The Interest Rate Risk Policy: Your Balance Sheet's North Star
The IRR policy is not a thrilling read. It's not supposed to be. It's a Board-approved constraint on how much interest rate risk your bank can take. For a junior ALM professional, it might feel like a pile of limits and numbers. But it's actually the most important document you'll work with. Every major balance sheet decision either comes from the policy or is constrained by it.
Here's what the policy is: a written authorization from your Board that says, "Our bank will deliberately take interest rate risk, up to these limits, in pursuit of net interest income and capital management." It's an authorization and a constraint. Without it, Treasury can't do much. With a weak one, Treasury does whatever it wants and nobody can stop it.
What the IRR Policy Must Contain
A complete IRR policy has five core sections:
1. Risk Appetite Statement
This is usually 2-3 paragraphs. It describes how much interest rate risk the bank is willing to take. Not a number yet—a philosophy. For example:
"The bank recognizes that managing interest rate risk is essential to earnings stability and capital preservation. We will position the balance sheet to benefit from expected changes in interest rates while maintaining prudent limits to protect against adverse rate movements. Our primary objective is to stabilize net interest income across various interest rate scenarios."
This matters because it frames all the specific limits that follow. Are you an aggressive bank positioning for rate cuts? Or a conservative bank hedging most of the risk? The appetite statement sets the tone.
2. Measurement and Reporting Metrics
The policy must specify how you measure interest rate risk. The big two are:
- Economic Value of Equity (EVE): The present value of the bank's net cash flows across different rate scenarios. When rates rise, EVE typically falls (especially if you're asset-sensitive). When rates fall, EVE rises (especially if you're liability-sensitive). EVE captures the full impact of a rate move, not just the next year.
- Net Interest Income (NII): The dollar impact on annual net interest income under different rate scenarios. The Fed publishes rate scenarios—typically up 200 basis points, down 200 basis points, and sometimes a "twist" (short rates up, long rates down). You model how your NII changes under each.
The policy should specify: Which metrics do we use? Under which scenarios? Over what horizon? For example:
"The bank will measure IRR using: (1) EVE impact under the Fed's three standard scenarios (up 200, down 200, twist); (2) NII impact over 12 months under the same scenarios. Measurement is conducted monthly and reported to ALCO."
3. Limits
Now the actual constraints. These typically look like:
- EVE limit: "EVE will not decline by more than 15% of capital under a 200 basis point rate shock."
- NII limit: "NII will not decline by more than 5% under a 200 basis point down scenario."
- Duration limit (alternative): Some banks use duration directly: "The bank's rate-sensitive assets minus rate-sensitive liabilities will not exceed 2 years of duration."
Why multiple limits? Because they measure different things. EVE captures mark-to-market risk. NII captures earnings risk. They can point in different directions. For example, a bank with a lot of short-duration securities and floating-rate loans might have low EVE risk but high NII sensitivity to rate cuts.
Limits should be:
- Specific: Not "don't take too much risk." Instead, "EVE decline will not exceed X% of capital."
- Measurable: You must be able to calculate them every month.
- Reasonable: Limits that are always breached are useless. Limits that are so loose they constrain nothing are also useless. The sweet spot is a limit you expect to hit occasionally (maybe once a year) but not regularly.
4. Governance and Accountability
The policy must specify:
- Monitoring: Who measures the risk? (Usually the ALM or Risk team)
- Reporting: How often and to whom? (Usually ALCO monthly; Board Risk Committee quarterly or if breached)
- Breach protocol: What happens if you hit the limit? Can you go 5% over temporarily? Who has to approve an overage? What is the remediation plan?
- Annual review: The policy should say it's reviewed annually and adjusted as needed (e.g., if you've changed the business model significantly).
5. Exclusions and Special Cases
Most policies include language like:
- "Hedging activities in place as of [date] are recognized and excluded from EVE measurement."
- "The policy applies to the balance sheet in the 'run-to-maturity' case; it does not constrain intraday funding trades."
- "Client-initiated foreign exchange swaps are excluded from EVE measurement."
These exclusions matter because they can create loopholes. If you exclude all hedging, then the Treasurer can build a gigantic hedge and claim it's not subject to the IRR policy. Smart boards are tightening these up.
Why You Need These Elements
Without a clear appetite statement, business lines will say, "You're being too conservative." Without measurement metrics, you can't calculate if you're breaching. Without limits, there is no constraint. Without governance, nobody knows who's accountable. Without a breach protocol, you'll have surprises at the Board.
The IRR Policy vs. Strategic Repositioning
One key tension: the IRR policy is meant to be stable (approved annually) but the balance sheet is dynamic. What if you want to materially change the bank's risk profile—say, de-risk EVE by selling long-duration securities?
The answer: that's a strategic decision, and it may require a policy amendment. For example, if you're currently at 12% EVE sensitivity and you want to move to 8%, that's a policy change. ALCO discusses it, decides, and the Board approves an amendment.
This is different from tactical management within the policy. Tactical: selling some MBS to rebalance duration. Strategic: selling all the MBS to fundamentally change the risk profile.
The best policies have language like: "Material changes to the bank's interest rate risk profile require Board approval. Tactical rebalancing within this policy is delegated to the Treasurer."
A Real Example: The Policy Limit Breach
Imagine your bank approved this policy:
- EVE will not decline by more than 12% of capital under a 200 basis point shock
- NII will not decline by more than 4% under a 200 basis point down shock
Your current EVE sensitivity is 10% of capital. Your current NII sensitivity is 3%.
Then rates fall 150 basis points in a month (unexpectedly). Your updated model shows EVE would decline 13% under the 200 basis point shock scenario. You're in breach.
What now?
The protocol matters. If the policy says "ALCO approval required for any overage," you bring it to ALCO with a mitigation plan. If it says "Treasurer has authority to exceed by up to 2%, with ALCO notification," you stay in the overage for one month and fix it. If it says "Zero tolerance," you're in breach-and-escalate mode.
Post-SVB, regulators expect to see that the breach was identified, reported, and remediated. A documented breach with a fix is far better than a hidden breach.
The Takeaway
The IRR policy is your balance sheet constitution. It needs:
- Clear appetite statement
- Measurable metrics (EVE and NII)
- Specific limits
- Governance and accountability
- Defined breach protocol
If your policy has these, you have a real constraint. If it has vague language and loose limits, it's a document that gets written and then ignored. Neither the Board nor Treasury should want that.
The IRR Policy: Anatomy, Implementation, and Edge Cases
Building the Complete Policy Framework
A comprehensive Interest Rate Risk (IRR) policy lives in a Board-approved document, typically 15 to 20 pages, that articulates how the bank will measure and manage interest rate risk across the balance sheet. Let me walk through what a realistic, complete policy looks like and why each section matters.
Section 1: Risk Appetite and Philosophy
The policy opens with a statement of risk appetite that frames everything else. A thoughtful statement might read: "The bank recognizes that interest rate risk is inherent in banking. We manage this risk actively to support earnings and capital growth. Our strategy is to position for stable net interest income across rate scenarios while maintaining economic value of equity within prudent bounds. We seek to benefit from expected rate movements but avoid outsized exposure to adverse shocks."
Notice what this language does. It's neither aggressively bullish ("we will position for rate cuts") nor defensively cautious ("we will hedge everything"). It's balanced and honest about what the bank is trying to accomplish. That maturity of tone matters because it sets the expectation that the bank views interest rate risk management as strategic and proportional, not reckless or paranoid.
