Is there any information/documentation etc. out there that attests to how often CIP/BSA risk assessments must be updated?

No, but I would suggest annually would be sufficient. You would need to revisit your risk assessment before updating your BSA policy anyway and most banks (although not specifically required) have thier BSA Policy re-approved by the board on an annual basis even if there are no changes.

Should be whenever there are any significant changes to the bank's products, services, organization, etc but at least annually.

Thanks!

From the FFIEC BSA/AML Exam Manual...

"An effective BSA/AML compliance program controls risks associated with the bank’s products, services, customers, entities, and geographic locations; therefore, an effective risk assessment should be an ongoing process, not a one-time exercise. Management should update its risk assessment to identify changes in the bank’s risk profile, as necessary (e.g., when new products and services are introduced, existing products and services change, high-risk customers open and close accounts, or the bank expands through mergers and acquisitions). Even in the absence of such changes, it is a sound practice for banks to periodically reassess their BSA/AML risks at least every 12 to 18 months."

In addition to all the information provided on products, services, personnel, etc. in my bank's risk assessment, we also include volumes on CTR filings, SAR filings, Wire Transfer Activity, etc. for the prior calendar year. Therefore updating it at least annually is necessary for us to maintain consistency with the numbers and has always seemed logical.