Here's something that might help both of you. This requirement likely springs from the FFIEC's IT Handbooks, specifically the Information Security handbook. Read through the booklet and you should get a better understanding of where they are coming from and how you can go about fulfilling their requirement of a risk assessment.
If your IT auditor and/or IT department have not seen these before, please share them; these booklets are a tremendous resource.