Section 2: Measurement Framework—The Methodology Backbone
The measurement section is critical because it specifies how EVE and NII will be calculated, removing ambiguity and preventing arguments later. A solid measurement framework will specify:
For EVE methodology: "Economic Value of Equity is calculated using the Federal Reserve's standard three scenarios. These are an immediate 200 basis point parallel shift up, an immediate 200 basis point parallel shift down, and a twist scenario where short rates move plus 200 basis points and long rates move plus 100 basis points. All cash flows are discounted at the new interest rate curve. The 'No Change' scenario serves as the baseline." Spelling this out prevents debates later about which scenarios count or whether management can cherry-pick favorable methodologies.
For NII methodology: "Net Interest Income is modeled for a 12-month forward horizon under the same rate scenarios. Importantly, we model a 'static' balance sheet scenario where we assume no management actions—no additional funding or hedging activity. We separately calculate a 'management case' NII that incorporates planned funding and hedging actions to show the impact of our intended portfolio adjustments." This distinction between static and management cases is important because it shows ALCO what happens naturally versus what happens if management acts.
The framework also specifies: "Both metrics are calculated as of month-end and reported within 10 business days of month-end close." This creates a predictable reporting cadence that ALCO can rely on.
Why be this specific about methodology? Because measurement is inherently subjective. Do you include NIM compression from competitive deposit repricing in your scenarios? Do you assume deposits reprice immediately or with a lag? Do you model customer behavior realistically or assume balance sheets stay perfectly static? Do you use Fed stress test assumptions or your own? Defining the framework prevents endless arguments about whether the reported number is accurate.
Section 3: Limits and Tolerances—Actionable Guardrails
Limits should be specific, calibrated, and tied to the bank's capital. A realistic set might look like this:
"EVE sensitivity limit: The impact of a 200 basis point immediate shock will not exceed 12% of Tier 1 capital. Current: 10%." This specifies both the limit and where the bank currently is, showing headroom for management action.
"NII sensitivity limit (12-month): Net interest income will not decline by more than 5% under a 200 basis point down scenario. Current: 3%." Again, specific number and current position.
"Optional earnings-at-risk limit: Unexpected NII volatility from rate moves will not exceed 2% of expected annual net income." This focuses on what you can't predict—the volatility rather than the average.
"Optional duration limit: The gap between rate-sensitive asset duration and rate-sensitive liability duration will not exceed 2.5 years." This is a more technical limit and is rarely used as the primary driver of decisions anymore, but some boards want it as a secondary indicator.
These limits should be calibrated thoughtfully to account for several factors. Does your business model concentrate in mortgages? Mortgage lenders are naturally asset-sensitive and will need higher limits. What's your stakeholder tolerance for volatility? Boards focused on earnings stability want tighter limits. How do you compare to peers? Knowing what peer banks are doing informs whether your limits are reasonable. And remember that capital matters: larger banks with more capital can take more absolute risk.
Section 4: Governance and Accountability
This section makes clear who does what and when. For measurement, you specify: "The ALM team measures EVE and NII monthly, using month-end balance sheet data and month-end market rates. The CIO provides securities portfolio data and valuations; Treasury provides funding positions and deposit data." Clarity about data flow prevents miscommunication.
For reporting: "Results are reported to ALCO monthly. If any metric reaches the warning level (80% of the limit), the Treasurer presents a remediation plan. If any metric exceeds the hard limit, escalation to the Board Risk Committee occurs within one business day." This creates the trigger points that force action.
For accountability: "The Treasurer is accountable for maintaining metrics within policy. The CIO is accountable for securities positions. The Chief Credit Officer is accountable for loan production and portfolio mix, which affects the loan book's repricing characteristics." Accountability should be distributed based on who controls what.
For review cadence: "The policy is reviewed annually by ALCO and approved by the Board. Material changes—for example, EVE or NII limits adjusted by more than 1% of capital, or new measurement methodologies—require Board approval. Tactical rebalancing within the policy is delegated to the Treasurer." This distinguishes between policy-level changes (Board level) and operational management within policy (Treasurer level).
