"We are trying to address a nonconformance on the subject item (10.2) and I'm not sure how to address it. The auditor was looking for evidence that we accessed the risks and opportunities with each corrective action. Is this right? Or can it be part of our annual context analysis and management review(s)?"
I have not seen the nonconformance. Looking into clause 10.2, I can guess what the intention of the auditor was. Please check the first part of clause 10.2, “When a nonconformity occurs”: it is about the occurrence of a nonconformity, not about corrective action. When a nonconformity occurs, your organization should update risks and opportunities determined during planning, if necessary. A nonconformity is the manifestation of a risk that actually happened. Was that risk initially determined? Was that risk correctly classified and evaluated? The nonconformity can be about something that you overlooked during the initial risk determination. Waiting for an annual revision exercise can be too late to act.
The following material will provide you with information about risks and opportunities: