Derivatives Risk Management Program
Rule 18f-4 requires a registered investment company that enters into derivatives transactions to adopt and maintain a written Derivatives Risk Management Program (DRMP), designate a Derivatives Risk Manager (DRM) whose designation the board approves, comply with a VaR-based limit (a relative or absolute VaR test), and provide the board with written reporting. A fund whose derivatives exposure stays within 10% of its net assets may instead operate as a limited derivatives user under simpler conditions. (17 CFR § 270.18f-4)
Key takeaways:
- If your fund uses derivatives, you need a written DRMP and a designated, board-approved DRM. (17 CFR § 270.18f-4)
- You must operationalize VaR-based risk limits (and related testing) or qualify as a limited derivatives user under the rule’s conditions. (17 CFR § 270.18f-4)
- Exams will focus on whether the program is real: documented governance, repeatable processes, evidence of monitoring, and board reporting. (17 CFR § 270.18f-4)
A Derivatives Risk Management Program is not a policy you file away. Under the SEC’s derivatives rule, it is an operating system for identifying, measuring, managing, and reporting the risks created by derivatives in a registered fund. The rule ties together governance (a board-approved Derivatives Risk Manager), risk measurement (VaR-based limits), and ongoing oversight (board reporting and program review). (17 CFR § 270.18f-4)
For a CCO or GRC lead, the fastest path to compliance is to translate the rule into a small set of “always-on” routines: inventory your derivatives and related instruments, determine whether you qualify as a limited derivatives user, implement VaR testing and escalation logic (or the limited-user controls), and set a board reporting cadence with consistent content. (17 CFR § 270.18f-4)
This page breaks the requirement into implementable steps, specifies the artifacts you need to retain, and lists the exam questions that typically expose weak programs. Where teams struggle, it is rarely the math alone; it is unclear accountability, missing thresholds and escalation paths, and gaps between what the DRMP says and what portfolio teams do day to day. (17 CFR § 270.18f-4)
Regulatory text
Requirement (operator view): Investment companies that use derivatives must adopt a derivatives risk management program. (17 CFR § 270.18f-4)
What the rule requires in practice: Rule 18f-4 requires a fund that enters into derivatives transactions to (1) adopt and implement a written DRMP covering risk identification and assessment, risk guidelines, stress testing, backtesting, internal reporting and escalation, and periodic review; (2) designate a Derivatives Risk Manager, with the designation approved by the board, including a majority of the independent directors; (3) comply with a VaR-based limit: the relative VaR test (the fund's VaR may not exceed 200% of the VaR of a designated reference portfolio) unless the DRM reasonably determines that no appropriate reference portfolio exists, in which case the absolute VaR test applies (VaR may not exceed 20% of net assets), with higher limits (250% and 25%) for closed-end funds with preferred stock outstanding; and (4) provide written reports to the board, namely an assessment of the program before implementation and at least annually thereafter, plus regular reports, at a frequency the board sets, on VaR exceedances and on stress-testing and backtesting results. A fund whose derivatives exposure does not exceed 10% of its net assets (after excluding certain currency and interest-rate hedging derivatives) may operate as a limited derivatives user: it is exempt from the DRM, VaR and program requirements but must adopt and implement written policies and procedures reasonably designed to manage its derivatives risks. (17 CFR § 270.18f-4)
Plain-English interpretation (what this means day to day)
If your fund uses derivatives, the SEC expects you to run a formal program that:
- Assigns a single accountable owner (the DRM) with board backing.
- Sets a measurable risk limit framework (VaR) and continuously checks it.
- Defines what happens when limits are approached or breached, including escalation and remediation.
- Produces consistent reporting that allows the board to exercise oversight. (17 CFR § 270.18f-4)
A DRMP fails in practice when it reads like a risk textbook but cannot answer basic questions: What is our VaR limit? Who reviews exceptions? What did we do last time we had a breach? Where is that documented? (17 CFR § 270.18f-4)
Who it applies to
Entity scope: Registered investment companies (funds) that use derivatives, and the portfolio management and risk functions operating those strategies. (17 CFR § 270.18f-4)
Operational context (where it shows up):
- Portfolio teams trading derivatives for hedging, efficient portfolio management, or directional exposure.
- Funds whose derivatives exposure arises beyond the obvious swaps, futures, forwards and options: the rule's definition of a derivatives transaction also reaches similar instruments and short sale borrowings, and reverse repurchase agreements and unfunded commitment agreements have their own treatment under the rule, so the program's scoping memo should state which instruments it captures and why, and the risk measurement and monitoring must cover all of them. (17 CFR § 270.18f-4)
- Service-provider operating models where portfolio management is internal but risk analytics, middle office, or derivatives operations are performed by third parties; you still own the DRMP and must evidence oversight. (17 CFR § 270.18f-4)
Key scoping decision: Are you a limited derivatives user under the rule’s conditions, or do you need the full VaR program? This is the first gate because it drives the rest of your control design and reporting depth. (17 CFR § 270.18f-4)
What you actually need to do (step-by-step)
1) Establish scope and classify the fund
- Inventory derivatives activity across the fund(s): instrument types, strategies, trading venues, counterparties, and any structural exposures your risk team treats as derivatives risk for monitoring.
- Determine whether the fund qualifies as a limited derivatives user under the rule’s framework and document the basis for that conclusion. (17 CFR § 270.18f-4)
- Lock the perimeter: define what “counts” for purposes of the program in a written scoping memo (owned by Compliance/Risk, reviewed with portfolio leadership).
Operator tip: Treat “limited derivatives user” as a status you must re-justify through monitoring and evidence, not a one-time election. Your procedures should say who re-checks it and what triggers reclassification. (17 CFR § 270.18f-4)
2) Appoint a Derivatives Risk Manager (DRM) with board approval
- Draft a DRM role description: responsibilities, authority, independence expectations, and access to data/systems.
- Name the individual(s) who will serve as DRM. The rule requires the DRM to be an officer or officers of the fund's investment adviser with relevant experience in derivatives risk management; a portfolio manager of the fund may not serve as DRM, and where several officers share the role, portfolio managers may not make up a majority. Prepare the board materials to support approval. (17 CFR § 270.18f-4)
- Document decision rights: the DRM must be able to escalate issues, require remediation, and enforce the program procedures in a practical way.
Common hangup: Firms assign the title but not the authority (for example, the DRM cannot compel changes to models, limits, or trading practice). Exams tend to probe that gap through exception handling and escalation records. (17 CFR § 270.18f-4)
3) Write the DRMP as an operating procedure, not a narrative
Your DRMP should read like a playbook that a risk analyst can run and a PM can follow. Include:
- Risk identification and assessment: the risks you track (the rule names leverage, market, counterparty, liquidity, operational and legal risk; add model risk if your methodology warrants it) and where they arise in your strategies. (17 CFR § 270.18f-4)
- Risk guidelines and limits: the VaR-based risk limit approach required by the rule, and how you calibrate it for each fund/strategy. (17 CFR § 270.18f-4)
- Testing and monitoring: how VaR is calculated and the VaR test checked (the rule requires a compliance determination at least once each business day), how inputs are validated and outputs reviewed, and how stress testing and backtesting are run (each no less frequently than weekly under the rule). (17 CFR § 270.18f-4)
- Escalation and remediation: thresholds, breach definition, notifications, and required actions.
- Governance: DRM responsibilities, committee touchpoints, and board reporting content/cadence. (17 CFR § 270.18f-4)
Practical structure that works in exams:
- One page: roles and RACI
- One page: limit framework and breach taxonomy
- One page: monitoring workflow and evidence produced
- Appendices: model documentation, data sources, templates, board report outline
4) Implement VaR-based compliance workflows (or limited-user controls)
If not a limited derivatives user:
- Stand up the VaR measurement process: data feeds, model and assumptions governance, and a calculation that meets the rule's model parameters (99% confidence level, 20-trading-day time horizon, at least three years of historical market data), with the compliance determination made at least once each business day. (17 CFR § 270.18f-4)
- Implement pre-trade and/or post-trade checks aligned to how trading occurs. If you cannot do reliable pre-trade checks, document compensating controls and show tight post-trade monitoring with escalation.
- Create an exceptions register: every breach/override, owner, root cause, remediation, closure evidence.
- Build an attestation routine where the DRM signs off that required reviews occurred and that breaches were handled per procedure.
If a limited derivatives user:
- Document the method used to measure derivatives exposure against the rule's 10%-of-net-assets condition and who reviews it. If exposure goes over the threshold, the fund must bring it back within five business days; otherwise the adviser must report in writing to the board on whether it will reduce exposure or move the fund onto the full program. (17 CFR § 270.18f-4)
- Define triggers that force migration to the full program (for example, sustained growth in derivatives activity, new strategies, or market stress that changes risk).
- Retain evidence that monitoring occurred and that changes were escalated.
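The following is an added example, not code from the page or from any vendor it mentions: a minimal Python model of the limit and escalation logic that step 4 asks you to operationalize, for both the full-program path (relative or absolute VaR test, with the five-business-day exceedance clock that triggers board reporting) and the limited-user path (the 10%-of-net-assets exposure check). The thresholds are the rule's; the fund VaR figures, dates and net-asset values are constructed, and all function and variable names are this example's own. A holiday calendar is deliberately out of scope.

```python
"""Added illustration of Rule 18f-4 limit logic.

Thresholds are the rule's; the sample VaR figures, dates and names are
constructed for this example and are not from any real fund.
"""
from datetime import date, timedelta
from typing import List, Optional, Tuple

RELATIVE_VAR_LIMIT = 2.00       # fund VaR may not exceed 200% of the reference portfolio's VaR
ABSOLUTE_VAR_LIMIT = 0.20       # absolute test: fund VaR may not exceed 20% of net assets
LIMITED_USER_EXPOSURE = 0.10    # limited derivatives user: exposure at most 10% of net assets
REPORT_AFTER_BUSINESS_DAYS = 5  # an exceedance not cured within five business days goes to the board


def is_limited_derivatives_user(derivatives_exposure: float, net_assets: float) -> bool:
    """Limited-user eligibility: exposure (per the fund's documented method) within 10% of net assets."""
    return derivatives_exposure <= LIMITED_USER_EXPOSURE * net_assets


def var_test_passes(fund_var: float, net_assets: float, reference_var: Optional[float] = None) -> bool:
    """Relative VaR test when a designated reference portfolio is used; absolute test otherwise."""
    if reference_var is not None:
        return fund_var <= RELATIVE_VAR_LIMIT * reference_var
    return fund_var <= ABSOLUTE_VAR_LIMIT * net_assets


def business_days(start: date, count: int) -> List[date]:
    """Consecutive weekdays from start (holiday calendars are out of scope for this example)."""
    days, d = [], start
    while len(days) < count:
        if d.weekday() < 5:
            days.append(d)
        d += timedelta(days=1)
    return days


def run_var_monitoring(observations: List[Tuple[date, float]], net_assets: float,
                       reference_var: Optional[float] = None) -> List[Tuple[str, date]]:
    """Replay daily VaR observations [(date, fund_var), ...] in business-day order.

    Emits (event, date) pairs: 'exceedance' on the first failing day,
    'board_report_required' once five further business days pass without a cure,
    and 'back_in_compliance' on the first passing day after an exceedance.
    """
    events: List[Tuple[str, date]] = []
    first_breach, days_since, reported = None, 0, False
    for day, fund_var in observations:
        if var_test_passes(fund_var, net_assets, reference_var):
            if first_breach is not None:
                events.append(("back_in_compliance", day))
            first_breach, days_since, reported = None, 0, False
            continue
        if first_breach is None:
            # First failing day starts the clock; the cure window is counted from here.
            first_breach, days_since, reported = day, 0, False
            events.append(("exceedance", day))
            continue
        days_since += 1
        if days_since >= REPORT_AFTER_BUSINESS_DAYS and not reported:
            events.append(("board_report_required", day))
            reported = True
    return events


# Constructed scenario: a $100m fund tested against a $1.0m reference-portfolio VaR,
# so the relative limit is $2.0m. Six consecutive failing days, then a cure.
NET_ASSETS = 100_000_000.0
REFERENCE_VAR = 1_000_000.0
SAMPLE_DAYS = business_days(date(2024, 1, 8), 8)
SAMPLE_FUND_VAR = [1_500_000.0, 2_500_000.0, 2_500_000.0, 2_500_000.0,
                   2_500_000.0, 2_500_000.0, 2_500_000.0, 1_800_000.0]
SAMPLE_OBSERVATIONS = list(zip(SAMPLE_DAYS, SAMPLE_FUND_VAR))


def sample_events() -> List[Tuple[str, date]]:
    """Run the constructed scenario through the monitor."""
    return run_var_monitoring(SAMPLE_OBSERVATIONS, NET_ASSETS, REFERENCE_VAR)


if __name__ == "__main__":
    for event, day in sample_events():
        print(day.isoformat(), event)
```

The point of the replay function is that the exceptions register and the board escalation fall out of the same state machine: the first failing day is the logged exception, the fifth business day without a cure is the board-reporting trigger, and the first passing day closes the record. In production the observations would come from the daily VaR run rather than a constructed list, and the emitted events would be written to the register with the owner and root cause attached.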
5) Board reporting and oversight mechanics
The rule calls for two kinds of written reporting from the DRM to the board: a report on the program's implementation and effectiveness, due before the program is implemented and at least annually thereafter, and regular reports, at a frequency the board determines, on VaR test exceedances and on stress-testing and backtesting results. Separately, an exceedance the fund has not cured within five business days must be reported to the board with an explanation of how and when compliance will be restored. (17 CFR § 270.18f-4) Many boards set a quarterly cadence for the regular report; whatever the cadence, treat it as a standard packet with consistent sections:
- Current period derivatives activity summary (high level)
- VaR metrics and limit status (by fund/strategy as applicable)
- Breaches and exceptions (what happened, why, what changed)
- Model changes or data issues
- Planned enhancements and open risks
- DRM attestation and management responses
Make the board pack auditable: Every number should trace back to a system report or calculation file retained under recordkeeping.
6) Ongoing program maintenance
- Run periodic effectiveness reviews: compare the DRMP’s stated steps to what your teams actually did (tickets, logs, committee minutes, and approvals).
- Reassess service-provider controls if a third party provides VaR analytics, risk engines, or derivatives operations; maintain oversight evidence.
- Refresh training for PMs and traders when limits, models, or strategies change.
Required evidence and artifacts to retain
Keep artifacts in a single DRMP evidence folder per fund (or per complex, with clear mapping). Typical artifacts:
- Board materials approving the Derivatives Risk Manager and program governance. (17 CFR § 270.18f-4)
- Final, version-controlled written DRMP, plus change history and approvals. (17 CFR § 270.18f-4)
- VaR methodology documentation: model description, assumptions, data sources, and validation/change-control records.
- Ongoing VaR calculation outputs and limit monitoring logs.
- Breach/exception register with remediation and closure evidence.
- Board reports (the DRM's annual written assessment and the regular reports at the board's chosen cadence) and supporting workpapers. (17 CFR § 270.18f-4)
- Limited derivatives user eligibility memos and monitoring evidence, if applicable. (17 CFR § 270.18f-4)
- Third-party oversight artifacts (SLAs, SOC reports if obtained, issue logs, service review minutes) where third parties support the program.
Daydream fit (earned mention): If you manage multiple funds and service-provider inputs, Daydream can serve as the system of record for DRMP artifacts, exception workflows, approvals, and board-report production tasks, so you can show a clean audit trail without stitching together email threads.
Common exam/audit questions and hangups
Expect reviewers to ask:
- Show the current DRMP and how it maps to Rule 18f-4 requirements. (17 CFR § 270.18f-4)
- Who is the DRM, where is board approval, and what authority does the DRM have in practice? (17 CFR § 270.18f-4)
- Demonstrate your VaR limit approach and provide monitoring evidence for selected dates.
- Provide the most recent board reports (annual assessment and regular reports) and the workpapers supporting the numbers. (17 CFR § 270.18f-4)
- Walk through the last breach/exception end-to-end: detection, escalation, remediation, documentation.
- If you claim limited derivatives user status, prove your exposure monitoring and governance around staying in scope. (17 CFR § 270.18f-4)
Hangups that slow exams:
- VaR results exist, but no documented threshold logic or escalation.
- Board reporting is high level and not tied to measurable program operation.
- Program says “daily monitoring,” but logs show gaps with no explanation.
Frequent implementation mistakes (and how to avoid them)
- Writing the DRMP as a policy instead of procedures. Fix: Add runbooks, named owners, systems of record, and required evidence outputs per step. (17 CFR § 270.18f-4)
- DRM in name only. Fix: Document decision rights and escalation routes, and keep examples where the DRM required action (model change, trading constraint, remediation).
- Model governance is informal. Fix: Put VaR model changes through change control, retain approvals, and record backtesting and validation activities consistent with your governance model. (17 CFR § 270.18f-4)
- Limited derivatives user status treated as permanent. Fix: Create periodic re-checks, triggers, and a documented escalation path to move into the full program when required. (17 CFR § 270.18f-4)
- Board reporting without operational substance. Fix: Standardize the board pack with limit status, exceptions, and attestation. Keep workpapers.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific actions.
Operational risk still matters: a weak DRMP increases the chance of undetected limit breaches, inconsistent risk measurement, and governance failures that can become exam findings and require remediation under time pressure. Rule 18f-4 also makes board oversight concrete, so documentation gaps often become governance gaps. (17 CFR § 270.18f-4)
Practical 30/60/90-day execution plan
First 30 days (stabilize governance and scope)
- Confirm which funds use derivatives and complete the derivatives inventory.
- Determine limited derivatives user status per fund and document the conclusion. (17 CFR § 270.18f-4)
- Draft DRM designation package, including role description and authority.
- Create the DRMP outline and evidence checklist; stand up a central repository (Daydream or equivalent).
Days 31–60 (build the repeatable workflows)
- Finalize the written DRMP with procedures, escalation logic, and templates. (17 CFR § 270.18f-4)
- Implement VaR monitoring workflow (or limited-user monitoring) with defined owners and evidence outputs. (17 CFR § 270.18f-4)
- Stand up the exception register and start logging events, even during pilot.
- Produce a mock board report using real data to test traceability. (17 CFR § 270.18f-4)
Days 61–90 (prove operating effectiveness)
- Run the program through a full cycle: monitoring, review, exceptions (if any), closure documentation.
- Deliver the board report in production format, retain workpapers, and capture feedback. (17 CFR § 270.18f-4)
- Perform an internal “exam simulation”: pick sample dates/trades and prove VaR monitoring, approvals, and escalation.
- Tighten third-party oversight where analytics or operations are outsourced; document service reviews and issue management.
Frequently Asked Questions
Do we need a DRMP if we only use derivatives for hedging?
If the fund uses derivatives, Rule 18f-4 drives the DRMP requirement, with potential eligibility for limited derivatives user treatment depending on exposure. Document your use case and classification decision. (17 CFR § 270.18f-4)
Who should be the Derivatives Risk Manager?
The rule requires appointment of a Derivatives Risk Manager approved by the board, so pick someone with the authority and competence to run the program and escalate issues. Document responsibilities, decision rights, and reporting lines. (17 CFR § 270.18f-4)
Can a third party run our VaR calculations?
A third party can support analytics, but you still own the DRMP and must retain oversight evidence, inputs/outputs, and governance records that show the program operates as written. (17 CFR § 270.18f-4)
What should the board reports include?
The annual written report is the DRM's assessment of the program's implementation and effectiveness. The regular report, at the cadence the board sets, should give a consistent view of program operations: VaR limit status and any exceedances, backtesting and stress-testing results, exceptions and their remediation, key model or data changes, and the DRM's assessment. Retain the workpapers supporting the reported figures. (17 CFR § 270.18f-4)
We qualify as a limited derivatives user today. What controls do we still need?
You need documented monitoring that supports continued eligibility, clear triggers for escalation if exposure increases, and evidence that reviews occurred. Treat eligibility as a monitored condition, not a permanent label. (17 CFR § 270.18f-4)
What is the single easiest way to fail this requirement in an exam?
Having a written DRMP but no operational trail: missing monitoring logs, no exception tracking, unclear DRM authority, or board reports that cannot be tied back to source data. Build the evidence trail as you build the process. (17 CFR § 270.18f-4)