Your risk assessment should help you determine how much risk your bank has overall. From there, develop a plan on how you want to risk rate your customers. I prefer to not individually risk rate consumers - when I was at an FDIC bank, my policy stated that all consumer accounts used for household purposes are automatically rated low. Low risk accounts were reviewed with regular monitoring of cash & wire activity along with kiting report reviews, etc. (note this was a bank with a manual BSA process - just like my current OCC bank - however the OCC makes us risk rate consumer accounts, which is a whole separate topic and pet peeve of mine).
For business/commercial accounts, we have a risk rating form that has many questions about the type of business, types of products or services they offer, types of wire activity, what kinds of deposits will be coming in, PayPal, Square, merchant, etc., so that we know what to expect. Enhanced due diligence is done on anyone that comes out high risk from that sheet or is automatically higher risk because they're an MSB, own an ATM, etc.
Really, your program for risk rating (customer due diligence) should be based on the exam manual - look at page 56:
The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The objective of CDD should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These processes assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Processes should also include enhanced CDD for higher-risk customers and ongoing due diligence of the customer base.
Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity. An illustration of this concept is provided in Appendix K (“Customer Risk versus Due Diligence and Suspicious Activity Monitoring”).
I sent you a PM on your other post - I'd be happy to talk to you about this too.