This is what I did and the OCC approved it without question:
1. Listed all the audits performed at the institution.
2. Took all those classified as high risk areas by the OCC and labeled them as high risk. (BSA, etc.)
3. Looked at past audits of each area to determine where shortcomings seemed obvious.
4. Looked at relative risk in each of the areas audited in comparison to past performance.
5. Designated the areas as high, moderate or low risk based upon the combination of both internal weakness in the area and the possible penalties, reputational risk, etc. for poor performance.
6. Formatted the calendar based upon the assessment. (High risk, at least annual; moderate risk, at least every second year; low risk, at least every third year.) Note: frequency can also take into consideration the size of the bank and the number of staff performing the audits.
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.