Platform Platform overview Modules Solutions Industries Commodities Roles Quant More Pricing Customers Knowledge Center Blog Company Request Demo
Knowledge Center · Whitepaper

Cloud-native ETRM: an architecture whitepaper

Why a single governed data model, event-driven processing, API-first access, and elastic compute are the defining shift in trading technology, and what it means for cost, change, and trust.

35 min read · Back to Whitepapers · Data dictionary

Abstract

For thirty years, the architecture of energy and commodity trading and risk management (ETRM/CTRM) systems has been an afterthought, hidden beneath discussions of features, asset-class coverage, and vendor reputation. This paper argues that architecture is now the decisive factor. The systems that trading organisations struggle with most are not deficient in features; they are deficient in structure. They are collections of separately built modules, each with its own copy of the truth, held together by a permanent, expensive, error-prone activity: reconciliation.

A cloud-native ETRM is not simply an old system moved to a cloud data centre. It is a system designed around a different set of principles: a single governed data model that every function reads from, event-driven processing that keeps the whole system current in real time, API-first access so that every capability is a programmable interface rather than a locked screen, and elastic compute that scales to the burst nature of valuation and risk. These principles are not independent features to be checked off; they reinforce one another, and their combination changes the economics of running a trading desk.

This paper sets out those principles in depth, examines the architectural patterns that implement them, and connects each to a concrete business consequence: lower total cost of ownership, faster change, cleaner integration, and analytics that can be trusted because they are computed from the same governed model as the book. It is written for the people who must evaluate, buy, build, or modernise trading technology, and it aims to give them a durable framework for judging architecture rather than a snapshot of any one product.

Who this paper is for, and how to read it

This paper is written for four overlapping audiences. Chief technology officers and heads of trading technology will find an argument they can use to justify architectural investment to a board that is used to thinking in features. Enterprise and solution architects will find the patterns, with enough detail to evaluate a vendor claim or design an in-house build. Heads of trading, risk, and operations will find the connection between an architectural choice and the daily experience of their desks: how fresh the numbers are, how long a change takes, how much effort is spent reconciling rather than deciding. And selection teams running a formal evaluation will find a structure they can turn into evaluation criteria.

How the paper is organised

The paper is built as a sequence of modules that can be read in order or consulted individually. The early modules establish the problem and the principles; the middle modules go deep on each architectural pillar; the later modules address the practical questions of security, migration, and economics that determine whether an architecture can actually be adopted.

  1. The reconciliation tax. Why the dominant cost of legacy ETRM is structural, not featural.
  2. Principles of cloud-native systems. What cloud-native actually means, beyond the marketing.
  3. The single governed data model. The canonical model, the source of truth, and bitemporal history.
  4. Event-driven architecture. Streaming, event sourcing, and how a booked trade fans out in real time.
  5. API-first design. Why every capability should be an interface, and what that unlocks.
  6. Compute and the two-speed valuation architecture. Elastic risk and valuation at the right cadence.
  7. The data and analytics layer. Governed marts, the semantic layer, and trustworthy BI.
  8. Security, resilience, and multi-tenancy. The properties that make an architecture safe to run.
  9. Migration. Moving from a legacy landscape without a big-bang cutover.
  10. The economics. A total-cost-of-ownership model and the build-versus-buy question.

A note on scope: this paper is about architecture, not about any single vendor. Where it describes the Gravitas approach, it does so as a worked example of the principles, not as the only way to realise them. The principles are what matter; they can be implemented well or badly by anyone.

Module 1, The reconciliation tax

Begin with the daily experience of a trading organisation running a typical legacy landscape. A trade is agreed on the phone or a platform. It is entered, or flows, into a front-office system. That system has its own database and its own representation of the trade. Overnight, or several times a day, an extract of that trade is sent to a risk system, which has a different database and a different representation. A separate feed goes to a settlements or back-office system, with yet another representation. Finance takes another extract into the general ledger. Regulatory reporting takes another. Each of these systems was, very likely, bought or built at a different time, from a different vendor, on a different data model.

Now ask a simple question: what is the net position of the desk in a given contract, right now? In a landscape like this, there is no single answer. There is the front office answer, the risk answer, and the back office answer, and they routinely differ, because they are computed from different copies of the trade population, captured at different times, transformed by different logic. The work of making them agree is reconciliation, and it is not a marginal activity. In many organisations it is the single largest consumer of operational effort in the middle and back office.

Why reconciliation is a tax, not a feature

Reconciliation produces nothing that a customer or a trader values. It does not improve a price, reduce a risk, or win a trade. It exists solely to correct for the fact that the same information is stored in several places that were never designed to agree. That is why it is best understood as a tax: a levy on every trade, paid in staff time, in delayed numbers, and in the mistrust that grows when two systems disagree and no one is sure which is right.

