What areas require Risk Assessment ?

IMO, from an audit standpoint, you should be performing a risk assessment on all areas in which you audit. I attended the ICBA Audit Institute and they had a great example of one.

I agree with JM, and it should be updated as risks change.

I would agree but take it a little bit further. All areas of the bank should be included in your risk assessment including areas you don't audit. These areas may not be audited due to the fact that you consider it such a low risk but you should be able to define that through your risk assessment for the examiner purpose. Also, you would want to include in your risk assessment any areas that are audited by outside firms. Also I perform a separate I/T Risk assessment that is principally built around the FFIEC Examination booklets.

All areas. I am with litmachoq.

And do not drive yourself crazy with the "All Areas" risk assessment. Develop a RA committee made up from a qualified representative from each area and assign the risk assessment task to them and their department. Give them a uniform risk assessment matrix to work from and a reasonable amount of time to complete the assessment and to submit it to you for your review and to make suggestions. And do not forget to make the risk assessment part of your annual review for changes and updates and have it voted and accepted by your board.