StratiFi Blog — Insights for RIAs and Broker-Dealers

Portfolio Concentration Risk: A Practical Guide for RIAs

Written by Akhil Lodha | 5/29/26 5:39 AM

Every RIA carries a few client portfolios that should keep the CCO up at night. The founder who will not sell the employer stock that funded the firm. The household that rode one semiconductor name from 4% of the portfolio to 22% without a single trade. The legacy position with an unrealized gain so large that trimming it feels like a tax event nobody wants to own. Portfolio concentration risk is the quiet exposure that sits inside a book that otherwise looks diversified — and it is the kind of risk an examiner can find faster than the firm can explain it.

This guide is written for the Chief Compliance Officer and risk lead at a mid-market RIA or broker-dealer — the person who has to show, at exam, that concentrated positions were identified, measured against a stated policy, and supervised over time. The framing reflects the SEC Division of Examinations' 2026 priorities, where the accuracy of disclosures and the supervision of client-specific strategies remain central to how registrants are tested.

TL;DR: Portfolio concentration risk is the chance that a single security, sector, factor, or counterparty drives an outsized share of a portfolio's outcome. For an RIA, it is both an investment problem and a supervision problem: the firm has to set concentration limits in the investment policy statement, measure real exposure against those limits across every household, and keep a defensible record of the breaches it found and what it did about them. Most firms set the policy and never measure against it again — which is exactly the gap a continuous monitoring layer is built to close.

What portfolio concentration risk actually is

Portfolio concentration risk is the exposure created when a single position, sector, factor, or counterparty controls a disproportionate share of a portfolio's return and drawdown. A diversified-looking allocation can still be concentrated once you measure the underlying drivers.

Concentration is not just "one big stock." It shows up in four layers, and a portfolio can pass the first test while failing the others:

  • Single-security concentration — one ticker is an outsized share of the portfolio (the classic 10%-plus position).
  • Sector and industry concentration — five technology names that each look modest but sum to 40% of equity exposure. This is the layer the disclosed-policy enforcement cases tend to turn on.
  • Factor and correlation concentration — different tickers that move together because they share a factor (rate sensitivity, the same growth driver, the same supply chain).
  • Issuer and counterparty concentration — fixed income from one issuer, structured products from one bank, or alternatives tied to one sponsor.

A portfolio with 35 holdings can look diversified on a position-count basis and still be dangerously concentrated on a factor basis. That distinction is why risk tolerance conversations that stop at "how many stocks do you own" miss the actual exposure. The risk a client signed up for and the risk they hold can diverge silently as markets move — the same way a portfolio drifts away from its target allocation.

Why concentration risk is a compliance problem, not just an investment one

Concentration becomes a compliance problem the moment the firm states a limit and stops measuring against it. A breached policy the firm never detected is worse evidence at exam than no policy at all.

Under Rule 206(4)-7 of the Investment Advisers Act, every registered firm must adopt and implement written policies reasonably designed to prevent violations of the Act, reviewed at least annually. When a firm's investment policy statement sets a concentration cap — say, no single position above 10%, no single sector above 25% — that cap is a written policy. The implementation question an examiner asks is simple: show me you measured against it.

The enforcement record makes the stakes concrete. In March 2025, the SEC charged Upright Financial Corporation and its principal in connection with the Upright Growth Fund breaching its disclosed 25% industry-concentration policy across multiple years. The case was not about a bad investment thesis. It was about a stated limit that was not supervised — a disclosure that said one thing while the portfolio did another, year after year, with no documented detection or correction.

That is the pattern that should worry a CCO: the breach is not the failure the SEC penalizes hardest. The failure is the absence of a supervision record showing the firm caught the breach and acted. A concentration limit you cannot prove you monitored is a liability you put in writing yourself.

The diagnostic question

When an examiner pulls a concentrated client file, is the concentration limit documented in the policy, the breach history visible, and the supervision action attached — or is the rationale living in an advisor's memory?

The SEC's 2026 exam lens on concentration and disclosure accuracy

The 2026 Examination Priorities, released November 17, 2025, keep the focus on whether a firm's actual conduct matches its disclosures and whether advice is consistent with each client's stated objectives. Concentration sits squarely inside that lens. If the Form ADV and the IPS describe a diversified, risk-managed process, the portfolios have to be reconcilable with that description.

Two durable themes from the priorities apply directly:

  1. Disclosure accuracy. The firm's stated approach to concentration and risk management has to match what the books show. A Form ADV that promises active risk oversight is a representation examiners can test against the portfolios.
  2. Suitability and best interest. For accounts held to a best-interest or fiduciary standard, a concentrated position that is wrong for the client's suitability profile is a finding waiting to happen. Under Regulation Best Interest, the recommendation to hold a concentrated legacy position is still a recommendation the firm has to be able to defend.

For the full picture of what examiners are testing this cycle, see our breakdown of the SEC exam priorities for 2026. None of this requires the firm to force every client out of a concentrated position. It requires the firm to identify the concentration, document the client-specific rationale for holding it, and supervise it on an ongoing basis. The fiduciary obligation is to manage the conflict between the client's attachment to a position and their actual risk capacity — not to pretend the position is not there.

How to measure portfolio concentration risk you can defend

Defensible concentration measurement goes past position weight to factor exposure, correlation, and stress behavior — and it runs on every household, not a sampled few. A measure you compute once a year for your largest accounts is not supervision.

Position weight is the starting point, not the answer. A measurement approach a CCO can stand behind covers five dimensions:

| Measure | What it catches | What it misses on its own |
|---|---|---|
| Single-position weight (% of portfolio) | The obvious 10%-plus single name | Sector clusters built from individually modest positions |
| Sector and industry weight | The 40%-technology book that holds no single large name | Cross-sector exposure to a shared factor (rates, growth) |
| Factor and correlation exposure | Holdings that move together despite different tickers | Tail behavior when correlations spike in a drawdown |
| Stress and scenario loss | How the concentrated portfolio behaves in a specific shock | The client's capacity to absorb that loss |
| Risk capacity reconciliation | Whether the client can afford the concentrated drawdown, not just tolerate it | Nothing — this is the layer that turns measurement into a suitability judgment |

The distinction that matters here is between the willingness to bear risk and the ability to bear it. The SEC's own investor guidance on asset allocation and diversification frames concentration as the central reason diversification exists — spreading exposure so that no single holding can sink the portfolio. Concentration measurement that ignores risk capacity — the client's actual financial ability to absorb a concentrated loss — produces a number without a judgment. Vanilla risk-number tools that score only standard holdings cannot measure concentration accurately once a portfolio holds alternatives, structured products, or options, where the concentrated exposure is not visible from the position list alone. For the deeper risk-analytics view, see our guide to investment risk analytics software for RIAs.

Concentration by security type: where the position list lies

Some securities carry concentrated risk that a position-weight scan never sees. Alternatives, leveraged funds, inverse ETFs, and crypto funds each pack outsized — and sometimes hidden — exposure into a single line item, which is why concentration risk has to be measured by what a holding does, not just how much of it the client owns.

The four-layer model — single name, sector, factor, issuer — assumes each holding behaves like a normal long equity position. A growing share of RIA books no longer does. A 5% line item in a leveraged fund does not carry 5% of risk, and a "diversified" 4% allocation to a single crypto vehicle can move the whole portfolio on a quiet day. When an examiner reconciles the portfolio to the firm's stated risk process, these are the positions where the disclosure and the reality drift apart fastest. Each one concentrates risk in a different way:

  • Alternatives. Private credit, hedge funds, interval funds, and non-traded vehicles concentrate three ways at once: by sponsor (one manager runs the strategy, the operations, and the valuation), by illiquidity (the client cannot trim the position in a drawdown even when they want to), and by hidden factor (a "diversifying" alt may hold the same rate or credit exposure the rest of the book already carries). A 6% allocation that cannot be sold for a quarter is a different risk than a 6% allocation in a liquid ETF, and a position-weight report treats them identically. The valuation lag also masks correlation — an alt that prices monthly looks uncorrelated to public markets right up until it reprices. See our glossary entry on private credit for how one common alt category behaves under stress.
  • Leveraged funds. A leveraged ETF targets a daily multiple — 2x or 3x — of an index's return, which means its effective exposure is two or three times its position weight. A 4% sleeve in a 3x fund carries the directional risk of a 12% unlevered position, and daily rebalancing causes the fund to decay away from the multiple over longer holds. A concentration scan that reads the 4% weight understates the real exposure by a factor of three. Cluster two or three leveraged sleeves in the same direction and the portfolio is concentrated on a single factor at far higher intensity than the position list suggests.
  • Inverse ETFs. Inverse and inverse-leveraged ETFs deliver the opposite of an index's daily move and reset every day. Over any holding period longer than a day, path dependency means the return diverges — often sharply — from the simple inverse of the index. A position meant to hedge concentration can quietly become its own concentrated, decaying bet. Examiners and FINRA have flagged these products specifically because the holding period mismatch makes them unsuitable for the buy-and-hold use many advisors default to.
  • Crypto funds. Spot and futures-based crypto funds add an asset class with extreme single-asset volatility, frequent portfolio drift from its target weight, and correlation that spikes toward 1.0 across crypto holdings in a sell-off. A 3% target allocation can run to 7% in a rally and back to 2% in a drawdown within a single quarter, breaching a stated cap between manual reviews. Two different crypto funds are not diversification — they are usually the same factor twice.

The common thread: in each case the concentrated exposure is a property of what the security does, not of how large the position appears. FINRA's guidance on leveraged and inverse exchange-traded products makes the same point about holding-period risk that a static weight report cannot capture. This is precisely the gap RiskIQ, powered by PRISM, is built to close: it scores leverage, options, and alternative exposures by their actual risk contribution and stress-tests the portfolio under a shock, so a 4% leveraged sleeve or an illiquid alt shows up at the risk it carries, not the weight it shows — and a supervisor can see the concentrated drawdown a position-weight report would hide.

StratiFi turns "these security types are risky" into something a firm can actually supervise. Inside StratiFi you set a concentration limit not only per single security but per security type — high-yield (junk) bonds, crypto funds, leveraged and inverse ETFs, alternatives — and the platform raises a customizable alert the moment a position or a whole category breaches the limit you set. The 4% crypto sleeve that rallies past your stated cap, or the leveraged and inverse exposure that quietly clusters in one direction, surfaces as a flagged breach instead of waiting for the next manual review. The limit lives as a rule the platform enforces continuously, not a line in a policy document nobody re-checks.

Setting concentration limits in the IPS that hold up at exam

A concentration limit is only as good as the policy that records it and the supervision that enforces it. Limits that survive an exam share four traits:

  1. Specific thresholds. "Diversified portfolio" is not a policy. "No single equity position above 10% of the account; no single GICS sector above 25%; legacy concentrated positions documented with a client-acknowledged exception" is.
  2. A documented exception path. Real books hold concentrated positions for real reasons — low-basis legacy stock, restricted shares, a client who refuses to sell. The policy should define how an exception is approved, documented, and re-reviewed, not pretend exceptions do not exist.
  3. A defined review cadence. The policy should state how often concentration is measured and what events force an off-cycle check (a position crossing a band, a large gift of appreciated stock, an inherited account).
  4. Reviewer attribution. Every concentration exception and every breach resolution should carry who reviewed it and when. That is what books and records under Rule 204-2 means in practice.

For the broader supervision structure these limits live inside, our guide to portfolio supervision and IPS intelligence, the RIA portfolio supervision rulebook for 206(4)-7 and FINRA 3110, and the framework for documenting IPS supervision under 206(4)-7 walk through how the policy, the measurement, and the evidence trail fit together.

The supervision workflow portfolio concentration risk demands

Supervising concentration is a four-stage loop — set the limit, measure exposure continuously, surface only material breaches, and attach the resolution as evidence. Break any stage and the firm has a policy it cannot defend.

1. Set the limit where the policy lives

Concentration caps belong in the IPS as client-specific commitments, not in a firm-wide manual nobody maps to individual accounts. The cap that matters at exam is the one tied to the household, with the client's acknowledged exception for any position held above it.

2. Measure exposure across the whole book continuously

Sampling does not survive an exam. The firm has to measure concentration — single-name, sector, factor, issuer — across every household on a regular cadence, not just the accounts that happen to come up in a review. This is where manual monitoring breaks past a few hundred households: a spreadsheet refreshed quarterly cannot see a position that crossed a band in week six.

3. Surface only the breaches that matter

An alert that fires on every position above 8% is the same as no alert — the CCO learns to ignore it. Useful supervision surfaces material breaches against the stated limit, with the underlying holdings and the policy band attached, so the reviewer sees the exposure and the rationale in one place.

4. Attach the resolution as evidence

When a breach is identified, the supervision record should capture what the firm did — trimmed the position, documented a client-acknowledged exception, or escalated it — with reviewer attribution and a timestamp. That record is the difference between "we monitor concentration" as a claim and as a defensible fact.