The tax has three components. The first is the direct labour: teams whose job is to run reconciliations, investigate breaks, and correct them. The second is latency: because reconciliation is usually a batch process, the numbers a desk relies on are as of the last run, not as of now. A position taken this morning may not be fully reflected in risk until tonight. The third, and most corrosive, is the erosion of trust. When the front office and risk disagree about a number, the organisation cannot act with confidence until the disagreement is resolved, and every such disagreement is a small tax on decision-making.

The hidden scale of the problem

Because reconciliation is spread across many teams and systems, its true cost is rarely measured in one place. It appears as headcount in operations, as delays in reporting, as project cost whenever a new instrument or market has to be threaded through every system, and as risk whenever a break goes undetected. A feature comparison of two ETRM systems will never surface this cost, because it is not a feature; it is a property of the architecture. Two systems with identical feature lists can differ by an order of magnitude in the reconciliation burden they impose, depending entirely on whether their functions share one model or maintain many.

Where the tax comes from, precisely

It is worth being precise about the mechanism, because the precision points directly at the cure. The reconciliation tax arises whenever the same business fact is represented independently in more than one place. A trade is a business fact. A position is a business fact derived from trades. A valuation is a business fact derived from positions and market data. In a fragmented landscape, each of these facts is recomputed, and stored, independently in several systems, from inputs that are themselves independently maintained. Every independent representation is an opportunity to disagree, and every opportunity to disagree eventually becomes an actual disagreement that someone must investigate.

This observation is the seed of the entire paper. If the tax comes from independent representation of shared facts, then the cure is to represent each shared fact once, in a model that every function reads from. That single idea, a governed data model shared across the whole trade lifecycle, is the foundation on which every other property of a cloud-native ETRM is built. The remaining modules develop it and its consequences.

Fragmented landscapeFront officeowncopyRiskowncopyBack officeowncopyreconciliationOne governed modelgoverneddata modelFrontRiskBackReporting
Left: every function keeps its own copy of the trade, and a reconciliation layer exists only to make the copies agree. Right: every function reads and writes one governed model, so there is nothing to reconcile.

Module 2, Principles of cloud-native systems

The phrase cloud-native is used loosely, and often dishonestly, in trading technology. A system that has been moved, unchanged, from a company data centre to a rented virtual machine in a cloud region is not cloud-native; it is merely cloud-hosted. It carries all the structural limitations of its original design, now with a monthly cloud bill. To evaluate architecture honestly, it is essential to be precise about what cloud-native actually means.

Cloud-native is a design stance, not a hosting location

Cloud-native describes systems designed to exploit the properties that cloud platforms make available: elastic and effectively unlimited compute and storage, managed services that remove undifferentiated operational work, and the ability to treat infrastructure as disposable and reproducible. A cloud-native system is built to scale horizontally, to tolerate the failure of any individual component, to be deployed and redeployed continuously, and to be reproduced exactly in any environment. None of these properties follows automatically from running in a cloud region; they follow from design choices.

The building blocks

Several building blocks recur in cloud-native systems, and each has a specific relevance to trading technology.

  • Containers. Packaging each service with its dependencies into a container makes it reproducible and portable. The same container runs identically on a developer laptop, in a test environment, and in production, which removes an entire class of works-on-my-machine failures and makes environments trustworthy.
  • Orchestration. A container orchestrator such as Kubernetes schedules containers across a pool of machines, restarts failed ones, and scales services up and down. For a trading system, this is what turns elastic compute from a promise into an operational reality: a risk calculation can claim a hundred machines for ten minutes and release them.
  • Managed services. Using a managed database, message broker, or object store removes the work of patching, backing up, and scaling that infrastructure. The engineering effort saved is redirected to the trading logic that actually differentiates the business.
  • Infrastructure as code. Defining infrastructure in version-controlled code means an entire environment can be created, destroyed, and recreated identically and on demand. For a regulated trading business, this is also an audit and disaster-recovery capability: the environment is a reviewable, reproducible artefact.
  • Horizontal scalability. Designing services so that capacity is added by running more instances, rather than by buying a bigger machine, matches the burst nature of trading workloads and removes the hard ceiling of vertical scaling.

The twelve-factor heritage

Many of these ideas were codified in the twelve-factor methodology for building software-as-a-service applications: treat configuration as environment, keep services stateless and share nothing, treat backing services as attached resources, build and release in clean stages, and dispose of processes freely. These principles are not academic. A stateless, share-nothing risk service can be scaled to a hundred instances during a stress run and back to two afterwards precisely because it holds no state that would be lost. The methodology is the practical grammar of elasticity.

