How Banks Use VaR Internally

At major financial institutions, VaR is not just a number calculated once a week—it's the backbone of daily risk governance. Banks use VaR to enforce position limits, allocate capital to business units, stress-test portfolios, and report to regulators. Every trading desk has a VaR limit. Exceed it, and you face a conversation with senior management or get shut down entirely. Understanding how banks use VaR internally reveals both its power as a risk control tool and its real-world pitfalls. A retail trader or analyst can learn from these bank practices, adapting the discipline of institutional VaR management to smaller portfolios.

Quick definition: Bank var risk management is the institutional practice of calculating VaR daily, comparing actual to limit, enforcing trading restrictions, and using VaR to allocate capital and calculate regulatory requirements.

Key takeaways

• VaR is the primary trading limit: Most banks cap daily VaR per desk, portfolio, or trading book at a fixed dollar amount or percentage of capital.
• Two-level governance: Desks monitor intraday VaR; senior risk management reviews daily VaR; regulators review 10-day and stressed VaR.
• VaR backtest failures trigger action: When actual losses exceed VaR more than expected, risk managers investigate and adjust position limits.
• Capital allocation uses VaR: Banks allocate capital to business units based partly on VaR. Higher VaR = higher capital requirement = fewer resources allocated.
• Stressed VaR is equally mandatory: Since 2008, banks must calculate VaR twice—once on recent data and once on crisis-period data. The larger number drives regulatory requirements.
• Model validation is continuous: Banks have teams dedicated to testing VaR models, comparing methods, and checking assumptions.

The structure of bank risk governance

Inside a large bank, risk management is hierarchical. The structure typically looks like:

• Trading desk: Traders and portfolio managers execute positions. They monitor 1-day VaR intraday (sometimes hourly).
• Desk risk manager: A dedicated risk officer on or near the trading floor watches real-time VaR and alerts traders if they're approaching limits.
• Middle office (Market Risk Management): Independent risk team that calculates daily VaR for each desk, compares to limits, and escalates breaches.
• Senior management (Chief Risk Officer, Chief Financial Officer): Reviews daily risk reports, approves risk appetite, and sets overall VaR limits for the firm.
• Internal audit and compliance: Validates that risk models work, risk limits are enforced, and controls aren't circumvented.
• Regulators (Federal Reserve, OCC, SEC): Receive regular VaR reports, require stress testing, and impose minimum capital based on VaR and expected shortfall.

Each level uses VaR differently, but the goal is the same: catch excessive risk before it becomes a catastrophic loss.

How daily VaR limits work

A typical bank might set a daily VaR limit for a trading desk like this:

Equities desk: Daily 95% VaR limit = $5 million
Fixed Income desk: Daily 95% VaR limit = $3 million
FX desk: Daily 95% VaR limit = $2 million
Derivatives desk: Daily 95% VaR limit = $8 million
Total firm daily VaR limit: $20 million

Each morning, the risk management team calculates the current VaR for each desk given its positions. If the equities desk holds positions that imply a VaR of $4.2 million, it's within limit. If VaR rises to $5.8 million, the desk has breached. Traders are then told to reduce risk: sell some positions, hedge with derivatives, or reduce leverage.

The limit is not a hard physical stop. Traders cannot directly hit a limit and be unable to execute the next trade. Rather, the limit is a control. If you breach, your head trader is called, and you must justify why you're above limit. If you can't, you're told to reduce. If you ignore the warning, you face escalation to department heads, and eventually, senior management will forcibly reduce your positions.

In practice, breaches are rare because traders internalize the limit. A trader who consistently approaches or hits limits gets less capital allocation next quarter and loses face. Most traders stay well below their limit as a safety margin.

How intraday VaR monitoring works

Modern trading floors have real-time risk dashboards. A desk's VaR is recalculated throughout the day as positions change.

9:30 AM (market open): The risk team publishes the morning VaR report. Equities desk's current VaR is $3.2 million, well below the $5 million limit. Green light.

11:45 AM: A big client calls wanting to buy $50 million of technology stocks. The traders discuss it with the desk risk manager. They calculate what the desk's new VaR would be if they took the trade. If VaR would rise to $5.3 million (above limit), they either reject the trade, hedge it, or ask the CRO for a temporary limit increase. Often, they'll do a partial trade: $30 million instead of $50 million.

1:15 PM: The S&P 500 drops 2%. The desk's VaR rises from $3.2 million to $4.1 million due to higher volatility. Still within limit, but the desk now has less capacity for new trades. They pause new position-taking and focus on servicing existing clients without growing risk.

2:45 PM: Market volatility spikes further. The desk's VaR hits $4.8 million, just $200,000 from limit. The desk risk manager tells traders to stop initiating new long positions. They can only hedge or reduce.

4:00 PM (close): VaR settles at $4.7 million. The desk has stayed in control all day by being proactive. If VaR had hit $5.1 million, the CRO would be called, and forced selling would begin.

This process repeats on every trading desk every single day at most major banks.

