The IRR policy: what it must contain

The Interest Rate Risk Policy: Your Balance Sheet's North Star

The IRR policy is not a thrilling read. It's not supposed to be. It's a Board-approved constraint on how much interest rate risk your bank can take. For a junior ALM professional, it might feel like a pile of limits and numbers. But it's actually the most important document you'll work with. Every major balance sheet decision either comes from the policy or is constrained by it.

Here's what the policy is: a written authorization from your Board that says, "Our bank will deliberately take interest rate risk, up to these limits, in pursuit of net interest income and capital management." It's an authorization and a constraint. Without it, Treasury can't do much. With a weak one, Treasury does whatever it wants and nobody can stop it.

What the IRR Policy Must Contain

A complete IRR policy has five core sections:

1. Risk Appetite Statement

This is usually 2-3 paragraphs. It describes how much interest rate risk the bank is willing to take. Not a number yet—a philosophy. For example:

"The bank recognizes that managing interest rate risk is essential to earnings stability and capital preservation. We will position the balance sheet to benefit from expected changes in interest rates while maintaining prudent limits to protect against adverse rate movements. Our primary objective is to stabilize net interest income across various interest rate scenarios."

This matters because it frames all the specific limits that follow. Are you an aggressive bank positioning for rate cuts? Or a conservative bank hedging most of the risk? The appetite statement sets the tone.

2. Measurement and Reporting Metrics

The policy must specify how you measure interest rate risk. The big two are:

• Economic Value of Equity (EVE): The present value of the bank's net cash flows across different rate scenarios. When rates rise, EVE typically falls (especially if you're asset-sensitive). When rates fall, EVE rises (especially if you're liability-sensitive). EVE captures the full impact of a rate move, not just the next year.

• Net Interest Income (NII): The dollar impact on annual net interest income under different rate scenarios. The Fed publishes rate scenarios—typically up 200 basis points, down 200 basis points, and sometimes a "twist" (short rates up, long rates down). You model how your NII changes under each.

The policy should specify: Which metrics do we use? Under which scenarios? Over what horizon? For example:

"The bank will measure IRR using: (1) EVE impact under the Fed's three standard scenarios (up 200, down 200, twist); (2) NII impact over 12 months under the same scenarios. Measurement is conducted monthly and reported to ALCO."

3. Limits

Now the actual constraints. These typically look like:

• EVE limit: "EVE will not decline by more than 15% of capital under a 200 basis point rate shock."
• NII limit: "NII will not decline by more than 5% under a 200 basis point down scenario."
• Duration limit (alternative): Some banks use duration directly: "The bank's rate-sensitive assets minus rate-sensitive liabilities will not exceed 2 years of duration."

Why multiple limits? Because they measure different things. EVE captures mark-to-market risk. NII captures earnings risk. They can point in different directions. For example, a bank with a lot of short-duration securities and floating-rate loans might have low EVE risk but high NII sensitivity to rate cuts.

Limits should be:

• Specific: Not "don't take too much risk." Instead, "EVE decline will not exceed X% of capital."


• Measurable: You must be able to calculate them every month.


• Reasonable: Limits that are always breached are useless. Limits that are so loose they constrain nothing are also useless. The sweet spot is a limit you expect to hit occasionally (maybe once a year) but not regularly.

4. Governance and Accountability

The policy must specify:

• Monitoring: Who measures the risk? (Usually the ALM or Risk team)
• Reporting: How often and to whom? (Usually ALCO monthly; Board Risk Committee quarterly or if breached)
• Breach protocol: What happens if you hit the limit? Can you go 5% over temporarily? Who has to approve an overage? What is the remediation plan?
• Annual review: The policy should say it's reviewed annually and adjusted as needed (e.g., if you've changed the business model significantly).

5. Exclusions and Special Cases

Most policies include language like:

• "Hedging activities in place as of [date] are recognized and excluded from EVE measurement."
• "The policy applies to the balance sheet in the 'run-to-maturity' case; it does not constrain intraday funding trades."
• "Client-initiated foreign exchange swaps are excluded from EVE measurement."