The gap between the two operating models is stark once you put them side by side:

| Supervision dimension | Quarterly manual review | Continuous monitoring |
|---|---|---|
| Coverage | Sampled or largest accounts | Every household, every cadence |
| Detection lag | Up to a full quarter — or until annual review | Days, as positions cross a band |
| What it catches | Single-name weight at a point in time | Single-name, sector, factor, and issuer concentration as it builds |
| Alert quality | None, or a static threshold report | Material breaches only, with holdings and policy band attached |
| Audit evidence | Reconstructed from spreadsheets and email before the exam | Attached at the moment of review — breach, resolution, reviewer, timestamp |

How StratiFi runs concentration risk as one supervised flow

The differentiator across StratiFi is that concentration risk is identified, measured, and supervised on one data lineage — advisor sales workflow into firm-level data extraction into compliance supervision — with no re-keying between systems. Three modules read from the same client record.

  • RiskIQ. StratiFi's risk-scoring product, powered by PRISM, measures concentration across not just vanilla securities but alternatives, complex products, and options — the exposures a single-number tool cannot see. It stress-tests the concentrated portfolio and separates risk capacity (what the client can afford to lose) from risk tolerance (what they are willing to lose), so a concentrated position is judged against the client's actual ability to absorb the drawdown.
  • OperationsIQ. Extracts the structured Suitability fields — Investment Objective, Risk Tolerance, Investment Experience, Asset Allocation, Restrictions, and Concentration Caps — from the firm-level paperwork the operations team already processes (IMAs, IAAs, new account applications, custodial paperwork, client update forms), so the concentration limit and the client's documented constraints live as queryable data, not in a PDF.
  • ComplianceIQ. This is where the firm sets the limits and the platform enforces them. You set a concentration limit per single security and per security type — high-yield (junk) bonds, crypto funds, leveraged and inverse ETFs, alternatives — and turn on customizable alerts that fire when a position or a category breaches the limit. ComplianceIQ then monitors every portfolio against those stated limits continuously, watches IPS drift bands so a position sliding away from its target allocation is flagged before it breaches, surfaces only material breaches, and attaches the evidence the examiner asks for — the policy band, the breaching holdings, the source-document citation, and reviewer attribution. The 206(4)-7 annual review runs against this evidence rather than a narrative reconstructed before the exam.

For a mid-market or enterprise firm scaling past a few hundred households, the value is that the concentration policy, the measurement, and the supervision record are the same connected system. Point tools that handle one slice leave the CCO reconciling a risk report, a spreadsheet of limits, and an email trail of exceptions. StratiFi removes that reconciliation by design.

The principle holds across the platform: human judgment amplified by institutional-grade intelligence. The decision to hold or trim a concentrated position stays with the advisor and the client; the platform makes that decision continuously measurable and defensible.

See concentration risk measured and supervised on one book

A 30-minute walkthrough on anonymized accounts. RiskIQ scores concentration across a portfolio that holds alternatives and options, OperationsIQ surfaces the documented limits from a sample IMA, and ComplianceIQ runs the breach report your CCO will start using on Monday.


A practical 90-day rollout for concentration supervision

Treating concentration monitoring as a someday project leaves the firm exposed in the meantime. A defensible sequence:

  1. Days 1-30. Integrate custody and CRM feeds and run a concentration scan across the entire book. The output is an inventory of every household above a single-name, sector, or issuer threshold — including the ones nobody flagged because no advisor traded into them.
  2. Days 31-60. Set or confirm the concentration limits in the IPS for the top quintile of households by AUM, document client-acknowledged exceptions for legacy positions, and turn on continuous monitoring for that cohort.
  3. Days 61-90. Bring the rest of the book under monitoring in weekly waves. By quarter end, the CCO can answer "show me every concentrated position, the policy it breaches, and how we supervised it" in under a minute, for any account.

Key takeaways

  • Portfolio concentration risk lives in four layers — single security, sector, factor, and issuer — and a portfolio can look diversified by holding count while being concentrated by factor.
  • Security type matters as much as weight: alternatives (sponsor and illiquidity risk), leveraged funds (2x-3x effective exposure), inverse ETFs (daily-reset path dependency), and crypto funds (volatility and drift) all concentrate risk that a position-weight scan understates or misses.
  • Concentration becomes a compliance problem the moment the firm states a limit in the IPS and stops measuring against it; the unsupervised breach is the finding, not the breach itself.
  • The March 2025 SEC charges against Upright Financial — a disclosed 25% industry-concentration policy breached over multiple years — are the textbook case of stated-limit-without-supervision.
  • Defensible measurement goes past position weight to sector, factor, stress, and risk-capacity reconciliation, run across every household rather than a sampled few.
  • StratiFi runs concentration risk on one data lineage — RiskIQ measures it (including alternatives and options), OperationsIQ structures the limits, ComplianceIQ supervises and evidences it.

