When working with an organization to implement a quality management system according to ISO 9001:2015 I consider three main sources for risk determination.
(4.4 f)) - Risks related to processes.
For example: What can go wrong in the process above that make’s bad parts and bad packages? What opportunities are there for improving productivity or reducing cycle time?
(5.1.2 b)) – Risks related to products and services. What can go wrong with products and services when used by customers?
(6.1.1) – Risks related to clauses 4.1 and 4.2. For example, the government can publish legislation that works as a barrier to competitors and makes our organization win market share. For example, technological evolution can make our production process obsolete.