Key components of ERM
The ERM Integrated Framework published by the Committee of Sponsoring Organizations (COSO) identifies these key components:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
There is no one-size-fits-all risk management program. The COSO components are encompassed in the following common fundamentals:
1. Internal environment and objective setting: An informed board must guide the bank’s strategic direction, which is established in writing. Capable management and competent personnel, driven by integrity and ethical values, are critical to carrying out the board’s strategic plan.
2. Risk identification: Strategic risk includes the misalignment of strategic plans (e.g. business and technology). Board-approved policies address identified risks, set standards to achieve specific objectives within defined risk parameters and are periodically updated when tolerances change. Key policies are written and communicated throughout the organization.
3. Risk measurement: Quantity of risk measures the nature, complexity and volume as low, moderate or high. Quality of risk management measures the strength of processes and controls as strong, acceptable or weak. Aggregate level of risk balances the quantity with the quality as low, moderate or high. Direction of risk indicates the likelihood of change to the risk profile as increasing, stable or decreasing.
4. Risk control: Control systems are tools and information systems that management uses to measure performance, make decisions, gauge existing processes and incorporate checks and balances. Feedback devices such as detailed management reports (usually system-derived) must be timely, accurate and informative.
5. Risk monitoring: Well-designed monitoring systems (internal audit, loan review, variance analysis, key ratios) appropriately address the changing risk profile of the bank. They enable the board to consider whether management is operating within established risk limits.
Documenting ERM
The ERM process may be documented by:
1. Verifying your bank’s strategic goals and assessing strategic risks.
2. Analyzing each business unit: branch operations, lending, deposit operations, accounting and financial reporting, marketing and human resources.
3. Identifying the applicable risks in each unit (e.g. credit risk applies to lending activities and Automated Clearing House activities in deposit operations).
4. Identifying the controls mitigating risk in each unit (e.g. policies, procedures, independent review, management analyses and monitoring).
5. Identifying the reporting processes, internal and external.
6. Measuring the quantity, quality, aggregate risk and direction of risk.
7. Consolidating the entity-wide risk assessment by business unit.
For a small bank, the process may be accomplished internally by designated bank personnel or relatively inexpensively by outside consultants.