Do you know where your risks are? And why “Audit” is not a dirty word…

Companies with commodity production, merchandising and marketing, trading or hedging operations routinely operate in financial and physical commodities markets to manage commodity risk and to drive financial performance. 

This is commonly achieved by using a variety of strategies that are fit for purpose for the individual company. However, persistent risks associated with commodity market activities are embedded throughout the commodity transaction life cycle and may result in significant economic, financial, regulatory or reputational consequences if they are not properly controlled. Internal audit functions are also increasingly focused on addressing a number of related high-profile risks.

Market price risk 

Given the historic level of commodity price fluctuation, inadequate market risk management controls may lead to unacceptable market price risk. 

Fraud and rogue-trader risk 

The risk of fraud and rogue-trader activities is ever-present; inadequate controls across the commodity transaction life cycle may enable fraud and rogue-trader activities. 

Credit and liquidity risk 

The challenging economic environment in commodities markets has impacted the credit and liquidity standing of companies and their counterparties; inadequate controls may lead to unacceptable credit and liquidity risk. 

Model risk 

Complex spreadsheet models are widely used as operational tools within the system landscapes of commodities market participants; inadequate controls may lead to the use of incorrect data when transacting in markets and monitoring the related risks. 

Business transformation risk 

Business transformations driven by the dynamic economic environment can create process and control gaps and introduce risk in otherwise well-controlled organizations. 

Commodity trading and risk management (CTRM) system implementation risk 

The implementation of a CTRM system may introduce significant risks through the inadequate implementation of system-based or system-enabled controls. 

Cybersecurity risk 

Critical and proprietary financial and operational data is maintained in CTRM systems; inadequate cybersecurity controls may lead to financial and operational risks.

Audits that have a positive impact: key questions to consider

Business transformation risk

Objective: Assess current state and future state processes and controls

  • How have policies and controls been adapted to manage the risks of new business activities — are more robust policies and controls required to keep up with more complex activities? 
  • How have organizational changes impacted the segregation of duties across key front, middle, and back-office processes?

Commodity trading and risk management (CTRM) system implementation risk

Objective: Assess the risks in the future state of business processes and the use of a CTRM package’s native functionality to support the design of future state controls

  • Has the CTRM’s full suite of native control functionality been assessed for applicability to future state processes and controls?
  • Have future state processes been reviewed, both system- and non-system-based, for risk and control implications?

Cybersecurity risk

Objective: Assess the process and technology controls to protect data in the CTRM and related technology ecosystem

  • Have the CTRM, key spreadsheets and other sensitive transaction data been secured from both internal and external threats? 
  • Have the risks of a cybersecurity incident been considered for both the ability to transact competitively in markets and the ability to operationally manage transactions across the transaction life cycle?

Full-scope front-to-back-office review

Objective: Assess design or operational effectiveness of the processes and controls across the transaction life cycle

  • Do the front, middle and back-office controls reflect industry practices? 
  • Are policies being complied with and are the related controls designed and functioning as management expects?

Nevertheless, despite all its benefits, modernisation is often met with resistance.

Considering the challenges and risks

Two major arguments are typically used when talking about a software modernisation initiative. Those are the time and costs involved.

Indeed, a solution that took a team of developers years to implement cannot be re-created in a week, even if you hire twice as many developers to handle the task. 

Challenges that derive from legacy modernisation include the following:

  • Personnel are usually unwilling to adjust to management changes. Motivation, training, and coaching will push them in that direction but will entail additional risk and cost.
  • If there are multiple legacy systems within one corporation, their modernisation should be articulated and prioritised in a corporate program that considers the required effort and time window for each system individually. By contrast, simultaneous modernisation may lead to a catastrophic impact that is not easily absorbed. Come up with a sound strategy and roadmap and do not, do not, do not have knee-jerk reactions that lead to re-prosecuting your strategic decisions! Everyone needs to be on board and on the same page. Flip-flopping is a major risk, so be mindful of it.
  • If you are not doing a full replacement of an app, legacy code should be handled with extra care, even if some pieces of it can appear to be no longer relevant and in need of replacement. For the same reason, it is important to make sure while migrating that the underlying software will comply with the new data interchange rules and requirements dictated by client applications and support resources.
  • Having to deal with countless lines of code that only address a given corporate process can be a real headache, especially if there is a skills shortage.

Besides these challenges, there are multiple risks to avoid. Here are some of the reasons for legacy modernisation effort failure:

  1. The organisation inadvertently adopts a flawed or incomplete strategy.

  2. The organisation makes inappropriate use of outside consultants and outside contractors.

  3. The workforce is tied to old technologies with inadequate training programs.

  4. The organisation does not have its legacy system under control.

  5. There is too little elicitation and validation of requirements.

  6. Software architecture is not a primary modernisation consideration.

  7. There is no notion of a separate and distinct “modernisation process.”

  8. There is inadequate planning or inadequate resolve to follow the plans.

  9. Management lacks long-term commitment.

  10. Management predetermines technical decisions far too prematurely.

Successful modernisation programs require a solid strategy and great attention to detail. 


Today’s post has been a light touch focused on preparation for a modernisation strategy. My next post will start to point you toward some additional best practices on how to execute a well-founded strategy.

Regardless of your chosen approach and techniques, software modernisation is a complex, labour-intensive, and risky process. If done well, the results are well worth the risk.

Top analysts are predicting that digital modernisation will attain macroeconomic scale over the next three to four years, changing the way enterprises operate and reshaping the global economy. 

“More than half the global economy turns digital by 2023 requiring new species of enterprise to compete and thrive.”

To live up to the demands of the new digital modernisation economy, organisations have to cease relying on outdated software and modernise their core technologies. Enterprises will benefit only when they stop seeing modernisation as a one-time project and embrace it as a continuous improvement cycle.

“Change is now the norm. Just as our clients set a course based on their understanding of the technology landscape, that landscape changes. CXOs must accept that change is constant and work out how to get on the front foot – to shape change rather than being controlled by it.” 

Jason Novobranec, Chief Operating Officer, Implementary

How can we help?

Taking advantage of third-party expertise might be of great help. We at Implementary handle every aspect of legacy-system modernisation: from analysing the current solution, developing a solid business strategy, and prioritising the features to rebuilding your product from scratch, using the latest technologies and architecture solutions.

How can you connect with us?

We’d love to hear about your journey. Did reflecting on legacy system modernisation help?

About the Author

Jason Novobranec is Implementary’s Chief Operating Officer.

With over 20 years of Consulting, Program Management & Senior Leadership experience, Jason has delivered initiatives for large multi-national / multi-regional organisations as well as SMEs and is an expert in shaping solutions to fit a customer’s project needs.