Section 5: Hedging and Derivatives—Clear Rules
This section is crucial and often poorly written, leaving ambiguity that business units exploit. A strong section will state: "Hedging activities undertaken to manage interest rate risk are incorporated into EVE and NII measurement after the hedge is implemented. Proposed hedges are modeled before approval to show their impact on both the risk metrics and the bank's profitability."
Next, specify what instruments are allowed: "Interest rate swaps, swaptions, caps, and floors are permitted for balance sheet risk management. Speculative trading is prohibited." This draws a clear line between hedging (allowed) and speculation (not allowed).
Finally, establish the delegation of authority: "The Treasurer has authority to enter into hedges up to 500 million notional per quarter without ALCO approval, provided the hedge reduces EVE or NII sensitivity. Hedges larger than 500 million require ALCO approval." Without this clarity, a Treasurer can argue that a derivative isn't subject to the IRR limit because it's off-balance-sheet and therefore not "really" part of the risk profile. Smart boards don't allow that interpretation.
Section 6: Breach Protocol—The Escalation Process
This section is often omitted and it's a significant mistake because it leaves room for discretionary judgment when clarity is needed. A strong protocol specifies:
"If any metric hits the warning level (80% of hard limit), the Treasurer reports to ALCO with a mitigation plan within 5 business days." This creates urgency without panic.
"If any metric exceeds the hard limit, the Treasurer reports to the Board Risk Committee immediately and proposes remediation within 30 days. The bank will reduce the metric below the limit within 30 days unless the Board Risk Committee approves a temporary overage with a defined remediation timeline." This distinguishes between a warning (managed at the ALCO level) and a breach (escalated to Board).
"Repeated breaches (more than twice in a rolling 12 months) trigger a mandatory policy review and potential limit tightening." This discourages casual breaching.
"Any intentional breach or concealment of a breach is grounds for escalation to the Chief Audit Officer and potential disciplinary action." This makes clear that honest governance is expected.
Post-SVB, regulators scrutinize the breach section heavily. They want to see that breaches are identified, escalated, and remediated. A strong breach protocol demonstrates commitment to governance.
Real Implementation: Monthly ALCO Reporting
Let's walk through what a realistic monthly ALCO report looks like when you put this policy into action. Imagine it's the third Friday of the month. The ALM team has just closed the books and calculated EVE and NII. Here's the state of the bank:
Current Balance Sheet State (Month-End Snapshot)
- Assets: 50 billion
- Deposits: 35 billion (55% of total funding; 5% are rate-sensitive within 12 months)
- Wholesale funding: 12 billion (24% of total; 80% reprices within 12 months)
- Equity: 3 billion
Scenario Analysis Results:
Your analysis models four scenarios and compares each to your limits:
| Scenario | EVE Change | NII Change (12m) | Status Against Limit |
|----------|-----------|-----------------|--------|
| No change (baseline) | 0% | 0% | Base case |
| Rates +200 bp | +8% of capital | +4% | Within 12% limit |
| Rates -200 bp | -11% of capital | -3% | Within 5% limit |
| Twist scenario | -2% of capital | +1% | Within limits |
Your EVE limit is 12% of capital. Your current EVE sensitivity to a -200 basis point down shock is 11%. You're at 92% of your limit, which is a yellow flag but not yet a red flag.
When you present this to ALCO, you provide context: "We're positioned at 92% of our EVE limit in the -200 down scenario. The primary drivers are our asset sensitivity from the floating-rate loan portfolio and the deposit beta assumption we're using. To mitigate, the CIO is examining whether we should shorten the securities portfolio by selling some MBS. Our preliminary estimate is that selling $200-300 million in MBS would reduce EVE sensitivity by 1 to 2 percentage points. My recommendation: we hold our current position for this month and reassess next month after the Fed meeting."
ALCO responds with guidance: "Approved. Bring updated metrics next month. If we approach the 95% threshold, bring a hedging proposal to the next meeting."
