Risk-based thinking (RBT) should be an ongoing process; it cannot be done once a year and considered effective. The best way to apply it is through the PDCA cycle.
First, define the scope of RBT. Based on clauses 4.4.1 f), 5.1.2 b) and 6.1 of ISO 9001:2015, I recommend determining risks around processes and around products and services.
As for the methodology for treating risks and opportunities, many methodologies are available and no single one will fit all organizations. My advice is to do a little research and select a methodology according to the criteria you find appropriate.
Then determine the risks and opportunities. Although not mandatory, I recommend using a register to record them.
The next step is, of course, to conduct the risk evaluation. The best way is to involve the relevant people from your organization and gather the most relevant information and data needed for the evaluation. I use and recommend a simple approach like the one embodied in the following matrix:
For opportunities think advantage instead of severity.
Once you have identified unacceptable risks, you need to create a plan to mitigate them. This can be done in the same way you performed preventive actions.
Finally, you need to follow up to determine whether the risk mitigation actions were effective and whether the risk assessment methodology or scope should be altered. If further action is needed, initiate corrective actions.
Treat non-conformities, complaints, product returns and lost customers as signs, as warnings that the risk assessment or the risk evaluation needs to be updated. Are they signaling that changes must be made?