ISO Guide 73:2009 defines risk management as "systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk."
This is the definition of RM used in ISO 27001. Given that RBT also appears to include action as well as thinking, I don't see a material difference between RM and RBT.
But, regardless, yes, auditing risk management is fraught with difficulties.
TC 176 were influenced by Annex SL of ISO's guidance to itself on writing management system standards, previously known as Guide 83.
I doubt whether it's much based upon the meltdown of risk management at the banks, not least because they themselves are still in denial and appear to have learned little. I believe that Annex SL draws heavily upon established risk management practices in ISO 14000, 18000 and 27001. It also refers to the ISO 31000 series of standards on risk management.
For quality, I don't think RM is just about product and service design, although that's a large part. It's also about resilience of the supply chain, assuring on-time delivery in full, packaging, assuring continued availability of critical know-how, assuring continuity of supply despite disruptive events (e.g. switching manufacturing from one plant to another) and more. While FMEA is one valuable technique, it's not always applicable. For example, in ISO 27001, some analysis methods go into detail such as threat (what could cause an undesired event, a thief for example) and vulnerability that the threat could exploit (an open door, for example). They then plan mitigations that are proportional to the strength and determination of the threat (we need stronger defences against organized crime, if they're a real threat, than the local kids).
Which of course makes RM hard to audit - but independent review of RM is vital, because when they must document their RM activities, there is a temptation for some to under-report risks, so as to make mitigations cheaper. Not only is it hard for auditors from a time and effort perspective, but - even harder - they must do it objectively.
In the ISO 27001 world, the 2005 version of the standard made objective auditing of RM possible by demanding a documented method for risk assessment - which often looked like FMEA, but modified to take account of threats and vulnerabilities. But the 2013 version of ISO 27001 dispensed with the requirement for formal risk assessment methods (because some organisations simply employed, for example, an ex-policeman with experience of organised crime who could advise appropriate mitigations). So objective auditing of RM, I think, will rely upon either a documented method, or records of RM competency.
To the example of BCA, if mitigations fail, that's not necessarily an indicator of ineffective RM. Indeed, I think the general requirement to measure the effectiveness of processes will have to make an exception for RM - because mitigations sometimes fail, that's life. I think the test of effective RM is, when something bad happens, "hands on hearts, can we stand up in Court and say truthfully that we did our best?" Which of course isn't auditable. But that's the reality. Suppose we determine that flood is a risk to one of our facilities, with bad consequences both for the environment when our toxic waste gets into the flood waters, and for on-time delivery because we can't manufacture. Suppose also that our mitigation is flood defences - walls, run-off areas and so forth. We build our flood defences assuming the water might rise 10 feet. But it rises 15 feet and we still get flooded. I think for auditors to write that up as ineffective is unhelpful: we got flooded, we know it didn't work. Rather, as auditors, we'd look for lessons learned - how did we get the figures wrong? Did we get the figures wrong or was this a freak? Might it happen again? What more can be done?
So yes, auditing RM will be hard and, in my experience of ISO 27001, auditors do get it wrong. We're not helped either by risk assessment methods that obscure the risks by listing hundreds in abstract terms. Nevertheless, as the banks showed spectacularly, if risks aren't monitored and independently audited, avoidable trainwrecks can occur. (Sorry about the mixed metaphor.)
One consequence, then, I think is that auditors will need more time for audits, and the competency to understand RM techniques and the risk landscape applicable to the sector they're auditing.
In a world that's uncertain, where almost everything is subcontracted, often to facilities half way across the globe, I think it's a challenge to which we need to rise.