Notice what happened here: ALCO is not micromanaging the positions or the daily trading. ALCO is setting guardrails and ensuring the Treasurer understands what happens when you approach them. The Treasurer has flexibility to operate within the framework.
The Policy Amendment Process
Sometimes you need to change the policy itself. Perhaps you've exited the mortgage business and you're now less asset-sensitive, so a 12% EVE limit feels too tight given your new portfolio mix. Or you've acquired another bank and your risk profile has shifted materially.
The formal amendment process creates discipline. First, the Treasurer brings a written proposal to ALCO: "We recommend increasing the EVE limit from 12% to 15% because we've grown the floating-rate commercial loan book, which has reduced our overall asset sensitivity. Historical data shows we've been running 9-12% over the past three years; a 15% limit would give us flexibility without creating breach risk."
Second, the ALM team provides support through analysis. They show 12-month trending of where the metric has been sitting, what's driving any changes, and peer comparison data. "Over the last three years, we've been in a 9-12% band. The new 15% limit would allow us to manage the metric without constant breach management, while still maintaining prudent risk control."
Third, ALCO votes to recommend the amendment to the Board, and the discussion might surface concerns: "Are we being aggressive with this number? Have we stress-tested how quickly a new business line could create risk?"
Fourth, the Board Risk Committee and then the full Board formally approve the new limit and the updated policy.
Fifth, the updated policy is communicated to Treasury, the CIO, all business lines, and risk management.
Edge Cases and Judgment Calls
Bank Acquisition: You acquire another bank with a 15 billion balance sheet. Its loan book is much more asset-sensitive than yours, and the combined entity becomes more sensitive to rate cuts. Do you immediately amend the policy or operate with a temporary overage?
Best practice is to establish a 90-day integration plan. For 90 days, you run with a Board-approved temporary higher limit to allow orderly integration. On day 91, you've either amended the policy permanently or you've repositioned the balance sheet to bring the metric back into compliance.
Market Shock: Rates move 150 basis points in a single month (as happened after SVB). Your EVE metric jumps. Are you in breach?
It depends on how your policy is written. If the policy says "calculated at month-end," then yes, you're measured at month-end. You probably breach, you report it, and you develop a 30-day remediation plan. Smart policies acknowledge this reality by stating: "Intramonth movements are not considered breach events unless maintained through the month-end measurement date." This acknowledges market volatility while still holding management accountable for sustained positions.
New Business Initiative: Commercial lending wants to launch a "floating-rate small business loan program." This will materially increase your interest rate sensitivity. Where does the decision authority reside?
It should reside partially in ALCO. ALCO should model the impact on EVE and NII, confirm that the initiative stays within policy, and explicitly approve the program's balance sheet implications. Business lines shouldn't be able to launch new products that materially affect interest rate risk without ALCO governance.
The Hedging Gray Area: The Treasurer wants to enter a 2 billion notional interest rate swap to reduce asset sensitivity. The swap is off-balance-sheet from an accounting perspective. Does it count against the IRR policy limit?
Absolutely yes. A strong policy explicitly states: "All interest rate derivatives count toward measurement and limits, regardless of accounting treatment. The economic impact of the swap is incorporated into EVE and NII." If you don't state this clearly, you'll encounter endless arguments where business units try to claim that off-balance-sheet derivatives don't "count."
Takeaway: The Marks of a Strong IRR Policy
A mature IRR policy has several defining characteristics. It is clear about measurement methodology, preventing debates about calculation methods. It is realistic in its calibration, reflecting the bank's actual business model and risk appetite. It is explicit about accountability, assigning clear responsibility. It is strict about breach protocols, creating consequences for breaches. And it is reviewed and amended regularly when business conditions change materially.
If your policy is weak—vague on measurement, loose on limits, lacking a breach protocol, rarely reviewed—you should fix it. Bring it to ALCO, get board approval, and enforce it consistently. A strong IRR policy is one of the best tools you have to manage balance sheet risk systematically and to ensure that business decisions are made within a framework of disciplined risk management.