Enterprise Risk Management and the Vernal Equinox
Marcus Cree, vice president, SunGard’s Capital Markets Risk Solutions
In a time long forgotten, seven days before the third full moon of the year, a drum beats a slow and terrible accompaniment to the death march of the sacrifices to a god whose satisfaction is needed to guarantee a good harvest and the survival of the tribe for another 12 months. As the mid-afternoon sun moves through the sky, the deity himself appears – a winged snake – and makes his way down the steps of the temple built to honor him. At the base of the temple, a carved statue of Kukulkan’s head meets the shadowy shape of his body, bringing together his astral and physical form. At that moment, the human sacrifices are made, and the people pray in terrified silence that it is enough.
An eon later, and March 20 sees the 2013 vernal equinox, signifying the end of winter and the astronomical start of spring. This annual event carries with it echoes of legends and rituals from ancient cultures that have direct relevance to our approach to financial risk management today.
Within the Mayan city of Chichén Itzá lies the pyramid temple of Kukulkan, a deity who took the shape of a winged serpent. On the vernal (and autumnal) equinox each year, the god can be seen descending the temple steps in the form of light and shadows, meeting his own carved head at the base. This astonishing feat of architectural design is generally thought to be associated with Mayan agricultural rites. There is also pictorial evidence of the god overseeing human sacrifice.
What is striking about the pyramid, the visage of the ancient god and its linkage to a successful agricultural season, is that in many ways this is similar to the development and build out of much modern enterprise risk architecture.
Just as the Mayan structured their lives and rituals around balancing risks which included not angering their gods, financial firms of today must also use risk assessment as a key decision-making tool. The basic purposes and aims of a modern risk system being:
- Allow the risks being taken by the firm, both market and credit, to be understood by the risk management department
- Enable the CRO, or whoever is responsible for developing the overall risk appetite, to see that the defined risk-taking aims are being adhered to
- Empower the risk takers, the portfolio managers or traders, to understand the impacts of their positions on both their and the institution’s risk profile
- Ensure that all regulatory requirements are fully met with regards to risk management
The danger comes when the regulatory needs overshadow the other considerations, and the creation of those numbers becomes the only end-point of the system. This, essentially, creates a large, often dislocated system where the firm will:
- Run all parts of the system once the trading day has finished
- Combine those results and produce a series of regulatory reports and numbers
- Allocate capital in accordance with those numbers and reports
- Sign off for the day
As long as there are no unexpected catastrophes throughout the following period, and the regulatory numbers are supplied, the risk system is presumed to be working. In many ways, this is exactly the situation accepted by the Mayans, where a technically brilliant design created a result that would be verified by a successful harvest, regardless of the scientific non-connectedness of the temple equinox event to the actual agricultural outcome.
Of course, in the case of financial risk management today, one required outcome is met entirely. The regulatory requirements could be said to be the most important, as without them, the firm’s ability to perform its business is threatened. The key to understanding regulatory requirements, though, is that they are primarily designed to ensure that the financial system is protected from specific bank failures, not to protect individual institutions from failing.
Regulatory reporting is a result of the positioning of the bank. While referred to in the reports, risk appetite and the adherence to that appetite tend to be secondary considerations. The risk appetite is a forward-looking plan of action, designed to ensure that in a business where financial risk-taking is the core business, there is a C-suite control of the activity, and a grass-roots understanding of that strategy. Any enterprise-wide risk system should see the regulatory reporting as a starting point for deeper analysis and understanding.
The Mayans focused on appeasing and venerating the winged serpent god Kukulkan, and did so by creating an awe-inspiring pyramid and making human sacrifices. Of course, with the value of hindsight and more modern farming knowledge, we know this approach cannot guarantee or even improve the chances of a good growing season. Financial failures also bear out that simply calculating and correctly reporting risk numbers to regulatory bodies cannot guarantee financial stability.
It is always a risk to be in awe of technical achievement and to mistake that achievement for success in the overall task. It is a necessity, when architecting a risk system, to bear in mind the full scope of the requirements of the system.
These system requirements include the ability to define the risk appetite within the C-suite, and for the risk takers to work within that appetite. Analysts and risk takers need to be able to explore both regulatory and non-regulatory measures in pursuit of the adherence of the risk appetite. That can only be achieved by taking the most granular approach possible, and building, through user-defined aggregation, a series of answers to risk questions that include but are certainly not limited to regulatory reporting. Once those questions are being asked, there is a natural feedback loop that develops through the firm, enabling both a validation of the risk production and the development of a risk culture.
Technical architects should aim for greatness, for systems that are fast and accurate, and for systems that create and strengthen the cultural nervous system of risk-taking organization. The priests and the architects of the temple of Kukulkan at Chichén Itzá achieved technical greatness, but focused solely on veneration. On March 20, 2013, as the winged serpent makes its way down the pyramid constructed in its honor, we should make sure that we are looking at our enterprise risk systems through a wider angle lens.