
2024 Curriculum CFA Program Level I Portfolio Management and Wealth Planning


Risk—and risk management—is an inescapable part of economic activity. People generally manage their affairs to be as happy and secure as their environment and resources will allow. But regardless of how carefully these affairs are managed, there is risk because the outcome, whether good or bad, is seldom predictable with complete certainty. There is risk inherent in nearly everything we do, but this reading will focus on economic and financial risk, particularly as it relates to investment management.

All businesses and investors manage risk, whether consciously or not, in the choices they make. At its core, business and investing are about allocating resources and capital to chosen risks. In their decision process, within an environment of uncertainty, these organizations may take steps to avoid some risks, pursue the risks that provide the highest rewards, and measure and mitigate their exposure to these risks as necessary. Risk management processes and tools make difficult business and financial problems easier to address in an uncertain world. Risk is not just a matter of fate; it is something that organizations can actively manage with their decisions, within a risk management framework. Risk is an integral part of the business or investment process. Even in the earliest models of modern portfolio theory, such as mean–variance portfolio optimization and the capital asset pricing model, investment return is linked directly to risk but requires that risk be managed optimally. Proper identification and measurement of risk, and keeping risks aligned with the goals of the enterprise, are key factors in managing businesses and investments. Good risk management results in a higher chance of a preferred outcome—more value for the company or portfolio or more utility for the individual.

Portfolio managers need to be familiar with risk management not only to improve the portfolio’s risk–return outcome, but also because of two other ways in which they use risk management at an enterprise level. First, they help to manage their own companies that have their own enterprise risk issues. Second, many portfolio assets are claims on companies that have risks. Portfolio managers need to evaluate the companies’ risks and how those companies are addressing them.

This reading takes a broad approach that addresses both the risk management of enterprises in general and portfolio risk management. The principles underlying portfolio risk management are generally applicable to the risk management of financial and non-financial institutions as well.

The concept of risk management is also relevant to individuals. Although many large organizations formally practice risk management, most individuals practice it more informally and some practice it haphazardly, oftentimes responding to risk events after they occur. Although many individuals do take reasonable precautions against unwanted risks, these precautions are often against obvious risks. The more subtle risks are often ignored. Unfortunately, many individuals do not view risk management as a formal, systematic process that would help them achieve not only their financial goals but also the ultimate goal, or maximum utility as economists like to call it. They should.

Although the primary focus of this reading is on institutions, we will also cover risk management as it applies to individuals. We will show that many common themes underlie risk management—themes that are applicable to both organizations and individuals.

Although often viewed as defensive, risk management is a valuable offensive weapon in the manager’s arsenal. In the quest for preferred outcomes, such as higher profit, returns, or share price, management does not usually get to choose the outcomes but does choose the risks it takes in pursuit of those outcomes. The choice of which risks to undertake through the allocation of its scarce resources is the key tool available to management. An organization with a comprehensive risk management culture in place, in which risk is integral to every key strategy and decision, should perform better in the long term, in good times and bad, as a result of better decision making.

The fact that all businesses and investors engage in risky activities (i.e., activities with uncertain outcomes) raises a number of important questions. The questions that this reading will address include the following:

  • What is risk management, and why is it important?

  • What risks does an organization (or individual) face in pursuing its objectives?

  • How are an organization’s goals affected by risk, and how does it make risk management decisions to produce better results?

  • How does risk governance guide the risk management process and risk budgeting to integrate an organization’s goals with its activities?

  • How does an organization measure and evaluate the risks it faces, and what tools does it have to address these risks?

The answers to these questions collectively help to define the process of risk management. This reading is organized along the lines of these questions. Section 2 describes the risk management process, and Section 3 discusses risk governance and risk tolerance. Section 4 covers the identification of various risks, and Section 5 addresses the measurement and management of risks. Section 6 provides a summary.

Learning Outcomes

The member should be able to:

  1. define risk management;

  2. describe features of a risk management framework;

  3. define risk governance and describe elements of effective risk governance;

  4. explain how risk tolerance affects risk management;

  5. describe risk budgeting and its role in risk governance;

  6. identify financial and non-financial sources of risk and describe how they may interact;

  7. describe methods for measuring and modifying risk exposures and factors to consider in choosing among the methods.