These exclusions matter because they can create loopholes. If you exclude all hedging, then the Treasurer can build a gigantic hedge and claim it's not subject to the IRR policy. Smart boards are tightening these up.

Why You Need These Elements

Without a clear appetite statement, business lines will say, "You're being too conservative." Without measurement metrics, you can't calculate if you're breaching. Without limits, there is no constraint. Without governance, nobody knows who's accountable. Without a breach protocol, you'll have surprises at the Board.

The IRR Policy vs. Strategic Repositioning

One key tension: the IRR policy is meant to be stable (approved annually) but the balance sheet is dynamic. What if you want to materially change the bank's risk profile—say, de-risk EVE by selling long-duration securities?

The answer: that's a strategic decision, and it may require a policy amendment. For example, if you're currently at 12% EVE sensitivity and you want to move to 8%, that's a policy change. ALCO discusses it, decides, and the Board approves an amendment.

This is different from tactical management within the policy. Tactical: selling some MBS to rebalance duration. Strategic: selling all the MBS to fundamentally change the risk profile.

The best policies have language like: "Material changes to the bank's interest rate risk profile require Board approval. Tactical rebalancing within this policy is delegated to the Treasurer."

A Real Example: The Policy Limit Breach

Imagine your bank approved this policy:

• EVE will not decline by more than 12% of capital under a 200 basis point shock
• NII will not decline by more than 4% under a 200 basis point down shock

Your current EVE sensitivity is 10% of capital. Your current NII sensitivity is 3%.

Then rates fall 150 basis points in a month (unexpectedly). Your updated model shows EVE would decline 13% under the 200 basis point shock scenario. You're in breach.

What now?

The protocol matters. If the policy says "ALCO approval required for any overage," you bring it to ALCO with a mitigation plan. If it says "Treasurer has authority to exceed by up to 2%, with ALCO notification," you stay in the overage for one month and fix it. If it says "Zero tolerance," you're in breach-and-escalate mode.

Post-SVB, regulators expect to see that the breach was identified, reported, and remediated. A documented breach with a fix is far better than a hidden breach.

The Takeaway

The IRR policy is your balance sheet constitution. It needs:

• Clear appetite statement


• Measurable metrics (EVE and NII)


• Specific limits


• Governance and accountability


• Defined breach protocol

If your policy has these, you have a real constraint. If it has vague language and loose limits, it's a document that gets written and then ignored. Neither the Board nor Treasury should want that.

The IRR Policy: Anatomy, Implementation, and Edge Cases

The Complete Policy Framework

A comprehensive IRR policy lives in a Board-approved document (usually 15-20 pages). Let me walk through a realistic example.

Section 1: Appetite and Philosophy

"The bank recognizes that interest rate risk is inherent in banking. We manage this risk actively to support earnings and capital. Our strategy is to position for stable NII across rate scenarios while maintaining EVE within prudent bounds. We seek to benefit from expected rate movements but avoid outsized exposure to adverse shocks."

Notice: this is neither aggressive ("we will position for rate cuts") nor passive ("we will hedge everything"). It's balanced. That matters.

Section 2: Measurement Framework

The policy specifies:

• EVE Methodology: "EVE is calculated using the Fed's standard three scenarios: immediate 200 bp up, immediate 200 bp down, and a twist (short rates +200 bp, long rates +100 bp). All cash flows are discounted at the new rate curve. The 'No Change' scenario serves as the base."

• NII Methodology: "NII is modeled for 12 months under the same rate scenarios, assuming no balance sheet management actions (i.e., the 'static' balance sheet). We also calculate 'management case' NII that incorporates planned funding and hedging actions."

• Horizon: "Both metrics are calculated as of month-end and reported within 10 business days of month-end close."

Why specify all this? Because measurement can be subjective. Do you include NIM compression in your scenario? Do you assume deposits reprice? Do you model customer behavior or assume balance sheets stay static? Defining the framework prevents arguments.

Section 3: Limits and Tolerances

Here's a realistic set:

• EVE sensitivity: "The EVE impact of a 200 basis point shock will not exceed 12% of Tier 1 capital." Current: 10%
• NII sensitivity (12-month): "NII will not decline by more than 5% under a 200 basis point down scenario." Current: 3%
• Earnings-at-risk (optional): "Unexpected NII volatility from rate moves will not exceed 2% of expected annual net income." (This is a way to focus on what you can't predict)
• Duration (optional, as a secondary metric): "The gap between rate-sensitive asset duration and rate-sensitive liability duration will not exceed 2.5 years." (This is more of a technical limit, rarely used as the primary driver anymore)

These limits should be calibrated to:

• Your business model (does mortgage lending dominate? You'll be asset-sensitive; higher limits make sense)
• Your stakeholder tolerance (does your board want stability? Tighter limits)
• Your peer group (what are peer banks doing?)
• Your capital (limits are often expressed as a percentage of capital, so larger banks can take more absolute risk)

Section 4: Governance

• Measurement: "The ALM team measures EVE and NII monthly, using month-end balance sheet and market rates. The CIO provides securities portfolio data; Treasury provides funding and deposit data."

• Reporting: "Results are reported to ALCO monthly. If any metric exceeds the warning level (80% of limit), the Treasurer presents a remediation plan. If any metric exceeds the hard limit, escalation to the Board Risk Committee within one business day."

• Accountability: "The Treasurer is accountable for maintaining metrics within policy. The CIO is accountable for securities positions. The Chief Credit Officer is accountable for loan production (which affects the loan book's repricing characteristics)."

• Review cadence: "The policy is reviewed annually by ALCO and approved by the Board. Material changes (EVE or NII limits adjusted by more than 1% of capital, new measurement methodologies) require Board approval. Tactical rebalancing within the policy is delegated to the Treasurer."

Section 5: Hedging and Derivatives

This is crucial and often poorly written:

• "Hedging activities undertaken to manage interest rate risk are incorporated into EVE and NII measurement after the hedge is implemented. Proposed hedges are modeled before approval."

• "Interest rate swaps, swaptions, caps, and floors are permitted for balance sheet risk management. Speculative trading is prohibited."

• "The Treasurer has authority to enter into hedges up to 500 million notional per quarter without ALCO approval, provided the hedge reduces EVE or NII sensitivity. Hedges larger than 500 million require ALCO approval."

Without this clarity, a Treasurer can argue that a "hedge" isn't subject to the IRR limit because it's not really on the balance sheet (swaps are off-balance-sheet). Smart boards don't allow that.

Section 6: Breach Protocol

This is often omitted and it's a mistake. Specify:

• "If any metric hits the warning level (80% of hard limit), the Treasurer reports to ALCO with a mitigation plan within 5 business days."

• "If any metric exceeds the hard limit, the Treasurer reports to the Board Risk Committee immediately and proposes remediation. The bank will reduce the metric to below the limit within 30 days unless the Board Risk Committee approves a temporary overage."

• "Repeated breaches (more than twice in a rolling 12 months) trigger a policy review and potential limit tightening."

• "Any intentional breach or concealment of a breach is grounds for escalation to the Chief Audit Officer and potential disciplinary action."

Post-SVB, this section is scrutinized heavily. Regulators want to see that breaches are identified, escalated, and remediated.

Real Implementation: The Monthly ALCO Metric

Let's say it's the third Friday of the month. The ALM team has just closed the books. EVE and NII are calculated. Here's what you're reporting:

Current Balance Sheet State:

• Assets: 50 billion


• Deposits: 35 billion (55% of funding; 5% are rate-sensitive within 12 months)


• Wholesale funding: 12 billion (24%; 80% reprice within 12 months)


• Equity: 3 billion

Scenario Analysis:

| Scenario | EVE Change | NII Change (12m) | Status |
|----------|-----------|-----------------|--------|
| No change | 0% | 0% | Base |
| Rates +200 bp | +8% of capital | +4% | Within limit |
| Rates -200 bp | -11% of capital | -3% | Within limit |
| Twist | -2% of capital | +1% | Within limit |

Your EVE limit is 12% of capital. Current EVE sensitivity to a -200 shock is 11%. You're at 92% of limit. Yellow flag but not yet red.

At ALCO, you report: "We're in a -200 bp scenario at 92% of limit. Drivers: (1) asset sensitivity from floating-rate loans; (2) deposit beta assumption. Mitigation: CIO is examining whether to shorten the securities portfolio by selling MBS. Estimated impact: 1-2 percentage points of EVE reduction. Recommend we hold position for this month and reassess next month after the next Fed meeting."

ALCO might respond: "Approved. Bring updated metrics next month. If we approach the 95% threshold, bring a hedging proposal."

Notice: ALCO is not micro-managing the positions. ALCO is setting the guardrails and the Treasurer operates within them.

The Policy Amendment Process

Sometime, you want to change the policy. Maybe you've exited the mortgage business and you're now less asset-sensitive, so a 12% EVE limit is too tight. Or you've acquired another bank and your risk profile has changed materially.

The process:

1. Proposal: The Treasurer brings a written proposal to ALCO: "We recommend increasing the EVE limit from 12% to 15% because we've grown the floating-rate commercial loan book, which has reduced our asset sensitivity."

2. Analysis: The ALM team provides a 12-month look-back at where the metric has been trending. "Over the last three years, we've been in a 9-12% band. The new 15% limit would allow for unexpected changes without constant breach management."

3. ALCO decision: ALCO votes to recommend the amendment to the Board.

4. Board approval: The Board Risk Committee and then the full Board approve the new limit.

5. Communication: The updated policy is communicated to Treasury, the CIO, and business lines.

Edge Cases and Judgment Calls

Acquired Bank: You buy another bank with a 15 billion balance sheet. Its loan book is much more asset-sensitive than yours. The combined entity is now more sensitive to rate cuts. Do you immediately amend the policy or live with a temporary overage?

Best practice: you have a 90-day integration plan. For 90 days, you run with a Board-approved temporary higher limit "until the entities are integrated." On day 91, you've either amended the policy or you've repositioned the balance sheet.

Market Shock: Rates move 150 bps in a month (like after SVB). Your EVE metric jumps. Are you in breach?

It depends on your policy. If the policy says "calculated at month-end," then yes, you're measured at month-end. You probably breach, you report it, and you have a 30-day remediation plan. Smart policies acknowledge this: "Intramonth movements are not considered breach events unless maintained through the month-end measurement date."

A New Business: Commercial lending wants to launch a "floating-rate small business loan program." This will increase rate sensitivity. Where does the decision live?

It should live partially in ALCO. ALCO should model the impact on EVE and NII, confirm it stays within policy, and approve the program's balance sheet implications. Business lines shouldn't be able to launch new products that materially affect IRR without ALCO sign-off.

The Hedging Gray Area: The Treasurer wants to enter a 2 billion notional interest rate swap to reduce asset sensitivity. The swap is off-balance-sheet. Does it count against the IRR policy limit?

Absolutely yes. The policy should say: "All interest rate derivatives count toward measurement and limits, regardless of accounting treatment. The economic impact of the swap is incorporated into EVE and NII." If you don't say this, you'll have endless arguments.

Takeaway

A mature IRR policy is:

• Clear on measurement and limits


• Realistic in calibration


• Accountable in governance


• Strict on breach protocol


• Reviewed annually and amended when needed

If your policy is weak (vague, loose limits, no breach protocol, rarely reviewed), fix it. Bring it to ALCO, get board approval, and enforce it. A strong IRR policy is one of the best tools you have to manage balance sheet risk systematically.