Risk based approach

Answer:

1. For example, in a Test Lab setting or in an Inspection Certification Body I would act in the same way:
a) what are the overall results that you intended to meet with your QMS in those settings?
b) did you map the processes for each of those settings? For each process, what are the overall intended results? For each process, what is its purpose?
c) for each service provided by each setting, what are the performance objectives, the specifications?
Then, for those three kinds of expected results you can ask: what can go wrong? In what ways can those expected results not being met? Each of those ways of failure is a risk. That would be my starting point. I would improve this baseline assessment with iterations done after non-conformities and performance evaluation.
2. ISO 31000 is for doing more than what is requested by ISO 9001:2015. It gives guidance, for example, about possible types of actions concerning risk mitigation, risk avoidance and risk reduction.

Please see bellow some material with information about the risk-based approach:
- ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
- Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
- ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/