Do risk assessments need to include administrative facilities, data centers, and cash vaults?

Yes. Risk assessments should extend beyond branches to include all facilities where sensitive assets or data are stored or processed — including headquarters, data centers, warehouse facilities, cash vaults, and currency counting rooms. The risk level assigned to each facility should drive the appropriate level of access control, video surveillance, and alarm protection.