Successfully implementing risk management requires taking a business model approach. Risk management should focus on avoiding unintended risks and assuring that intended risks are aligned with investment decisions. The governance model should be built around a risk board, a team of risk measurement experts, independent risk controllers, and investment risk managers. It should be combined with a sound five step process based on i) measuring, ii) monitoring, iii) controlling, iv) managing, and v) communicating risk.

With the 2011 turmoil in the financial markets risk management has become an even hotter topic than it already was before. Implementing sound investment risk management practices for managing client assets requires having an in-depth understanding of what the outcome of risk management should be (product/service), who should be the beneficiary (client), and how it should be delivered (service channel). This means sound investment risk management requires developing and implementing a business model for risk management.


Taking investment risks is at the core of managing client assets. It is only through taking financial risks that a return in excess of the risk-free rate, the portfolio’s alpha, can be achieved. But not all financial risks taken will lead to a positive alpha. Therefore, it is important to understand and manage the risks taken. Formally this means

  • avoid unintended risks, and
  • ensure that the investment risks taken are aligned with the investment decisions.

Investment risks taken by the investment manager should be such that he (or she) expects a majority of the risks not to materialize, and thus translate into positive alpha.


There exist three major players interested in sound risk management:

  • Clients/investors – They wants to make sure that their assets are managed according to the agreed upon specification.
  • Senior management – They want to make sure that the factory managing client assets runs as smoothly as possible and that the produced product quality comes as close as possible or even exceeds the agreements with the investors.
  • Investment managers – Their goal is to ensure that the risk universe is optimally exploited. Rather than limit or avoid risk, their goal is to maximize the risk taken, given the agreed upon guidelines, so as to maximize the alpha generated. In addition, they want to avoid risks that are not rewarded.


There exist two categories of risk, i) the intended risks, risk for which the investment manager expects to be rewarded, and ii) unintended risks, which are those risks that should be avoided as they are not rewarded with return by the markets.


Intended risks are market risks, credit risk, market liquidity risks (risks stemming from holding assets for which potentially insufficient buyers exist at a given point in time), and most important information risks (risks of incorrect forecasts).


Unintended risks are diversifiable market risks, cash liquidity risks (so called margin call risks), investment process risks, operational risks, model risks, and legal and reputational risks.


The governance structure forms a key pillar of a successful risk management business model. It should be composed of four bodies,

  • the risk board,
  • the risk measurement team,
  • the risk controllers, and
  • the investment risk managers.

Exhibit 1 illustrates a possible organizational structure reflecting a sound risk management governance structure.

Exhibit 1 – Organizational governance structure (only risk related functions are shown)

Exhibit 1 – Organizational governance structure (only risk related functions are shown)


The risk board is in charge of deciding on all aspects regarding risk related to managing client assets. It has a strategic role and as such must have final authority on all risk topics, unless they are explicitly handled by the board of directors or other senior executives not involved in managing or monitoring portfolio risks. It defines guidelines for managing intended and avoiding unintended risk, and delegates the authority to enforce them to the risk controllers. It must not be involved in the day to day management of risk, roles which are delegated to the three other risk functions.


The risk measurement team is responsible for the development of in-house and implementation of all quantitative and qualitative risk models used. It is also responsible for the results of all day to day risk calculations. It should play the role of subject matter expert with respect to risk and take a consulting stance. It should not have any controlling or enforcement responsibilities to ensure independence and avoid conflicts of interest between the producer and the consumer of risk data.


The risk board delegates the day to day controlling of unintended risks as well assuring that all intended risks stay within the defined limits to the risk controllers. The risk controllers must be authorized to enforce corrective measures when risk breaches are detected. They should also have responsibility to approve risk guidelines at the client portfolio level, under the assumption that they do not violate any firm or product specific guidelines. They should be in the lead of executing the risk management process, approved by the risk board.


The investment risk managers, whether a dedicated role or part of the portfolio management role are responsible for managing the portfolio risk by

  • ensuring that only risks that are expected to generate positive alpha are taken,
  • using risk limits according to the product or client guidelines, and
  • ensuring that no risk limits are breached.

They are the primary point of contact for the risk controllers. Any risk data they use should be provided by the risk measurement team to ensure independence.


The risk management process should focus on taking a forward-looking stance, rather than be backward looking. There exist five steps in a sound risk management process as shown in Exhibit 2.

  • Measuring risks – Risks are assessed by the risk measurement team using quantitative as well as qualitative methods
  • Monitoring risks – Risk figures are monitored and interpreted by the risk controllers according to a pre-defined and approved process
  • Controlling risks – If monitoring has shown irregularities, remedies are decided, enforced and reviewed by the risk controllers
  • Managing intended risks – Risk is steered as part of the investment process assuring that only risks aligned with investment decisions are taken
  • Communicating about risks – Risk results are communicated to all stakeholders after the fact.

To avoid any front-running or conflicts of interest, communication in steps 1) to 4) needs to be on a need-to-know basis.

Exhibit 2 – Process implementing sound risk management

Exhibit 2 – Process implementing sound risk management


There exist numerous tools for measuring and monitoring risk at the firm, product, client, portfolio, and instrument level. The most important tool and model selection criteria should be that they focus on best assessing the specific risks to be tracked and monitored. Therefore, the methods used for measuring intended risks should be aligned with the way the portfolios are managed. There does not exist a one-size-fits-it-all solution.


  • Avoid unintended risks and ensure that intended risks taken are aligned with the investment decisions
  • Define a sound risk ownership governance structure that avoids any potential conflicts of interests
  • Implement a five-step risk management process based on i) risk measurement, ii) risk monitoring, iii) risk controlling, iv) risk management, and v) risk communication.