What is the best time interval to assess/re-assess the risk and opportunity?
It is difficult to give a straight answer. That will depend on your organization’s context and interested parties. For example, in my country, last December a lot of organizations updated their risks and opportunities register. Then, February and March came, and coronavirus’s lockdowns freeze economies and outdated all those registers.
So, set a frequency that could match your context and interested parties. For example, technological organizations working at the edge, may need to use shorter intervals. You can set a yearly deep assess/re-assess exercise followed my monthly or quarterly lighter exercises together with monitoring and analysis of performance.
Do I need to have operational and strategic risk and opportunity assessments separately?
Technical answer: No, you don’t. It is your organization’s call.
Experience-based answer: It is better to separate strategic and operational risk and opportunity assessments. That way, participants could work at different abstraction levels without having to continuously change from one to another. Ideally, I recommend an iterative approach to avoid daydreaming and losing contact with the ground.
Start with strategic level
Use strategic level as an input to the operational level
Use the operational level as an input to fine tune the strategic level
Perhaps the following information about risk and ISO 9001 could be useful for you: