Risk management for smaller AIFMs
European rules ask a manager for an effective, documented risk process: identification, measurement, limits, monitoring and a record that survives review. What that means operationally for a boutique, and where the process usually breaks.
What the rules ask for
Article 15 of the AIFMD requires a risk management function functionally separated from portfolio management, systems that identify, measure, manage and monitor the material risks of each strategy, an assessment of how every position affects the whole portfolio, and stress tests. ESMA's common supervisory action on the risk management function, launched for 2026, examines the same qualities in practice: effectiveness, independence and knowledge.
The scope of these duties depends on the manager's status and jurisdiction: authorised managers carry the directive's full requirements, registered managers below its thresholds a lighter regime. The operational core is common to both: a risk process that exists in practice, runs on a rhythm and leaves a record. This page describes that core. Educational material, and no legal advice.
A working process, on a rhythm
A written policy is the start. Supervisors read for whether the function works: whether risks are identified before they bind the portfolio, measured against the whole of it, held against limits, escalated when a limit is crossed and reported to the people accountable. Each of those verbs needs a date attached to survive a later review.
A spreadsheet can hold the arithmetic. The difficulty lives in the rest of the chain: keeping event assessment in the same rhythm as measurement, recording why a matter was escalated or left alone, and being able to show, months later, what was known at the time of a decision.
Where the chain breaks
In small teams the same pattern repeats. Measurement lives in one tool and event assessment in another, so the judgment that connects a headline to an exposure never gets written down. Limits are checked at month end while markets move inside it. The record is reconstructed before an inspection instead of kept as the work happens, and reconstruction costs weeks.
Good teams meet this pattern too. The cause is workload: data quality, entity mapping, point-in-time history and validation run alongside the actual investment work, and large institutions staff that stack with separate teams.
Five elements of a record that survives review
First, dated observations: what was seen, when, and what was decided, including the decision to do nothing. Second, limits written as rules, with a log of every breach and its resolution. Third, a periodic report the governing body and investors can read, with its data date stated. Fourth, named sources and known limitations for every number. Fifth, a correction policy: changes are recorded, never silently overwritten.
A process with those five properties answers a supervisor's questions in hours. It also answers an investor's, and that is the quieter benefit: the same artefact that satisfies an inspection documents the discipline of the manager.
An independent layer above an existing process
Hawk Thorne adds an independent reading to a manager's own process. It does not replace the risk function and takes no investment decisions. The layer joins the mathematical view of the whole portfolio with an assessment of whether new information changes the assumptions behind an exposure, and it keeps the dated record as it goes.
AEGIS, the system Hawk Thorne runs this process on, registers a portfolio as weights only and holds exposures, scenarios, events and the manager's own limits with a dated breach log in one place. It currently runs in private preview, offered by introduction. Educational material, and no legal or investment advice.