Why this matters for trading specifically

Trading workloads have a particular shape that makes cloud-native design unusually valuable. Risk and valuation are bursty: end-of-day and stress runs demand enormous compute for short windows, then almost none. Market data is spiky and event-driven. Regulatory deadlines create hard, periodic peaks. A system that must be sized for its peak, and that peak sits idle most of the time, is enormously wasteful; a system that scales elastically to the peak and shrinks afterwards pays only for what it uses. The economic argument for cloud-native design is strongest exactly where trading lives: in workloads that are bursty, latency-sensitive, and periodically enormous.

The distinction to hold onto: cloud-hosted asks where the machines are; cloud-native asks how the system is designed. Only the second changes the economics, and only the second is worth paying for.

Module 3, The single governed data model

If the reconciliation tax comes from representing shared facts many times, the governed data model is the cure. It is the most important idea in this paper, and the one from which the rest follow. The principle is simple to state and demanding to implement: every business fact is represented once, in a model that every function of the system reads from and writes to. A trade captured once is the same trade that valuation prices, that risk aggregates, that scheduling operates on, that settlement invoices, and that reporting submits. There is no second copy to reconcile against, because there is no second copy.

Canonical model versus point representations

A canonical data model is a single, authoritative representation of each entity in the domain: the counterparty, the instrument, the trade, the position, the cashflow, the curve. Point representations, by contrast, are the ad hoc shapes each system invents for its own convenience. A canonical model is harder to design, because it must serve every function rather than one, but it is the only structure that removes reconciliation at the source. The design effort is real: a proper canonical model for ETRM spans the legal and contractual layer, reference and master data, market data, the trade and its lifecycle, physical operations, position, valuation, risk, collateral, settlement, accounting, and regulatory reporting. Each of these is a domain in its own right, and the canonical model must represent each faithfully while keeping them consistent with one another.

The payoff for that effort is that consistency becomes a property of the model rather than an outcome of nightly jobs. When valuation and risk read the same position, computed from the same trades, against the same market data, they cannot disagree about the position, because there is only one. Disagreements that remain are genuine differences of method, which is exactly what a risk manager wants to see, rather than differences of bookkeeping, which is what wastes their time.

The source of truth

Closely related is the idea of a single source of truth for each data element. Master and reference data, the counterparties, instruments, books, calendars, and locations that trades validate against, are governed centrally and consumed everywhere. When a counterparty is onboarded once and every function reads that one record, an entire category of error disappears: the error of trading against a counterparty that risk has not yet heard of, or settling to an account that the front office does not recognise. The source of truth is not a database table; it is a governance commitment, enforced by architecture, that there is one authoritative record and everything else references it.

History, versioning, and bitemporality

A trading system must be able to answer questions about the past exactly, not approximately. What was our position as of the close three Tuesdays ago? What curve did we use to value this trade on the day it was struck? What did the risk report say before last week’s correction? Answering these reliably requires that the model retain history, and specifically that it be bitemporal: it must track both when something was true in the world (business time) and when the system came to know it (system time).

Bitemporality sounds like an academic nicety until the first time a regulator, an auditor, or a dispute requires the exact reproduction of a past state. A system that overwrites data as it changes can only tell you what it believes now; a bitemporal system can tell you what it believed then, and when it changed its mind, and why. In a regulated trading business, that is not a luxury; it is the difference between being able to answer a regulator and not. The practical implementation uses slowly changing dimensions that keep full history, effective-dated records with valid-from and valid-to, and immutable versioning of trades, curves, and configuration, so that any historical valuation or report reproduces exactly.

Lineage

The final property of a governed model is lineage: the traceable path from any output back to the inputs and the exact versions that produced it. When a number in a report can be traced to the positions, the market data, the model, and the configuration that produced it, and each of those to its own sources, the organisation can answer the question that reconciliation exists to answer, namely where a number came from, without running a reconciliation at all. Lineage turns the governed model from a static store into an auditable, explainable system of record.

The governed model is the hinge of the whole architecture. Every later property, real-time processing, trustworthy analytics, safe AI, depends on it. A system without it can bolt on streaming and APIs and dashboards, but it will still pay the reconciliation tax underneath, because the shared facts are still represented many times.

sql-- Bitemporal history: reproduce any past state exactly.
-- valid_from/valid_to = business time; sys_from/sys_to = system (knowledge) time.
SELECT trade_id, price, quantity
FROM   trade_versions
WHERE  trade_id = :id
  AND  valid_from <= :as_of_business_date  AND valid_to > :as_of_business_date
  AND  sys_from   <= :as_of_knowledge_time AND sys_to  > :as_of_knowledge_time;
Bitemporality. tracking both when a fact was true in the world (business time) and when the system recorded it (system time), so any past state, and any past belief about the past, can be reproduced exactly.

