I think Jen is saying that you already do it, but can you explain how to an auditor.
I'm not really into ISO 9001:2015 but when reading about this stuff when I did implementations the biggest part was usually explaining to someone in a company how they were already, in most things, doing what the standard required. I would say you are doing this and this is what the standard requires. We usually did a cross-matrix to the clause in the standard to their process(es) and procedures which fulfilled the requirement of the standard. Key was the person in the company who could speak with the auditor about the requirements of the standard.
I would do the same today - In the case of Risk Based Thinking I would have a list of things, such as aspects Jen mentioned in her post so that when the auditor wanted to discuss compliance, you can say "We do this, and we do this, and we do this".
I do feel that the 2015 version is - Well, Sidney has made quite a few posts in which he for all intents and purposes has said that this version is poorly written (to say the least). From what I have read I agree. Then again, it is being audited to and auditors are asking questions. Think about what questions auditors are asking.
If it was me, I'd do a lead auditor course (again). I did my first one in 1994. I think I did it again in 1998. I did an "update" again for the 2000 version and I did a "transition" course for the 2000 version. These are a few of them:
https://elsmar.com/Certificates-Marc_T_Smith/
It's a tough week, but part of what you learn is what questions to ask and expected/acceptable responses. Afterward, you should be able to come back and use that to audit your company. That, in turn, prepares you.
And of course the internet has expanded so much and these days there is so much written about things like RBT that there are a lot of discussions about it. I agree with Jennifer in that many people are overthinking it and making it seem more complex than it is.
As to
"So, my question is that, is it a requirement of ISO 9001 to do risk assessment on QMS processes?"
you are doing it is my bet. In some areas you're documenting risk analysis you do and in others it may not be documented, but you're doing it. Jen has started you out with a few examples. Now, make up a list of all the examples you can think of. If it was me I'd probably have a list of departments and processes and such, and list some of the things your company does in each. With that you will be ready to discuss with the auditor how you comply, the things you do. My bet is once you start listing things you do to address risk in various parts of the company's business systems, you'll see and be able to talk about what your company does to address risk.
Like I say - The internet is vast these days and there are tons of articles and such you can read to help you think about RBT and how it is being audited. An example:
http://rube.asq.org/audit/2015/01/a-risk-based-thinking-model-for-iso-9001-2015.pdf
and
https://www.qualitydigest.com/inside/risk-management-column/030216-what-risk-based-thinking.html
NQA also has a decent write-up:
https://www.nqa.com/en-us/resources/blog/july-2016/risk-based-thinking
Note where they say
"Understand the standards. You need to correctly interpret the terminology applied to ISO management systems. Risk is not always stated explicitly in each ISO standard. Terms like “suitable” and “appropriate” will often imply that you need to demonstrate a balanced approach towards risk based thinking."
which is what I am referring to above in this post and why I suggest there is value in a lead auditor course.
I will say that what they are calling RBT has been part of most of the companies I have actually worked in going back to the 1980s. I have worked in aerospace, automotive, and explosives to name a few. At one time I had an entire wall in my garage that had shelves filled with training and information materials, such as Hazardous Operations and Process Design in Explosives Manufacturing. I was doing FMEAs, or variants of risk analysis, years ago.
Anyway - Just a few thoughts, and my Thanks to Jennifer for her posts on RBT in this thread and in others here.