The requirement for a BSA policy comes from your primary federal regulatory agency, not the BSA itself. Each agency has its own regulation, but they are substantially identical. Here's the relevant portion of the FDIC's reg:
(b) Compliance procedures--(1) Program requirement. Each bank shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR part 103. The compliance program shall be written, approved by the bank's board of directors, and noted in the minutes.
Logically, a lesser body cannot revise something a higher body has adopted; the board needs to approve all amendments. Technically there is no legal requirement to report the risk assessment, but it is your primary internal control so it should be reported to the entire board.
I've sat through my share of board meetings and never heard them discuss anything of more importance.