I use 9 categories and assign point values to each audit area and auditable unit that I have determined to be worthy of auditing. The categories I use are Human Resource Risk, Reputation Risk, Regulatory/Legal Risk, Regulatory Requirements, Audit/Exam findings and timing, regulatory changes and and any changes in products/services. I addup the scores from each category to come up with a total Risk score.
This risk assessment seems to work well within my organization, generating higher scores for the more risky areas/regulations and lower scores for the less "human" dependant ones.
[This message has been edited by JoAnne (edited 02-07-2001).]