I would like to discuss what your approach to risk management was from the start of incorporating this process. What questions do you ask, and is there a format for defining risk where Management does not have input but wants output? Basically, what should be asked to start this process?
The standard doesn't require a procedure to manage risks.
It's up to you how to manage this stuff in your system.
I have seen different approaches, and most of them comply with the standard.
Starting from some of them, where they say: risks are everywhere, and the actions to minimize them are already in my procedures, e.g. why do I perform supplier evaluation? Because I detect a risk in the delivery of materials. Why do I perform audits? Because I detect a risk if my processes are not working well, and so on... I don't have the need to have anything documented regarding the risk.
I have seen other systems where they have a simple procedure and form: a risk is detected and its value is evaluated using the formula Risk value = P x I (probability x impact). Based on this, action plans are needed to lower the value of the risk. After the plans have finished, the residual risk is evaluated; if it is less than the initial value, the risk is closed.
Again, ISO does not require a procedure nor a standard to be followed.
As a reference, you can take a look at ISO 30000, which is a standard for risk treatment, so that you can get a general idea.
Regards