You can start by determining environmental aspects, determining how an organization interacts with the environment. For example:
Determining risks and opportunities of an organization, according to ISO 14001:2015, is based on its environmental aspects, compliance obligations, and context and interested parties.
For example, concerning environmental aspects we can have:
Since organizations have to consider the lifecycle of their products and services, do not forget to consider risks and opportunities around your products and services during use or final disposal.
For example, consumers may not follow your instructions about disposal.
Please check the risk definition (3.2.10) in ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations, like startup and closing down operations, but also abnormal and emergency situations. Whenever there is uncertainty, there are risks or opportunities: there is a potential deviation from the expected.
About determining risks based on environmental aspects and compliance obligations, I see that different organizations follow different approaches:
1. There are organizations that determine their environmental aspects and use a risk and opportunities assessment to determine their significant environmental aspects. (Please see the end of the second paragraph of Annex A.6.1.1 of ISO 14001:2015)
2. There are organizations that determine their environmental aspects, evaluate them and determine the significant ones, and use a risk and opportunities assessment to determine which ones need an action plan and which ones need only to be monitored.
3. There are organizations that only apply the risk-based approach to the context part. In a certain way, they are following the same approach as 1 without explicitly mentioning it.
Please check this information below with more detailed answers: