Yes, we do utilize an enterprise-wide assessment approach. I started the risk management program for us, but when I assumed the audit function the financial analyst assumed the program. We are a community bank, so individuals wear multiple hats. The program was basic at first, reviewing the various areas/departments of the bank; now I am providing recommendations to the financial analyst on how to further develop the program to include ALCO, etc. From what I see through audit, management does a lot of risk management already, but it is not necessarily documented in the Risk Management Program.
Besides reviewing COSO information, there is a publication by the Senior Supervisors Group called the Self-Assessment Template, A Supplement to Risk Management Lessons from the Global Banking Crisis of 2008 dated October 21, 2009 that I would recommend reading. It contains many valid points to consider in a Risk Management Program including Governance. Good info!
By the way, for what it is worth, I did have an examiner ask me if I audited the Risk Management Program yet.
Opinions are mine.............