First of all, the Board should not approve the risk assessment; it is provided to them for their information so that they can know what the organization's BSA and OFAC risks are. Insofar as to the level of detail, you can summarize when it is being presented but in my opinion the complete R/A should also be provided and be in the Board package.