiration date?  Such that the system will stop working after that date?  What would happen if the Vendor is not around to provide an updated key?

 

2.2) Licensing Type – Perpetual or Term

Software licensing will come in two flavors:

 

A) Perpetual: One original licensing Payment.  And then, typically, annual maintenance payments of 15% to 30% of the original License Cost.   E.g., if the original license is $50k per person, maintenance at 20% would be $10k/year. 

 

With a Perpetual License, firms can continue to use the CTRM software forever, even if they stop paying the annual (or periodic) maintenance.  However, if they do stop paying the periodic maintenance fees, they would typically lose access to the Vendor’s Technical Support Desk and lose access to new versions of the Software. 

 

B) Term.  With a Term license, firms immediately lose the right to use the software at the end of the Term.  That could also mean losing access to the software, e.g., if the software is hosted on the Cloud by the Vendor, or if a License Key expires, limiting access to various features of the software.

 

2.3) Term License Renewal Terms and ‘Gotchas’

Carefully and attentively document any of the ‘Gotcha’ items from the Licensing Agreement with your CTRM Vendor.

This is often called ‘the fine print’, referring to provisions in the contract which are buried deep in the document and/or otherwise are not highly visible. 

This is especially when working with a Big CTRM vendor, where the relative power of each party often favors the Big CTRM Vendor.

 

As an example, if you have a multi-year Term licensing agreement with the Vendor, when would you need to give notice that you don’t plan to renew. 

 

As a very scary scenario for any firm, under some onerous terms, it may be possible for a firm to switch off a Bit CTRM vendor while in the middle of a multi-year licensing term and, not only have to pay for several years additional, even after they stopped using the system, the firm may be committed, unawares, for another term, if they don’t take the extra step of submitting the legal notice to the Vendor that they do not want to auto-renew.

 

Checklist Section 3) Firm-specific Risks and Planning

 

3.1) Create a Plan     

Create a documented Plan describing the Vendor-risk mitigation strategies you are employing

 

3.2) Risky Software Features  

Identify the top 3 to 5 parts of the system that are risky to the firm.

Common parts include:

a) Trade interfaces from an exchange

b) Confirmation interfaces, e.g., to ICE eConfirm

c) Support for third-party software like Windows, Citrix, Oracle or MS SQL.

d) Support for any Regulatory feeds, e.g., CFTC big trade, FERC reporting, etc.

 

3.3) Custom code

Document the extent of your custom code.  This applies to CTRM systems that have a built-in programming language. 

 

Some firms may have 100s of thousands of lines of custom code, written using a Vendor’s proprietary APIs. 

 

Of all of the items most at risk, for many firms, this is by far the biggest risk to their Vendor.

 

If they feel uncertain about the future of their Vendor, especially a Big CTRM vendor, firms should consider stop coding new business logic in the Vendor’s proprietary code and instead put that same business logic, e.g., for a report or extract, into one of the many other options available, such as Beacon. 

 

3.4) Consequences    
Describe and document the consequences for your firm if the Vendor goes out of business or if you otherwise lose support for your CTRM system.

a) in a 2-year time Horizon

b) in a 5-year time Horizon

 

3.5) Strategic versus Tactical  

Document for internal-to-your-firm consensus and planning if the CTRM system is viewed as ‘Strategic’ or ‘Tactical’.  You might be surprised how powerful it is it to simply do this labeling. 

 

For a system considered ‘Tactical’, it is understood that some work may be throwaway work until a better, long term, strategic solution is found.  And that is OK.  So long as it is understood and it is a choice.

 

For a system considered ‘Strategic’, a trading firm will view that system as

a) Something they’ll be committing significant resources to, in terms of budget for enhancements and upgrades and also in terms of hiring up resources skilled in that specific system, which are potentially extensive.

b) A system that they believe will give them a competitive advantage versus other firms that are taking a more middle-of-the-road type approach to their technology.


For a Tactical system

a) If you have some medium-sized project, e.g., for 3 months, perhaps you’ll get consultants to do the work, e.g., if your employees don’t have the time or the skill set. 

b) You may want to defer expensive, high-risk, all-or-nothing upgrades.  E.g., for a strategic system, you might want to upgrade every 3 years.  For a tactical system, you might be forced to upgrade every 5 years.  That is one upgrade cycle, and all of the costs and risk associated with it, saved, on average every 10 years. 

 

 

Introduction to CTRM

Click on this link for a great introduction to CTRM software: Introduction to CTRM Software

 

 

Home

Site Map

Contact Us