Module 4, Event-driven architecture

A governed model removes duplication; an event-driven architecture makes the system current. Together they are what turn a trading platform from a set of overnight batch jobs into a system that reflects the present. The idea is that significant occurrences in the business, a trade booked, a price updated, a nomination confirmed, a limit breached, are published as events, and the parts of the system that care about them react immediately.

From batch to stream

Legacy landscapes are overwhelmingly batch: data is collected, then processed in scheduled runs. Batch is simple and has its place, but it imposes latency by construction. If risk is recomputed overnight, then intraday risk is always stale. If positions are aggregated hourly, then for up to an hour the position is wrong. Streaming inverts this: instead of periodically asking what changed, the system is told, as it happens. A booked trade emits an event; valuation, position, risk, and analytics consume it and update. The desk manages the present rather than reconstructing yesterday.

The event backbone

At the centre of an event-driven system is a durable, ordered log of events, commonly implemented with a streaming platform such as Apache Kafka. Producers publish events to the log; consumers read from it at their own pace. The log is the integration fabric: it decouples the producer of an event from its consumers, so that new consumers can be added without touching the producer. A new analytics feed, a new regulatory report, a new real-time dashboard, each simply subscribes to the events it needs. This decoupling is what lets an event-driven system grow without the brittle point-to-point integrations that make legacy landscapes so hard to change.

Event sourcing and CQRS

Two patterns often accompany an event backbone. Event sourcing records the state of the system as the sequence of events that produced it, rather than only the current state. The current state is a projection of the event history, and because the history is retained, any past state can be reconstructed and any projection can be rebuilt. This dovetails with the bitemporal requirement of the governed model: the event log is, in effect, the system-time history of the business.

Command Query Responsibility Segregation, or CQRS, separates the path that changes state (commands) from the path that reads it (queries). This matters in trading because the two have utterly different shapes: writes are transactional and must be correct and ordered; reads are often analytical, aggregating across huge position sets, and benefit from being served by purpose-built read models. Separating them lets each be optimised independently, so that a heavy risk query does not slow down trade capture, and trade capture does not block analytics.

Fan-out: the booked trade

The clearest way to see the value of event-driven design is to follow a single booked trade through the system. In a batch landscape, that trade sits in the front-office database until the next scheduled extract, then travels, hours later, to risk, then later still to settlement, arriving in each as a slightly different copy. In an event-driven system on a governed model, the booking emits one event. Valuation prices the new trade and updates the book’s value. Position aggregation updates the net position. Risk updates exposure and limit utilisation, and if a limit is breached, emits its own event that alerts the desk. Scheduling picks up any physical obligation. Analytics marts update. All of this happens in seconds, from one event, against one model. The trade is never copied; it is referenced.

Ordering, idempotency, and exactly-once concerns

Event-driven systems introduce their own engineering discipline. Events must often be processed in order, or at least in a way that respects causal dependencies, because a trade amendment that arrives before the trade it amends is meaningless. Consumers must be idempotent, able to process the same event twice without double-counting, because at-least-once delivery is far easier to guarantee than exactly-once. These are solved problems, but they are real work, and a serious event-driven ETRM must address them explicitly. The reward for that discipline is a system whose every part is current, and whose integration surface is a clean, append-only log rather than a web of fragile extracts.

Trade bookedevent logValuationPositionRisk & limitsAnalytics martsseconds,not hours
One booking emits a single event to the log; valuation, position, risk, and analytics each consume it and update within seconds. The trade is referenced, never copied.
python# A booked trade emits ONE event; consumers react. No copies, no reconciliation.
def on_trade_booked(trade):
    event = TradeEvent(type="TRADE_BOOKED", trade_id=trade.id, version=trade.version)
    event_log.publish(event)          # single append to the durable log

# Each consumer subscribes independently and updates from the same event.
@subscribe("TRADE_BOOKED")
def valuation_consumer(event):
    position = positions.apply(event)  # one governed position
    npv, greeks = pricer.value(position, market.snapshot())
    book_value.update(event.trade_id, npv, greeks)   # live book stays current

Module 5, API-first design

The third pillar is API-first design: the principle that every capability of the system is exposed as a programmable interface, and that those interfaces are designed first, as the primary product, rather than bolted on afterwards. In an API-first system, the user interface is just one consumer of the same APIs that external systems, analytics, and automation use. Nothing is locked behind a screen.

Why the screen is the wrong boundary

In many legacy systems, a capability exists only as a screen. To get the data behind it, an integrator must scrape the screen, export a file, or reach into the database directly, each of which is fragile and unsupported. The screen is the wrong boundary because it was designed for a human, not a program, and because it hides the capability behind a presentation. API-first inverts this: the capability is the interface, and the screen is one way of driving it. Anything the screen can do, a program can do, through a supported, versioned, documented API.