VaR and position limits: The relationship

Banks often set both VaR limits and notional position limits. They serve different purposes:

• Notional limit: You can't hold more than $100 million notional in tech stocks. This is a hard constraint based on nominal exposure.
• VaR limit: You can't have more than $2 million VaR. This accounts for both size and volatility/correlation.

A trader might hold $100 million in low-volatility dividend stocks with little correlation to other holdings, resulting in $800,000 VaR. The same trader holding $50 million in highly volatile tech stocks with high correlation to other holdings might have $1.5 million VaR. Both are within notional limits, but VaR is more sensitive to actual risk.

This is one reason VaR is superior to simple notional limits. A trader can't hide risk by gaming the position-size rule. Higher volatility automatically triggers a higher VaR, which tightens the constraint.

Visualizing the daily VaR governance process

Capital allocation based on VaR

Banks allocate capital to business units partly based on VaR. This creates a financial incentive for traders to manage risk well.

Example bank allocation model:

Minimum capital requirement = 8% × Risk-weighted assets (from Basel rules)
Additional capital for VaR = 10-day VaR × 3 × Scaling factor
Total capital buffer = Min capital + VaR capital

If the equities desk has a 10-day VaR of $10 million, the bank must hold capital of roughly 10 × 3 = $30 million to cover that risk with a safety margin. This capital is "assigned" to the equities desk. If the desk generates $50 million in annual profit but consumes $30 million of capital, its return-on-capital is 50/30 = 1.67.

Compare to the fixed income desk: $40 million profit, $15 million VaR-based capital, RoC = 40/15 = 2.67. The fixed income desk is more profitable per unit of risk. When the bank decides where to allocate growth capital next year, the fixed income desk gets priority.

This creates powerful incentives. A trader who reduces VaR gets access to more capital, enabling bigger trades and higher profits (assuming the market cooperates). A trader who consistently breaches limits gets capital cut and eventual termination.

Stress testing and scenario analysis: Complementing VaR

VaR is useful for daily risk management, but banks know it's incomplete. They supplement with stress testing.

Every quarter (or more frequently during crises), banks run stress tests:

• Historical stress: "What would happen to our portfolio if markets moved like they did in March 2008 or March 2020?" Banks overlay historical crisis market moves onto current positions and calculate losses.
• Hypothetical stress: "What if the S&P 500 fell 20%, yields rose 50 basis points, credit spreads widened 150 bps, volatility spiked to 60, and correlations moved to crisis levels?" Banks calculate portfolio loss under this scenario.
• Reverse stress test: "What magnitude of market move would cause us to post a loss greater than our capital?" If the answer is "a 5% market move," that's unacceptable—a 5% move is not rare. Banks adjust positions until the answer is "only a 40% crash would wipe us out," which is rare enough to be tolerable.

These stress tests often reveal risks that VaR misses. A portfolio with low VaR but high exposure to a particular tail scenario (e.g., a credit event in an emerging market) will show up in stress testing. The risk team then either hedges the exposure or imposes position limits specific to that scenario.

Backtesting: How banks validate VaR

Every major bank backtests its VaR models. Backtesting means comparing predicted VaR to actual daily losses and checking if the predictions are accurate.

Simple backtest:

• Calculate 95% daily VaR each day (predicted).
• At end of day, observe actual loss.
• If actual loss exceeds predicted VaR, it's a "breach" or "exception."
• Under a well-calibrated 95% VaR, breaches should occur on about 1% of days (once per 100 trading days, or about 2–3 times per year for a 250-day trading year).

If a bank backtests and finds 20 breaches per year instead of 2–3, something is wrong. Either:

• The VaR model is systematically underestimating risk (model is biased).
• The market is more volatile than historical data suggests (regime shift).
• The risk manager is not updating the model frequently enough.

When a bank finds excess breaches, regulators require them to increase their capital buffer. Under Basel III, too many backtesting exceptions trigger a "multiplier," forcing the bank to hold even more capital.

This creates accountability. A bank CRO cannot hide behind a VaR model forever. Eventually, backtesting reveals truth.

Real-world example: JPMorgan's London Whale

In 2012, a derivatives trader named Bruno Iksil at JPMorgan's London office built a massive credit derivatives position. On paper, the position was hedged (matched with offsetting trades). The VaR appeared low.

But the "hedge" was imperfect. Correlations shifted, and losses began. The position grew to a $6.2 billion loss over several months. The risk management team's VaR model had underestimated the tail risk in the position. The hedge looked like it would work in normal markets, but in stressed markets, it failed.

Post-incident analysis revealed several failures:

• The desk's risk manager didn't fully understand the position (it was complex).
• The VaR model assumed normal correlations that broke during the stress.
• Senior management didn't enforce position limits strictly.
• The trader was able to circumvent or redefine limits by claiming the position was "hedged."

JPMorgan's damage was limited by:

• Daily VaR monitoring (losses were detected and eventually stopped).
• Stress testing (which would have caught the tail risk if properly run).
• Capital buffers (JPMorgan had enough capital to absorb the loss without failing).

The London Whale case shows both VaR's power (daily monitoring caught the problem within months, not years) and its limits (VaR alone didn't prevent the crisis because it missed tail risk in the "hedge").