Frequently asked questions

What is portfolio concentration risk?

Portfolio concentration risk is the exposure created when a single security, sector, factor, or counterparty controls a disproportionate share of a portfolio's return and potential loss. It is measured not only by position weight but by sector and industry clustering, correlation and factor overlap, issuer exposure, and how the concentrated portfolio behaves under stress relative to the client's capacity to absorb that loss.

What is an acceptable concentration limit for a client portfolio?

There is no SEC-mandated number; the limit is whatever the firm states in its policy and can defend. Common working thresholds are no single equity position above 10% of an account and no single sector above 20-25%, with a documented, client-acknowledged exception process for legacy or restricted positions held above the cap. What matters at exam is that the limit is written, measured against continuously, and supervised — not the specific percentage.

How does concentration risk create an SEC compliance issue?

Under Rule 206(4)-7, a concentration limit stated in the IPS or Form ADV is a written policy the firm must implement. If the portfolio breaches that limit and the firm has no record of detecting and addressing it, the gap is a supervision and disclosure failure. The March 2025 SEC action against Upright Financial — over a disclosed 25% industry-concentration policy breached across multiple years — illustrates that the unsupervised breach of a self-stated limit is the core exposure.

How is concentration risk different from a general lack of diversification?

Lack of diversification is the investment condition; concentration risk is the supervised exposure. A portfolio can hold many positions and still be concentrated on a shared factor or sector. From a compliance standpoint, the firm's obligation is not to eliminate every concentrated position but to identify it, reconcile it with the client's suitability profile and risk capacity, document the rationale, and supervise it over time.

Can software monitor concentration risk across an entire book of clients?

Yes. Continuous monitoring compares each portfolio against its stated concentration limits on a regular cadence and surfaces only material breaches — single-name, sector, factor, or issuer — with the breaching holdings and the policy band attached. This is what manual review cannot do reliably past a few hundred households, because a position can cross a limit between quarterly spreadsheet refreshes and go unnoticed until the annual review or the exam.

How do alternatives, leveraged funds, inverse ETFs, and crypto funds change concentration risk?

Each concentrates risk in a way a position-weight scan understates. Alternatives concentrate by sponsor, illiquidity, and hidden shared factors, with valuation lags that mask correlation. A leveraged ETF carries two or three times its position weight in effective exposure because it targets a daily multiple of an index. Inverse ETFs reset daily, so over any multi-day hold their return diverges from the simple inverse of the index. Crypto funds add extreme single-asset volatility and drift fast from a target weight, and multiple crypto holdings usually represent the same factor rather than diversification. Concentration therefore has to be measured by what a security does, not just how much of it the client holds.

How does StratiFi measure and supervise concentration risk?

In ComplianceIQ you set a concentration limit per single security and per security type — junk bonds, crypto funds, leveraged and inverse ETFs, alternatives — with customizable alerts that fire when a position or a category breaches the limit, and IPS drift bands that flag a position deviating from its target before it breaches. RiskIQ, powered by PRISM, measures concentration across vanilla securities, alternatives, complex products, and options, stress-tests the portfolio, and separates risk capacity from risk tolerance. OperationsIQ extracts the documented concentration limits and Suitability fields from firm-level paperwork into structured data. ComplianceIQ then monitors every portfolio against those limits continuously and attaches the 206(4)-7 evidence — policy band, breaching holdings, source-document citation, and reviewer attribution. All three share one data lineage.

How quickly can a firm stand up concentration supervision?

A workable rollout is 90 days: 30 days to integrate custody and CRM feeds and scan the whole book for existing concentrations; 30 days to set concentration limits in the IPS for the largest households, document exceptions, and turn on monitoring for that cohort; 30 days to bring the rest of the book under continuous monitoring and run the first quarterly breach report.

Talk to StratiFi about concentration supervision

A working session on your book. We will scan a sample of accounts for single-name, sector, and factor concentration, set a concentration limit per single security and per security type — junk bonds, crypto funds, leveraged and inverse ETFs, alternatives — with a customizable breach alert, and show what a 206(4)-7 review looks like when the limits, the breaches, and the evidence are already attached — RiskIQ measuring it, OperationsIQ structuring it, ComplianceIQ supervising it.