The interface styles and where each fits

A complete API-first platform offers several interface styles, because different integration needs have different shapes.

  • REST for request-and-response over resources: fetch a trade, submit a trade, list positions. It is the workhorse, simple and universally understood.
  • GraphQL for flexible querying, where a consumer needs to fetch a specific shape of data across several entities in one round trip without the server having to anticipate every query. It suits analytical and UI consumers that need to ask precise questions.
  • Webhooks and event APIs for push-based, real-time integration: instead of polling for changes, a consumer registers to be notified when something happens. This is the external face of the event backbone.
  • Streaming interfaces for continuous data, where a consumer needs a live feed of prices, positions, or risk rather than periodic snapshots.

The same APIs serve the UI

The discipline that makes API-first real, rather than aspirational, is that the platform’s own user interface is built on the same public APIs. When the UI has no privileged back door, the APIs are necessarily complete, because anything the product itself needs is available through them. This is the difference between a system with an API and an API-first system: in the former, the API is a partial afterthought; in the latter, it is the whole surface, proven by the fact that the product runs on it.

What API-first unlocks

The consequences reach across the whole lifetime of the system. Integration with enterprise systems, an ERP such as SAP or Oracle, a data warehouse, a treasury system, becomes a matter of calling supported interfaces rather than commissioning a bespoke, brittle project each time. Automation becomes possible: straight-through processing, automated hedging, programmatic reporting, all built on the same interfaces. And the cost of integration falls across the platform’s whole life, because each new integration reuses the same stable surface rather than inventing a new one. In a landscape where integration is often the largest hidden cost of ownership, this is a first-order economic effect, not a convenience.

API-first is also what makes an ETRM composable: because every capability is an interface, an organisation can assemble the platform it needs from best-of-breed parts that speak to one another through APIs, rather than accepting a monolith. Composability is a direct consequence of taking interfaces seriously.

Governed coreRESTGraphQLWebhooksStreamingOwn UIERP / SAPAnalyticsAutomation
Every capability is exposed as REST, GraphQL, webhook, and streaming interfaces over one governed core. The product’s own UI is just another consumer of the same APIs, which is what proves they are complete.

Module 6, Compute and the two-speed valuation architecture

Valuation and risk are the most compute-intensive activities in a trading system, and their demands are profoundly uneven. A continuous stream of small updates, revalue this book as the curve ticks, coexists with periodic enormous batches, compute portfolio VaR, run a full stress suite, calculate xVA across every counterparty. Designing compute for this shape is where cloud-native elasticity pays off most directly, and where a well-designed architecture separates itself from a merely hosted one.

The two-speed pattern

A robust design splits valuation and risk into two cadences. The fast path produces frequent, incremental updates: as trades book and prices move, net present value and the primary Greeks are recomputed for affected positions, keeping the live book current for the desk. This path is optimised for latency and runs more or less continuously. The slow path runs scheduled, compute-heavy batches: full-portfolio VaR and Expected Shortfall, stress and scenario suites, PFE and xVA, regulatory measures. This path is optimised for throughput and correctness, and it is where elasticity matters, because it can claim a large pool of compute for a bounded window and release it.

The two speeds serve different questions. The fast path answers what is my risk right now, well enough to trade on. The slow path answers what is my risk to a regulatory or board standard, computed thoroughly. A system that tries to serve both from one cadence either makes the live book too slow or the regulatory numbers too approximate. Separating them lets each be right.

Elasticity in practice

The slow path is the canonical case for elastic compute. A full historical-simulation VaR across a large portfolio, or a Monte Carlo xVA calculation, is embarrassingly parallel: the same revaluation is performed across thousands of scenarios or paths, and those can be spread across many machines. A cloud-native system schedules that work across a pool that scales up for the run and down afterwards, so the organisation pays for a hundred machines for the ten minutes it needs them, not for a hundred machines standing idle all day. This is the concrete form of the economic argument made earlier: the workload is bursty, so elastic compute converts a large fixed cost into a small variable one.

Valuation as a stateless service

The pattern that makes this possible is treating valuation and risk as stateless services: given a position, a market snapshot, and a model, compute a value or a sensitivity, holding no state between calls. Statelessness is what allows a service to be scaled to a hundred instances and back, because no instance holds anything that would be lost. It also allows valuation to be reproduced exactly, because a valuation is a pure function of its inputs, the position, the versioned market snapshot, and the model, all of which the governed model can supply as of any date. Reproducibility and elasticity turn out to be the same property viewed from two angles.

