Management should implement a business risk management process to assess all the non - investment risks associated with the business, although the degree of formality of this process will vary widely dependent upon the regulatory environment and the size and complexity of the business.

The business risk management process may, for example, range from an informal process conducted at management meetings to, in the case of a larger firm, a formal, rigorous and fully documented process. The risk management process would typically encompass:
 

1. the identification of the key risks facing the business, across all areas, including risks such as reliance on key clients or investors, reliance on key staff and access to sufficient capital. The risk analysis should also consider “what if” scenarios for the business and management should anticipate how they might react. A formal risk assessment of the business should be carried out no less frequently than on an annual basis and should be approved by senior management. This process should be documented (whether formally or informally). In some jurisdictions, regulators require this risk assessment to be completed and for the Hedge Fund manager formally to consider the regulatory capital implications of the risks that are being taken;
2. the implementation of controls to mitigate those risks. For each risk, management should determine whether to accept the risk and mitigate it through controls or to avoid it. Controls should be embedded in normal business processes;
3. the design of a monitoring process to ensure effectiveness of those controls. Management should ensure that any internal or external monitoring exercise includes a review of the key risks;
4. reporting on both the effectiveness of controls and the changing risk profile of the business; and
5. effective controls to ensure that any significant weaknesses are reported to senior management as soon as they are detected.