ISO 9001:2015 Risk-based Thinking (A.4)

First, ISO 9001:2015 has no mandatory requirements concerning risks and opportunities – please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ . So, whatever the method used by your organization to document your risk assessment is valid if it suits your needs. Having said that, beware that a risk is not necessarily a nonconformity. Following ISO 9001:2015, I recommend organization to determine risks and opportunities around three areas:

• Around the business, when considering clauses 4.1 and 4.2 according to clause 6.1 – please check slide about “Intended results” in our free webinar on demand - How to implement risk management in ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-implement-risk-management-in-iso-90012015-free-webinar-on-demand//
• Around products and services, when considering clause 5.1.2 b) - please check slide about “Products and services” in the same free webinar on demand
• Around processes, when considering clause 4.4.1 f) - - please check slide about “Processes” in the same free webinar on demand 

A common way to document the risk assessment is to use a Risk Register – please check the sample from our Documentation Toolkit - ISO 9001 document template - Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/

I take the liberty of recommending my book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ - with a strong focus on the risk-based thinking.