Engines and the separation of concerns

A mature design separates the pricing engine, the risk engine, and the scheduling of runs into distinct services with clear interfaces. The pricing engine values instruments; the risk engine aggregates sensitivities and computes portfolio measures; the scheduler orchestrates when and how runs happen. This separation lets each evolve independently, lets pricing models be added without touching risk aggregation, and lets the compute strategy change without rewriting the analytics. It is the same principle of clean interfaces that runs through the whole architecture, applied to the most demanding workload.

Governed positions + marketFast path: NPV + Greekscontinuous, low latencyticksSlow path: VaR, ES, xVAscheduled, elastic batchbatchscale out, then release
The fast path keeps the live book current with frequent NPV and Greeks; the slow path runs the heavy, parallel measures (VaR, Expected Shortfall, xVA) on elastic compute that scales out for the run and releases afterwards.

Module 7, The data and analytics layer

A trading organisation does not only need to run; it needs to understand itself. P&L attribution, risk analytics, regulatory reporting, management dashboards, and increasingly the data foundation for machine learning all sit on top of the operational system. In a fragmented landscape, this analytical layer is built from extracts of the many operational systems, and it inherits all their inconsistencies: the analytics disagree with the book because they were built from a different copy. On a governed model, the analytical layer is built from the same source as the book, and the disagreement disappears.

Marts on the governed model

The standard shape for analytics is the data mart: a subject-area dataset, trade, position, P&L, risk, back office, modelled for query rather than for transaction. The important architectural point is not the marts themselves, which are conventional, but that they are built over the governed model, from conformed dimensions defined once and shared across every mart. When the book dimension, the counterparty dimension, and the date dimension are the same in the P&L mart and the risk mart, numbers align across subjects by construction. A figure in a management dashboard ties to a figure in a regulatory report because both descend from the same governed facts.

The semantic layer

Above the marts sits a semantic layer: a business-friendly mapping of named measures and dimensions over the physical tables, so that any business-intelligence tool queries consistent definitions. The value of a semantic layer is that P&L means the same thing in every tool and every report, because it is defined once, centrally, rather than reimplemented in each dashboard. This is governance applied to analytics: the definitions of the numbers are themselves a governed asset. Without it, every analyst reinvents the measures, and the organisation drifts back toward the very inconsistency the governed model was meant to remove.

Lineage and drill-down

Because the analytical layer descends from the governed model, it inherits lineage: a number in a dashboard can be traced down through the mart, to the positions and market data, to the trades. Drill-down is not a special feature; it is a consequence of the analytics being built on the same model as the operational system, along conformed dimensions, with full lineage. An executive can move from a firm-wide P&L figure to the desk, to the book, to the individual trade, because the path is present in the model.

The foundation for AI

The same governed, lineage-tracked analytical layer is what makes machine learning trustworthy, a theme developed at length in a companion paper. A model trained or prompted on inconsistent data inherits the inconsistency; a model built on a governed analytical layer inherits its consistency and its lineage. The analytical layer is thus not only the reporting surface of the system but the data foundation for everything that comes after it. This is why, in an AI-enabled operation, a single governed model and a trustworthy analytical layer matter more, not less.

Module 8, Security, resilience, and multi-tenancy

An architecture is only adoptable if it is safe to run. Trading systems hold commercially sensitive positions, move large sums, and operate under regulation; the properties that make them secure, resilient, and correctly isolated are not optional extras but preconditions. A cloud-native design addresses these as first-class concerns rather than as afterthoughts, and does so in ways that a lifted-and-shifted legacy system usually cannot.

Security as a property, not a perimeter

The old model of security was the perimeter: a hardened boundary around a trusted internal network. That model fails in a world of APIs, cloud services, and remote access. Cloud-native security is built on identity and least privilege instead: every request, from a user or a service, is authenticated and authorised, and granted the minimum access it needs. Authentication integrates with enterprise single sign-on; authorisation is role-based and fine-grained; secrets are managed centrally rather than embedded in configuration. Encryption is applied both in transit and at rest, as a default rather than a decision. And every consequential action, a trade booked, a limit changed, a configuration edited, is recorded in an immutable audit trail. Security is thus woven through the architecture rather than wrapped around it.

The audit trail as a first-class artefact

For a regulated business the audit trail deserves particular attention. A complete, tamper-evident record of every change to a trade, a price, or a configuration is the backbone of both compliance and reproducibility. It is also, not coincidentally, a natural output of the event-sourced, bitemporal model described earlier: if the system already records every event and retains full history, the audit trail is not a separate subsystem to be built but a view onto the event log. Good architecture makes compliance cheaper by making the compliance artefacts fall out of the design.

Resilience and disaster recovery

Resilience is the ability to keep operating through the failure of individual components, and to recover from larger failures within defined objectives. Cloud-native design contributes to both. Horizontal scaling means the failure of one instance is absorbed by the others; orchestration restarts failed components automatically; deploying across multiple availability zones means the loss of a whole data centre is survivable. Disaster recovery, the ability to restore service after a major event, is dramatically strengthened by infrastructure as code: if the entire environment is defined as reproducible code, it can be recreated in another region rather than laboriously rebuilt. The recovery-time and recovery-point objectives that a trading business must meet become achievable properties of the design rather than aspirations.

Multi-tenancy and isolation

Where a platform serves multiple entities, desks, legal entities, or, for a vendor, multiple client organisations, the architecture must isolate them correctly. Multi-tenancy done well means each tenant’s data and activity are strictly separated, with no possibility of one tenant seeing or affecting another, while still allowing the operational efficiency of a shared platform. The isolation is enforced at every layer: in the data model, where tenant is a governed dimension on every record; in the APIs, where every request is scoped to its tenant; and in the compute, where work is partitioned. For a trading business with several legal entities and strict information barriers, this is not merely a convenience but a regulatory requirement, and it is far easier to guarantee in a system designed for it than in one retrofitted.

Module 9, Migration without a big bang

The strongest architecture is worthless if an organisation cannot get to it. The history of trading technology is littered with big-bang replacement projects that ran for years, consumed enormous budgets, and failed. Any honest architectural argument must therefore address migration, and the good news is that the same properties that make a cloud-native ETRM valuable also make it migratable incrementally.

Why big-bang replacement fails

Big-bang replacement fails because it asks an organisation to switch its entire trading operation from one system to another on a single date, having tested the new system against a moving target while the old one kept changing. The risk is enormous and concentrated: everything must work on day one, and there is no easy way back. The scope grows without limit because every edge case in the old system must be replicated before cutover. The result is projects that are cancelled, de-scoped, or delivered years late.

The strangler-fig pattern

The alternative is incremental migration, often described with the strangler-fig metaphor: a new system grows around the old one, taking over functions one at a time, until the old one can be retired. Rather than replacing everything at once, the organisation stands up the new platform alongside the legacy landscape and moves capabilities across in a controlled sequence. Each move is a bounded, reversible step with its own value, rather than a bet on a single date.

API-first design and the event backbone are what make this practical. Because the new platform exposes and consumes events and APIs, it can coexist with the legacy systems, subscribing to their data and publishing back to them, so that during the transition the two operate together. A function, say, valuation, or a particular asset class, can be moved to the new platform while the rest remains on the old, with events keeping both consistent. The governed model is populated incrementally, and reconciliation against the legacy system during the transition provides the confidence to proceed.

Phasing a migration

A well-run migration typically proceeds along one or more of several axes, chosen to deliver value early and contain risk.

  • By asset class or commodity. Move one commodity’s trading, valuation, and risk to the new platform first, prove it, then extend. The blast radius of any problem is contained to one commodity.
  • By function. Move one function, market data, or valuation, or risk analytics, across all commodities, running it on the new platform while capture remains legacy, until each function has been migrated.
  • By desk or entity. Move one desk or legal entity at a time, so that each cutover affects a bounded population of users and trades.
  • Read-first. Stand up the new analytical layer over legacy data first, delivering better reporting immediately, before any operational function moves. This builds confidence and value with minimal risk.

Coexistence and the point of no regret

The aim throughout is that every step is valuable on its own and reversible if it fails, so that the organisation is never betting everything on a single event. Coexistence, the ability of the old and new systems to run together through events and APIs, is what makes this possible. The migration reaches a point of no regret not on a cutover date but gradually, as function after function proves itself on the new platform and the legacy system is left with less and less to do, until retiring it is an anticlimax rather than a crisis.

Module 10, The economics

The argument of this paper has been that architecture, not features, is the decisive factor in trading technology, and that the specific architectural choices of a cloud-native, governed, event-driven, API-first system change the economics of running a desk. This final analytical module makes the economic argument explicit, because it is the argument that ultimately justifies the investment to a board.

A total-cost-of-ownership framework

The true cost of a trading system is not its licence fee. A complete total-cost-of-ownership view spans several categories, and it is in the categories that a feature comparison ignores that architecture makes its difference.

  • Licence or subscription. The visible cost, and usually the smallest.
  • Infrastructure. Compute and storage, where elastic, cloud-native design converts a peak-sized fixed cost into a usage-based variable one.
  • Implementation. The cost of getting live, where incremental migration reduces the concentrated risk and cost of big-bang projects.
  • Integration. The cost of connecting the system to the enterprise, where API-first design turns each integration from a bespoke project into a call to a stable interface.
  • Operations. The ongoing cost of running the system, dominated in legacy landscapes by the reconciliation tax, which a governed model removes at its source.
  • Change. The cost of adapting the system to new instruments, markets, and rules, where configuration on a shared model replaces code across many systems.
  • Risk. The cost of errors, outages, and undetected breaks, reduced by consistency, auditability, and resilience.

Where the savings actually come from

It is worth naming precisely where a cloud-native architecture saves money, because the savings are not evenly distributed. The largest structural saving is the removal of the reconciliation tax: the operations cost of making many copies agree simply disappears when there is one copy. The second is the collapse of integration cost across the platform’s life, as each new connection reuses a stable API surface. The third is the change cost: on a shared, configurable model, adding an instrument or a market is a configuration exercise rather than a coordinated code change across several systems. The fourth is infrastructure, as elasticity matches spend to use. And underlying all of them is the risk saving of numbers that agree and can be audited.

Build versus buy

The economic frame also clarifies the perennial build-versus-buy question. The principles in this paper are not proprietary; an organisation with sufficient engineering capability can build a governed, event-driven, API-first platform itself. The question is whether the architecture is differentiating enough to justify building. For most trading organisations, the trading strategy is the differentiator, not the plumbing, and the plumbing, however well-architected, is not where their advantage lies. The right question is therefore not build or buy in the abstract, but whether a bought platform embodies the architectural principles that matter, because a bought platform that does not is merely someone else’s legacy landscape, and a built one that does not is merely your own. The architecture is the thing to evaluate, whichever path is chosen.

The compounding effect

The economic case is strongest when the effects are seen as compounding rather than additive. A governed model removes reconciliation, which lowers operations cost; but it also makes analytics trustworthy, which improves decisions; and it makes change cheaper, which lets the business move faster; and it makes AI safe to apply, which opens new capability. Each architectural property reinforces the others, so the return is not the sum of individual savings but their product. This is why the paper has insisted that the principles are not independent features to be checked off: their value is in their combination.

$$ \text{TCO} = \underbrace{L}_{\text{licence}} + I_{\text{infra}} + I_{\text{impl}} + \sum_{k} G_k + O_{\text{ops}} + C_{\text{change}} + R_{\text{risk}} $$ Total cost of ownership, dominated by the terms a feature list ignores

Conclusion

The central claim of this paper is that the defining improvement in modern ETRM is architectural. The systems that trading organisations find most painful are not short of features; they are short of structure. They represent the same facts many times and pay a permanent reconciliation tax to make the copies agree. The cure is a single governed data model that every function reads from, made current by event-driven processing, made open by API-first design, and made economical by elastic cloud-native compute.

These are not four independent features but one coherent architecture, and their consequences compound: lower total cost of ownership as the reconciliation tax and integration cost fall, faster change as configuration replaces code, cleaner integration as every capability becomes an interface, trustworthy analytics as reporting descends from the same model as the book, and a safe foundation for artificial intelligence as governed, lineage-tracked data underpins everything. Cloud-native ETRM, understood properly, is less a feature set than an economic model for running a trading desk.

For the reader charged with evaluating, buying, building, or modernising trading technology, the practical recommendation is to evaluate architecture directly rather than by proxy. Ask how many times a trade is represented, and whether the functions share one model or reconcile many. Ask whether the system is current or batch, open or screen-bound, elastic or fixed. Ask how a past state is reproduced, and how a number is traced to its sources. These questions cut through feature lists to the structure underneath, and the structure is what will determine, for years, how much the system costs to run, how fast it can change, and whether its numbers can be trusted.

References and further reading

This paper draws on established bodies of practice in distributed systems, data management, and trading technology rather than on proprietary sources. Readers who wish to go deeper may find the following areas and works useful. Specific figures and standards should be checked against their current published versions.

  • The twelve-factor application methodology, for the principles of cloud-native, scalable services.
  • Foundational texts on domain-driven design and event-driven architecture, for the canonical model, event sourcing, and CQRS patterns discussed in Modules 3 and 4.
  • The literature on data warehousing and dimensional modelling, for the conformed dimensions and semantic layer of Module 7.
  • Regulatory texts relevant to the reader’s jurisdiction, EMIR, Dodd-Frank, REMIT, MiFID II, for the reporting and audit requirements referenced in Module 8.
  • Companion Gravitas whitepapers: Quantitative risk in commodities, for the risk methodology that runs on this architecture, and AI in commodity trading, for how governed data underpins machine learning.

The Gravitas ETRM and CTRM data dictionary sets out the canonical data model referenced throughout this paper in full, term by term, and is a practical companion for anyone designing or evaluating a governed model.

Download this paper

Full paper

Download this whitepaper as a PDF

Get the complete, formatted paper to read offline or share with your team. Enter your name and corporate email and we’ll send the download link to your inbox.

Related

See this on your own trades

A live walkthrough is the fastest way to connect this to your desk.

Request a demo Back to Whitepapers