Principle 10:
Banks must have an adequate system of internal controls over their interest rate risk management process. A fundamental component of the internal control system involves regular independent reviews and evaluations of the effectiveness of the system and, where necessary, ensuring that appropriate revisions or enhancements to internal controls are made. The results of such reviews should be available to relevant supervisory authorities.
1. Banks should have adequate internal controls to ensure the integrity of their interest rate risk management process. These internal controls should be an integral part of the institution's overall system of internal control. They should promote effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations and institutional policies. An effective system of internal control for interest rate risk includes:
- a strong control environment;
- an adequate process for identifying and evaluating risk;
- the establishment of control activities such as policies, procedures and methodologies;
- adequate information systems; and,
- continual review of adherence to established policies and procedures.
With regard to control policies and procedures, attention should be given to appropriate approval processes, exposure limits, reconciliations, reviews and other mechanisms designed to provide a reasonable assurance that the institution's interest rate risk management objectives are achieved. Many attributes of a sound risk management process, including risk measurement, monitoring and control functions, are key aspects of an effective system of internal control. Banks should ensure that all aspects of the internal control system are effective, including those aspects that are not directly part of the risk management process.
2. In addition, an important element of a bank's internal control system over its interest rate risk management process is regular evaluation and review. This includes ensuring that personnel are following established policies and procedures, as well as ensuring that the procedures that were established actually accomplish the intended objectives. Such reviews and evaluations should also address any significant change that may impact the effectiveness of controls, such as changes in market conditions, personnel, technology, and structures of compliance with interest rate risk exposure limits, and ensure that appropriate follow-up with management has occurred for any limits that were exceeded. Management should ensure that all such reviews and evaluations are conducted regularly by individuals who are independent of the function they are assigned to review. When revisions or enhancements to internal controls are warranted, there should be a mechanism in place to ensure that these are implemented in a timely manner.
3. Reviews of the interest rate risk measurement system should include assessments of the assumptions, parameters, and methodologies used. Such reviews should seek to understand, test, and document the current measurement process, evaluate the system's accuracy, and recommend solutions to any identified weaknesses. If the measurement system incorporates one or more subsidiary systems or processes, the review should include testing aimed at ensuring that the subsidiary systems are well-integrated and consistent with each other in all critical respects. The results of this review, along with any recommendations for improvement, should be reported to senior management and/or the board and acted upon in a timely manner.
4. The frequency and extent to which a bank should re-evaluate its risk measurement methodologies and models depends, in part, on the particular interest rate risk exposures created by holdings and activities, the pace and nature of market interest rate changes, and the pace and complexity of innovation with respect to measuring and managing interest rate risk.
5. Banks, particularly those with complex risk exposures, should have their measurement, monitoring and control functions reviewed on a regular basis by an independent party (such as an internal or external auditor). In such cases, reports written by external auditors or other outside parties should be available to relevant supervisory authorities. It is essential that any independent reviewer ensure that the bank's risk measurement system is sufficient to capture all material elements of interest rate risk, whether arising from on- or off-balance sheet activities. Such a reviewer should consider the following factors in making the risk assessment:
- the quantity of interest rate risk, e.g.
  - the volume and price sensitivity of various products;
  - the vulnerability of earnings and capital under differing rate changes including yield curve twists;
  - the exposure of earnings and economic value to various other forms of interest rate risk, including basis and optionality risk.
- the quality of interest rate risk management, e.g.
  - whether the bank's internal measurement system is appropriate to the nature, scope, and complexities of the bank and its activities;
  - whether the bank has an independent risk control unit responsible for the design and administration of the risk measurement, monitoring and control functions;
  - whether the board of directors and senior management are actively involved in the risk control process;
  - whether internal policies, controls and procedures concerning interest rate risk are well documented and complied with;
  - whether the assumptions of the risk measurement system are well documented, data accurately processed, and data aggregation is proper and reliable;
  - whether the organisation has adequate staffing to conduct a sound risk management process.
6. In those instances where the independent review is conducted by internal auditors, banks are encouraged to have the risk measurement, monitoring and control functions periodically reviewed by external auditors.