I've taken into consideration all of the things you have listed above in my risk assessment. The way it is designed, ratings of 1 and 2 (low) are audited every three years, 3's (moderate) are audited every two years, and ratings of 4 and 5 (high) are audited every year. Management questioned the number of 4's and 5's we have and assumed that it meant we weren't doing enough to mitigate those areas down to moderate or low. Obviously some areas require an annual audit, and others deserve frequent reviews because of examiner scrutiny, fines and penalties, reg changes, and/or prior audit findings. I explained to management that we could have very strong internal controls, but the risk rating could still be high due to the nature of the regulation. I explained that a 5 rating doesn't necessarily mean that we are likely to have problems, but that if we do, the consequences are so severe that they could cripple the bank. Their suggestion was that I detail for each rating, 1 through 5, exactly what each means. I'm looking for that language.
Don't make me say, "I told you so!" Sincerely, your friendly Compliance Officer.