How regulated capital rules use VaR

Under Basel III and Dodd-Frank, banks must hold capital partly determined by VaR:

Minimum capital = max(
  Standardized approach capital,
  Internal VaR models capital,
  Stressed VaR capital
)

Standardized approach: Regulators assign risk weights to assets (e.g., 100% of equity exposure, 20% of Treasury exposure) and require capital = 8% × risk-weighted assets.

Internal VaR models: Banks calculate 10-day 99% VaR and 10-day 99% stressed VaR. Minimum capital = 3 × max(current VaR, average VaR over past 60 days).

Stressed VaR: Same as VaR but calculated using a 250-day historical window that includes a significant market stress (e.g., Sept 2008 to Aug 2009).

The "3×" multiplier is a safety factor. If a bank's 10-day 99% VaR is $50 million, it must hold at least $150 million in capital to cover that risk. The multiplier gives a cushion for model uncertainty and tail risk beyond VaR.

This regulatory approach incentivizes banks to:

• Reduce VaR (smaller positions = lower capital requirement = better return on capital).
• Diversify (lower correlations = lower VaR).
• Use less leverage (smaller gross exposure = lower VaR).

However, it also creates incentives to game the model. A bank might structure positions to have low VaR while maintaining high risk in scenarios outside the model. This is one reason why regulators also require stress testing, expected shortfall, and regular audits.

Common mistakes banks make with VaR

Mistake 1: Over-relying on a single model. If all VaR calculations use the variance-covariance method, and that method has a flaw, the entire risk system fails. Best practice: use multiple VaR models and compare. If they diverge significantly, investigate.

Mistake 2: Not updating VaR models frequently enough. A bank might recalibrate VaR models once per year. In fast-moving markets, this is too slow. Many banks now update correlations and volatility weekly or daily. Some use real-time models that update intraday.

Mistake 3: Assuming VaR limits are immutable. During extreme market stress, VaR can spike faster than traders can reduce positions. Senior management must be prepared to adjust limits temporarily or face a forced blow-up. JPMorgan, for instance, would probably have closed the London Whale position much earlier if it had enforced limits with no exceptions.

Mistake 4: Mixing 1-day and 10-day VaR. A bank might set a 1-day VaR limit for daily risk management and a 10-day VaR for regulatory reporting. But if traders don't understand the difference, they might game the 1-day limit knowing the 10-day limit is higher. Clear communication about time horizons is essential.

Mistake 5: Failing to backtest regularly. A bank that backtests once a year is not serious about risk control. Backtesting should happen at least monthly, with rapid escalation if exceptions spike.

FAQ

How frequently do banks recalculate VaR?

Large banks calculate daily VaR every morning before market open (using end-of-day positions from the previous close). Some also calculate intraday VaR several times per day as positions change. Very sophisticated banks run real-time or continuous VaR updates. Smaller banks might update VaR weekly or monthly.

What happens if a trader breaches the VaR limit?

In theory, the trader's positions are forcibly reduced by the risk team. In practice, it depends on the bank's culture and the severity. A small breach (101% of limit) might just be a warning. A 10% breach (110% of limit) triggers senior management involvement and forced reduction. In crisis scenarios, the CRO has authority to liquidate positions immediately.

Are VaR limits set in dollar terms or as a percentage of capital?

Both. A bank might set a limit as "$50 million daily VaR" (dollar term) or "0.5% of tier-1 capital" (percentage term). Percentage limits automatically scale if the bank's capital changes. Dollar limits are simpler but require periodic adjustment if capital grows.

How do banks decide what VaR limit to set for a desk?

Several factors: (1) Expected profitability of the desk, (2) Historical volatility and losses, (3) Strategic importance of the desk, (4) Overall risk appetite of the firm, (5) Regulatory requirements. A desk expected to generate $100 million in profit might get a $5 million VaR limit. A desk expected to generate $10 million might get $1 million.

Why do banks use stressed VaR in addition to regular VaR?

Because regular VaR is based on recent-period volatility and correlations, which can be benign. Stressed VaR forces the model to use volatility and correlations from a real crisis period (e.g., 2008), ensuring the bank holds enough capital to survive if a crisis occurs. Regular VaR fails during crises (by definition), so stressed VaR is a way to force the model to respect tail risk.

Can a bank's VaR limit be so high that it's useless?

Yes. If the bank sets a $100 million daily VaR limit but the entire firm typically operates with only $10 million of VaR, the limit is not constraining and provides no real risk control. Effective limits are set close enough to expected operating ranges that breaching requires action.

Related concepts

• What Is Value at Risk?
• 1-Day vs. 10-Day VaR
• Stressed VaR Explained
• LTCM Full Story

Summary

Banks use VaR as their primary tool for daily risk governance, enforcing position limits, allocating capital, and satisfying regulators. A well-implemented VaR system catches excessive risk before it becomes catastrophic loss. However, VaR alone is insufficient. Banks supplement VaR with stress testing, expected shortfall, backtesting, and limit enforcement to create a comprehensive risk management framework. Understanding how banks use VaR reveals both its power as a control tool and the discipline required to make it work.

Next

→ Why VaR Failed in 2008