If you have implemented all the new requirements into your system, and the system is processes based, and process owners are training in RTB, and the employ this in their processes, a good Risk Assessment activity is to conduct and internal audit on all the processes.
What, you are already doing an internal audit on all the processes?
Wow, it looks as if you already are employing RTB in your system.
Now, the trick is to explain that (PLAN), and to capture the activities (DOCUMENTED INFORMATION).
Don't over think it. You do it all already, I'll bet.