Please note that ISO 27001 specifies that the CIA is related to risks (6.1.2 c 1), and to consequences (6.1.2 d 1), not to assets. Considering that, when using asset-based Risk Assessment, you need to consider the CIA on the asset-threat-vulnerability set, and to consequences related to it.
When you talk about a risk-based Risk Assessment approach, I'm assuming you are referring to the description of a risk scenario (scenario-based). In this case, the CIA must refer to the described scenario and related consequences, while that in a process-based Risk Assessment approach the CIA must refer to the defined process and related consequences.
For asset-based: paper document - fire - the document is not stored in a fire-proof cabinet (affects availability)
For scenario-based: Data leak with impact on regulatory compliance occurring once every five years (affects confidentiality)
For process-based: Payment process failure, resulting in people receiving wrong values (affects integrity)