ESMA's 2026 Risk Management CSA: The Bigger Supervisory Pattern for AIFMs and UCITS ManCos

ESMA's 2026 Risk Management CSA: The Bigger Supervisory Pattern for AIFMs and UCITS ManCos

ESMA's latest Common Supervisory Action is about the risk management function of UCITS management companies and AIFMs. The exercise was announced on 3 July 2026, will run throughout 2026 and 2027, and is expected to result in a final ESMA report in 2028.

The announcement matters in its own right. But it matters more when placed next to the CSAs that came before it.

Since 2020, ESMA has used CSAs to examine liquidity risk management, costs and fees, valuation, sustainability risks and disclosures, compliance and internal audit, and now risk management. That sequence tells us something important. ESMA is not only looking at individual regulatory topics. It is gradually testing the governance and control framework behind fund management.

For UCITS management companies and AIFMs, the practical question is simple: if the regulator asked tomorrow how the risk management function operates, challenges the business and reports to the board, would the evidence be ready?

1. What a Common Supervisory Action is, and is not

A CSA is a coordinated supervisory exercise. ESMA develops a common assessment framework that sets out the scope, methodology, supervisory expectations and timeline. NCAs then apply that framework to fund managers in their own jurisdictions, which may involve questionnaires, document reviews, supervisory meetings or deeper inspections for selected firms.

The important thing to understand is that a CSA is not itself an enforcement action. It is closer to a market-wide stocktake. Because regulators are working to the same framework at the same time, ESMA ends up with a comparable picture across the EU and EEA. It then publishes findings, usually including an annex of good and poor practices, and NCAs follow up bilaterally with the entities where they found weaknesses.

For a fund manager, the output of that process is effectively a benchmark. When ESMA describes good and poor practices, it is telling the whole market what supervisory expectations look like in concrete terms. Reading those annexes against your own arrangements is one of the cheapest forms of inspection preparation available.

2. The CSA timeline since 2020

Since 2020, ESMA has run a series of CSAs on the asset management sector. Placed in order, the topics show ESMA working through the fund manager's control framework rather than picking unrelated subjects.

2020 — UCITS liquidity risk management. Launched on 30 January 2020, with results published on 24 March 2021. NCAs assessed whether UCITS managers complied with their liquidity risk management obligations. Compliance was broadly satisfactory, but the exercise flagged shortcomings in documentation, pre-investment liquidity analysis, and the strength of second and third line controls.

2021 — Costs and fees of UCITS. Launched on 6 January 2021, with the final report published on 31 May 2022. The CSA assessed compliance with cost-related provisions and the obligation not to charge investors undue costs, and also covered efficient portfolio management techniques. It later fed into ESMA's Opinion on undue costs of 17 May 2023, which proposed legislative clarification of the notion of undue costs under both the UCITS Directive and the AIFMD.

2022 — Valuation of UCITS and open-ended AIFs. Launched on 20 January 2022, with a final report on 24 May 2023. This exercise focused on the valuation of less liquid assets, the functional independence of the valuation function, the robustness of valuation methodologies, and the management of conflicts of interest where valuation tasks were delegated.

2023–2024 — Sustainability risks and disclosures. Launched on 6 July 2023 and conducted across 2023 and 2024, with a final report on 30 June 2025. NCAs assessed compliance with the Sustainable Finance Disclosure Regulation, the Taxonomy Regulation and the relevant UCITS and AIFMD implementing measures, with particular attention to greenwashing risk and the consistency between sustainability disclosures, risk integration and actual investment strategy.

2025 — Compliance and internal audit functions. Launched on 14 February 2025, with a final report on 11 May 2026. Most managers met core requirements, but the review identified governance weaknesses around the independence of control functions, the quality and implementation of internal policies, and senior management and board oversight. It also exposed divergent national practices on when third-party arrangements amount to delegation.

2026–2027 — Risk management function. Launched on 3 July 2026, running throughout 2026 and 2027, with a final report expected in 2028. This is the exercise ESMA has just announced.

Seen individually, these are six separate topics. Seen together, they trace a path through the fund manager's control framework: liquidity, costs, valuation, sustainability disclosure, the compliance and internal audit functions, and now risk management. This is where the 2026 CSA becomes more than a narrow review of one function. It is the latest stage in a longer supervisory look at how fund managers are actually governed and controlled.

3. What the risk management CSA will assess

According to ESMA, the objective is to assess how market participants comply with key risk-related provisions under the UCITS and AIFMD frameworks, with a focus on the effectiveness, independence and expertise of the risk management function. NCAs will concentrate on three areas.

Governance and organisation of the risk management function. This goes to how the function is positioned within the firm, whether it is genuinely independent of portfolio management, and whether it has the authority and expertise to do its job. Independence that exists on an organisation chart but not in daily practice is a familiar supervisory concern, and it surfaced in both the valuation CSA and the compliance and internal audit CSA.

Identification, measurement and monitoring of risks. ESMA references market, credit, liquidity, counterparty and operational risks. The supervisory question is not whether a firm has a risk policy. It is whether the firm can show that material risks are actually identified, measured with appropriate methodologies, and monitored on an ongoing basis.

Reporting to senior management and governing bodies. This is the escalation and oversight dimension. In supervisory reviews of control functions, reporting is often where weaknesses become visible: reports may be too generic, too infrequent, or not sufficiently connected to board-level challenge and decision-making. The risk management CSA will test whether the function's output genuinely informs decisions at the top of the firm.

The real issue is not whether the policy exists. It is whether the firm can evidence how the function works: what it looked at, what it flagged, and what happened next. Each of the three focus areas above is, in effect, a test of that evidence.

4. Preparing for the review

The final report is not due until 2028, but NCAs will be issuing questionnaires and, for selected entities, conducting deeper reviews across 2026 and 2027. The time to prepare is now, not when the results are published. For firms, this points to a set of concrete checks across the same ground the CSA will cover.

On independence and authority, be ready to show where the head of risk management sits, who they report to, and how their remuneration is set, so that independence from portfolio management is real rather than presentational. Be clear about escalation: who the function escalates to, how quickly, and what the reporting lines to senior management and the board actually look like in practice. Where the same people wear more than one hat, whether through dual-hatting or reliance on group functions, be able to explain how the resulting conflicts are identified and managed.

On the substance of risk work, the risk management policy should be current and specific to the firm, not a generic template. Behind it, there should be an evidence trail: how each material risk is identified, the data and systems used, the limits, thresholds and methodologies applied, and the monitoring that is actually performed rather than merely described. The gap between a policy that reads well and a function that can prove what it did is exactly where earlier CSAs found problems.

On reporting and follow-through, look at what the function puts in front of senior management and the board, and whether that reporting is clear enough to support oversight. Just as important is the trail that shows issues were challenged, escalated, acted on and followed up, rather than noted and left. A supervisor reviewing the function will be looking for that loop to close.

The 2025 compliance and internal audit CSA is a useful companion here. Its published good and poor practices give a concrete sense of how NCAs distinguish an effective control function from a nominal one, and the same distinctions are likely to shape how the risk management function is assessed.

5. Why the pattern matters

ESMA's 2026–2027 CSA on the risk management function should not be treated as a standalone supervisory exercise. It is the latest step in a sequence of coordinated reviews that have gradually moved through the main control areas of fund management.

For UCITS management companies and AIFMs, the point is not only to have a risk management framework. The point is to show that the function has independence, expertise, authority and a clear evidence trail.

The firms that will be best placed are not necessarily those with the longest policy. They will be the firms that can show what risk management monitored, what it challenged, what it escalated, and how senior management or the board responded.

The final ESMA report is expected in 2028. The supervisory questions will arrive much earlier.

Know what supervisors are looking for. Our seminars translate supervisory frameworks like the ESMA CSA programme into practical, inspection-ready controls for compliance, risk and internal audit teams.

Explore seminars at cpds.academy

Sources

ESMA, press release: ESMA launches Common Supervisory Action with NCAs on the risk management function (3 July 2026). ESMA, Common Supervisory Action on UCITS liquidity risk management: launch 30 January 2020; results 24 March 2021. ESMA, Common Supervisory Action on the supervision of costs and fees of UCITS: launch 6 January 2021; final report 31 May 2022; Opinion on undue costs of UCITS and AIFs 17 May 2023. ESMA, Common Supervisory Action on valuation of UCITS and open-ended AIFs: launch 20 January 2022; final report 24 May 2023. ESMA, Common Supervisory Action on sustainability risks and disclosures: launch 6 July 2023; final report 30 June 2025. ESMA, Common Supervisory Action on compliance and internal audit functions of fund managers: launch 14 February 2025; final report 11 May 2026. Legal frameworks: Directive 2009/65/EC (UCITS) and Directive 2011/61/EU (AIFMD),with their relevant implementing measures.

Nikolas Demetriades

Article by Nikolas Demetriades

Published 09 Jul 2026