Donna, One thing to look at is your past internal/external audit reports as well as examinations. Where were the major deficiencies? Were they responded to in a timely manner? Any particular area that seems especially slow or reluctant to take corrective actions? I like to look at risk on the basis of where the institution has committed large amounts of resources (like dollar exposure, but also employees, and things of that nature). Also, the three components of risk (probability, severity, and frequency) can be explored as well. If you use the 9 areas of risk identified by the OCC, you could document your assessment with respect to those 9 areas.
Opinions expressed are my own and do not necessarily reflect those of my employer.
_________________________
Opinions expressed are solely my own.