Our hedge fund clients often have to go through due diligence with new investors, who ask about the risk controls (and systems!) they have in place.
Risk control goes beyond just software, and there are excellent risk control frameworks that consultants like Deloitte, Accenture, and Slalom Consulting provide. A lot of ink has been spilled on the two primary sources of information that must flow into a risk management system. These two sources, trades and market data, are required to perform risk management reporting such as exposure reports, VaR, etc.
Our view comes from how easy software controls can help you quickly get started. These are the salient points from our experience. Notably:
Trades: Traditional ETRM software defaults to allowing traders to enter the deals they've already made, into the software. The standard approach should be to have a system download the trades directly from the exchange (like NYMEX, ICE, NASDAQ, EEX). The idea is that no human ever touches the trade before it hits results.
Market Data: Market data should also arrive with as little human involvement as possible. Then the system can mark untouched deals against untouched data, and generate up to the minute exposure, VaR, and other reports.
FCM/Member Statements: Comparing system-generated positions and P&L, against bank statements can also be a helpful control; confirming that the reports sent to investors match positions and cash at the bank.
There is much more operational, process, and organizational control that can be built around this, of course -- but not letting people fat finger or manipulate data goes a long way. And it's easy.