For our RDC risk assessment we started with identifying the risks: reputation, operation, financial, etc. etc. etc. Most of that should be boilerplate to a majority of your products and services.
For the actual product we broke it down by the most significant regs or issues... so GLBA, a little BSA and a lot of FRAUD...
From there you just need to think of the entire workflow for RDC... customer gets a check, customer opens software program, customer activates hardware, customer scans check, customer transmits data, software processes data, bank receives data, customer stores captured check, check gets cleared through process.
Once you get your workflow down you theorize ways for someone to come in and steal info (GLBA), launder money (BSA), or defraud people (Fraud)... make a quick list of all the ways and then what your system does to stop them. If the system can't stop them, what you do to detect them... if the system can't stop them and you can't detect them you have found your weak link... How do you combine other mitigation to shore up this weak link... if you can't shore it up, note that it is a vulnerability to you, make your risk assessment honest, get it signed off above your pay grade and your assessment is done.
I will share mine after I redact the detailed information; send me a PM with your e-mail.
In life, there is a lot less that could get better and a lot more that could get worse.
MBA Fin/MBS HR
My views only!