There is a paragraph in the Secure development policy which states:
In addition to the risk assessment performed according to the Risk Assessment and Risk Treatment Methodology, Head of RD must perform the annual assessment of the following:
the risks related to unauthorized access to the development environment
the risks related to unauthorized changes to the development environment
technical vulnerabilities of the IT systems used in the organization
the risks a new technology might bring if used in the organization
the risk a new development methodology and/or programming language might bring if used in the organization
the risks related to licensing requirements
The question is, is this assessment to be done in the Risk Register or is it an additional document that needs to be drafted by the Head of R&D?
Thanks
Mar 17, 2025