Success in business and investing requires the skillful selection and management of risks. A well-developed risk management process ties together an organization’s goals, strategic competencies, and tools to create value to help it both thrive and survive. Good risk management results in better decision making and a keener assessment of the many important trade-offs in business and investing, helping managers maximize value.

  • Risk and risk management are critical to good business and investing. Risk management is not only about avoiding risk.

  • Taking risk is an active choice by boards and management, investment managers, and individuals. Risks must be understood and carefully chosen and managed.

  • Risk exposure is the extent to which an organization’s value may be affected through sensitivity to underlying risks.

  • Risk management is a process that defines risk tolerance and measures, monitors, and modifies risks to be in line with that tolerance.

  • A risk management framework is the infrastructure, processes, and analytics needed to support effective risk management; it includes risk governance, risk identification and measurement, risk infrastructure, risk policies and processes, risk mitigation and management, communication, and strategic risk analysis and integration.

  • Risk governance is the top-level foundation for risk management, including risk oversight and setting risk tolerance for the organization.

  • Risk identification and measurement is the quantitative and qualitative assessment of all potential sources of risk and the organization’s risk exposures.

  • Risk infrastructure comprises the resources and systems required to track and assess the organization’s risk profile.

  • Risk policies and processes are management’s complement to risk governance at the operating level.

  • Risk mitigation and management is the active monitoring and adjusting of risk exposures, integrating all the other factors of the risk management framework.

  • Communication includes risk reporting and active feedback loops so that the risk process improves decision making.

  • Strategic risk analysis and integration involves using these risk tools to rigorously sort out the factors that are and are not adding value as well as incorporating this analysis into the management decision process, with the intent of improving outcomes.

  • Employing a risk management committee, along with a chief risk officer (CRO), is a hallmark of a strong risk governance framework.

  • Governance and the entire risk process should take an enterprise risk management perspective to ensure that the value of the entire enterprise is maximized.

  • Risk tolerance, a key element of good risk governance, delineates which risks are acceptable, which are unacceptable, and how much risk the overall organization can be exposed to.

  • Risk budgeting is any means of allocating investments or assets by their risk characteristics.

  • Financial risks are those that arise from activity in the financial markets.

  • Non-financial risks arise from actions within an organization or from external origins, such as the environment, the community, regulators, politicians, suppliers, and customers.

  • Financial risks consist of market risk, credit risk, and liquidity risk.

  • Market risk arises from movements in stock prices, interest rates, exchange rates, and commodity prices.

  • Credit risk is the risk that a counterparty will not pay an amount owed.

  • Liquidity risk is the risk that, as a result of degradation in market conditions or the lack of market participants, one will be unable to sell an asset without lowering the price to less than the fundamental value.

  • Non-financial risks consist of a variety of risks, including settlement risk, legal risk, regulatory risk, accounting risk, tax risk, model risk, tail risk, and operational risk.

  • Operational risk is the risk that arises either from within the operations of an organization or from external events that are beyond the control of the organization but affect its operations. Operational risk can be caused by employees, the weather and natural disasters, vulnerabilities of IT systems, or terrorism.

  • Solvency risk is the risk that the organization does not survive or succeed because it runs out of cash to meet its financial obligations.

  • Individuals face many of the same organizational risks outlined here but also face health risk, mortality or longevity risk, and property and casualty risk.

  • Risks are not necessarily independent because many risks arise as a result of other risks; risk interactions can be extremely non-linear and harmful.

  • Risk drivers are the fundamental global and domestic macroeconomic and industry factors that create risk.

  • Common measures of risk include standard deviation or volatility; asset-specific measures, such as beta or duration; derivative measures, such as delta, gamma, vega, and rho; and tail measures, such as value at risk, CVaR, and expected loss given default.

  • Risk can be modified by prevention and avoidance, risk transfer (insurance), or risk shifting (derivatives).

  • Risk can be mitigated internally through self-insurance or diversification.

  • The primary determinants of which method is best for modifying risk are the benefits weighed against the costs, with consideration for the overall final risk profile and adherence to risk governance objectives.
