The Unwritten Rule: Why Treasury Policies Are No Longer Optional

TREASURY GOVERNANCE · RISK MANAGEMENT · BEST PRACTICES

No regulation compels you to write them. Every incident that could have been prevented will ask why you did not.

Treasury policies are not a regulatory obligation — they are something more important: a professional discipline, a governance statement, and a protective shield for both the company and the treasurer personally. From the General Treasury Policy that frames the department's mandate to the granular rules of an FX or Interest Rate policy, these documents define what is permitted, what is prohibited, and who decides in between. They give comfort to CFOs, credibility to rating agencies, and assurance to auditors. They also draw a clear line between policy and procedure — between the principles that govern action and the instructions that describe how. This article argues that in today's environment, a treasury without documented policies is not a lean operation. It is an exposed one.

1. No Regulation — Yet More Necessary Than Ever

Let us start with what is often used as a reason not to write treasury policies: there is no law requiring it. No EU directive, no IFRS standard, no central bank circular mandates that a corporate treasury function must maintain a written FX policy or a formally approved interest rate risk framework. In the absence of a regulatory gun to the head, the temptation to treat policy documentation as an optional administrative exercise — something to get to eventually, once the real work is done — is understandable.

It is also profoundly mistaken. The absence of a regulatory obligation does not mean the absence of consequences. It means the consequences are deferred — to the moment when a rogue derivative position appears in the accounts, when an auditor asks who authorised a payment that bypassed all controls, when a rating agency analyst asks what limits govern the treasury's counterparty exposure, or when a treasurer is asked to explain a significant FX loss to a board that had no idea the exposure existed. At that moment, the question is not 'did the regulation require a policy?' It is 'why did you not have one?'

No external regulation forces you to document your treasury framework. But every incident, every audit finding, and every rating review will ask the same question: what were the rules, and who approved them?

Treasury policies exist precisely because the treasury function operates at the intersection of large financial flows, complex instruments, counterparty relationships, and accounting frameworks — an environment where the cost of ambiguity is not theoretical. A treasury that has never defined its permitted hedging instruments, its authorisation thresholds, or its approach to FX exposure is not operating in a grey area. It is operating in the dark.

2. Policy as Protection: The Treasurer and the CFO

There is a dimension of treasury policy that is rarely discussed openly but is understood by every experienced practitioner: policies protect people, not just companies. Consider the position of a Group Treasurer who executes a cross-currency interest rate swap on behalf of the company. The transaction is legitimate, competitively priced, and commercially appropriate. Twelve months later, markets have moved, the mark-to-market is negative, and someone — a new CFO, a board member, an auditor — asks why the instrument was used, who authorised it, and whether it was within the company's risk framework. If there is a treasury policy that listed cross-currency swaps in the approved instrument list, defined the authorisation level required, and documented the risk management objective, the answer to every question is clear. If there is no policy, the treasurer is answering without a net.

The CFO faces an equivalent exposure. Treasury is typically one of the most significant financial risk management functions in a group — managing liquidity, FX, interest rate, and counterparty exposures that can materially affect the P&L and balance sheet. A CFO who has not ensured that a documented framework governs that function has not delegated; they have abdicated. A well-structured treasury policy suite gives the CFO three things: visibility (I know what rules apply), comfort (those rules were approved at the right level), and defence (those rules were followed when things went wrong).

A treasury policy does not constrain the treasurer's professional judgement. It creates the documented context within which that judgement can be exercised — and defended.

This protective function extends to the company itself. Documented policies demonstrate that the Board and senior management have given conscious, considered approval to the framework within which financial risks are managed. This matters for directors' liability purposes, for insurance coverage assessments, and for the governance disclosures that increasingly appear in annual reports and sustainability statements.

3. What Auditors, Rating Agencies, and Boards Actually Look For

Internal and external auditors are not primarily looking for errors. They are looking for evidence of a control environment — the documented framework within which transactions occur and risks are managed. A treasury without written policies is an audit finding waiting to be written. Conversely, a treasury with a comprehensive, Board-approved policy suite, last reviewed within the last twelve months, answers the auditor's first three questions before they are asked. External auditors increasingly focus on treasury as a source of financial statement risk — particularly in relation to derivative fair values, hedge accounting designations under IFRS 9, and the completeness of IFRS 7 disclosures. Each of these requires not just that the right transactions were executed but that they were executed within a documented framework that supports the accounting treatment. A forward contract that has been designated as an IFRS 9 cash flow hedge requires formal hedge documentation at inception — and that documentation is an output of a functioning FX policy, not a substitute for one.

Credit rating agencies — and the internal credit analysis teams at relationship banks — conduct their own assessments of treasury governance. The presence of a formally documented treasury framework, communicated publicly (at least in outline) in the annual report or investor presentation, signals that the company's financial risk management is professional, structured, and supervised. The absence of any reference to treasury policies in the annual report is not neutral — it is a data point that analysts note. For listed companies and those with public debt outstanding, the annual report is increasingly the arena in which treasury governance is communicated to the market. A clear statement that the company operates a Board-approved treasury policy covering FX risk, interest rate risk, liquidity risk, and counterparty risk — with defined limits, approved instruments, and annual Board review — adds measurable credibility. It costs nothing to include. It costs considerably more not to.

4. Policy vs. Procedure: A Distinction That Matters

One of the most important — and most frequently collapsed — distinctions in treasury governance is between a policy and a procedure. They are not the same document written at different levels of detail. They are fundamentally different instruments serving different purposes, and conflating them weakens both.

A treasury policy defines principles, limits, and boundaries. It answers the question: what are the rules? It specifies what is permitted (approved hedging instruments, authorised counterparties, accepted risk levels), what is prohibited (speculative positions, instruments with uncapped loss potential, accounts with non-approved banks), who may decide (CFO, Head of Treasury, Board), and what triggers escalation (limit breaches, rating downgrades, material exceptions). A policy is approved at the appropriate governance level — typically the Board or CFO — and is reviewed at least annually. It is relatively stable: it does not change every time a market rate moves or a counterparty is added to the approved list.

A treasury procedure explains how to apply those principles in practice. It answers the question: how do we do it? It describes the step-by-step process for executing a hedge request, the format required for the hedge relation report, the cut-off times for FX deal submission, the workflow for opening a new bank account, or the reconciliation process between the TMS and the ERP. Procedures are operational documents, typically owned by the Head of Treasury, updated more frequently, and reviewed as processes change.

The policy sets the boundaries of the field. The procedure describes how to play the game within them. You need both — and you should never mistake one for the other.

In practice, the most common failure mode is not the absence of procedures but the absence of policies — or the existence of documents that describe processes in detail without ever stating the principles and limits that govern them. A treasury that knows exactly how to execute a forward contract but has never defined which forward contracts are permitted, up to what tenor, for which purposes, and at what approval level, has procedures without governance.

5. The Essential Coverage of a Treasury Policy Suite

A comprehensive treasury policy suite need not be a library. But it should cover, at minimum, the following terrain — with each policy document approved at the appropriate level and reviewed annually.

Each of these documents should share a common architecture: a statement of purpose and scope, a definition of roles and responsibilities, the specific rules and limits that constitute the policy content, an approved instruments or counterparties list, and an escalation and exception process. The exception process is particularly important — no policy can anticipate every market condition, and a framework that provides no legitimate route to seek an exception will simply be bypassed informally.

6. What Policies Must Do: The Seven Functions

A treasury policy suite that works — that is genuinely used rather than filed — fulfils seven distinct functions simultaneously.

• Frame the department's mandate. A policy states what treasury is for — service centre, not profit centre; risk reducer, not risk taker — and gives every member of the team a shared understanding of the function's purpose.

• Set quantitative thresholds and limits. Hedge ratios by maturity horizon, maximum counterparty exposure, minimum liquidity buffers, maximum floating-rate debt percentage — these are the specific, measurable limits that make a policy operational rather than aspirational.

• Prohibit what must not be done. Explicitly listing prohibited instruments (uncovered written options, exotic derivatives, speculative positions) is as important as listing what is permitted. The absence of a prohibition is not an implicit permission — but it will be argued as one.

• Define escalation and arbitration paths. When a limit is breached, when a market event makes a hedge ratio temporarily unachievable, when a counterparty is downgraded below the minimum threshold — the policy must define who decides, within what timeframe, and on what terms.

• Support internal controls. A policy provides the framework against which internal audit can assess compliance. Without a policy, there is nothing to audit — only activity, with no benchmark against which to measure it.

• Enable accounting treatment. For IFRS 9 hedge accounting, for EMIR reporting, for IFRS 7 disclosure — the existence and content of a treasury policy is often a necessary precondition for the correct accounting treatment of financial instruments.

• Signal professionalism externally. To rating agencies, to banks assessing the quality of their corporate relationships, to investors reading the annual report — a documented treasury governance framework is a signal of maturity, discipline, and management quality that costs nothing to communicate and pays dividends in credibility.

7. The Cost of Not Having Them

Every significant treasury incident in corporate history — a rogue derivatives position, an undisclosed FX exposure, a payment fraud that bypassed controls, a hedge accounting restatement — has one element in common: the absence, inadequacy, or non-enforcement of a documented governance framework. The incident itself may have been caused by market movements, by human error, by fraud, or by complexity. But its impact — the financial loss, the reputational damage, the regulatory scrutiny, the personal liability — was always amplified by the absence of clear, approved, documented rules. Writing treasury policies is not a back-office administrative task. It is a strategic investment in the resilience, credibility, and professionalism of the treasury function. It takes time. It requires senior management engagement. It demands annual discipline to review and update. But it is, in every sense, work that pays for itself — not in normal times, when everything is going well, but in the moments that define how a treasury and a treasurer are judged. No regulation compels you to write them. That is precisely why writing them — and keeping them current — is one of the clearest signals of genuine professional excellence in corporate treasury.

Francois Masquelier, Chair of EACT - Luxembourg - May 2026