Enterprise Risk Management Program for Your Community Bank: Ten Tips to Get Started

As community banks continue to grow in size and complexity, one important consideration for the future is the implementation of an enterprise risk management (ERM) program. Building an efficient, effective risk management function is beneficial to achieve operational and strategic objectives, as well as to increase value and sustainability along with satisfying regulatory concerns.

In this article, we explore making the case for ERM implementation for growing community banks, as well as tips for getting started and tenets of a basic risk management function.

For small community banks engaged in limited or less inherently risky activities, risk management systems may be less formal in scope and structure. Such systems may still be expected to show evidence of policies, processes, personnel and control systems/management information systems (MIS), such as loan review, internal audits, quality assurance and compliance reviews. Governance and culture are paramount in establishing a foundation for the bank’s risk management roadmap, which should include risk identification and assessment, measurement, monitoring and reporting processes. Risk management must be independent of the business: examiners increasingly focus on potential segregation of duties issues within a bank’s organizational structure to ensure that audit and risk management maintain their independence with respect to oversight and monitoring.

Ten Tips to Consider When Establishing an ERM Program

Below are ten tips for banks to consider when deciding to establish an ERM program, including planning and applying a solid risk management function.

  1. Policies, procedures and standards governing the management of various classes of risks should be as concise as possible and easy to understand.
  2. Risk management policies, procedures and standards should be socialized and syndicated with representatives of the user community, which should be done prior to submitting a request for formal approval to the internal executive governance committees and the board or designated governance committee.
  3. Have all risk management policies, procedures and standards reviewed and approved by internal executive governance committees and the board on at least an annual basis. These reviews may occur after internal audit has reviewed and opined independently on the status of the documents.
  4. In all risk management policies, procedures and standards, a section should be devoted to a clear, concise summary of the roles, responsibilities, authorities and accountabilities that each of the institution’s constituent functions holds with respect to the topic the document governs.
  5. Roles, responsibilities, authorities and accountabilities should be developed using a defined nomenclature or taxonomy that provides clarity to differentiate between the management of risk, versus the oversight – including measurement and monitoring – of risk.
  6. The executive leadership team should be responsible for establishing and maintaining an effective system of controls, including the enforcement of official lines of authority and the appropriate segregation of duties.
  7. Banks should make certain their risk management programs are supported by clear, concise and efficient communication, education and training facilities to ease implementation, including leveraging existing infrastructures, such as intranet platforms, to carry out plans for implementation.
  8. Banks should have a board-approved risk appetite statement based on fundamental principles, including soundness, profitability and sustainable growth. The statement should also provide management with the following: defined strategic objectives, stakeholder requirements, risk management philosophy and risk capacity.
  9. Risk management communication, education and training should highlight lessons learned from internal and external industry events, including summaries of success stories and lessons learned to provide tangible examples for employees. The materials may contain guidance materials and reference tools to assist employees.
  10. Maintaining a proactive, transparent culture with respect to the management of risk can provide great value for banks; in particular, change management risks may need careful examination.

While each of these overarching themes is applicable at a certain high level, each bank may have a unique approach toward implementation that can vary according to the nature of the risk programs supported by the bank’s specific culture and operating style.

ERM and IMMR Methodology

Community banks should also make certain that their ERM system applies the standard identify, measure, mitigate and report (IMMR) methodology and approach.[1]

As smaller community banks consider ERM implementation, it is important to note that organically developing a risk management program around the risk culture and structure of your bank goes a long way toward meeting internal and external expectations. The key is to determine the degree of ERM maturity that is right for the bank and that reflects management’s view on what is critical to future success, managing risks and realizing the benefits.

For more information about ERM implementation for community banks, reach out to us at benchstrength@dhg.com.

About DHG Financial Services

DHG Financial Services professionals provide you with in-depth industry knowledge and a wide range of advisory, assurance and tax services to address issues facing your industry in today’s challenging environment. For more information, visit dhg.com/financial-services.

[1] OCC Community Bank Supervision Comptroller’s Handbook (Version 1.0, June 2018).