First you need to identify the risks associated with the context of your organization. You can use a SWOT analysis to determine the risks and opportunities. You have to identify the risks related to the customer requirements, but also the additional risks associated with other requirements that have to be complied with, for instance risks coming from the regulatory environment, specific levels of toxic substances that cannot be exceeded, etc. Other examples of risks may include human capital risks, financing risks, IT risks, etc.
Once you have identified the risks, you will need to use certain criteria to determine their significance, for instance the likelihood (frequency) of each risk, its impact, etc. These criteria are not stated by ISO 9001:2015, so you can decide which criteria best fit your organization. Afterwards, you will have to carry out the necessary actions to eliminate or mitigate the risks according to their significance. Risks that are subject to laws and regulations will automatically be significant, and your company will need to take the necessary actions to mitigate them (i.e. fulfill the regulatory requirements). These actions may include HR training, new equipment, better facilities, work instructions, improvements to calibration procedures, etc. Once these actions have been implemented and have run for a certain amount of time, you will need to measure their effectiveness.
Basically these are the steps that you will need to follow: