Presumably the item in question is not an ointment or cream, but some sort of device.
Welcome to the wonderful world of formulated medical devices (a sort of
devices) - some of which are certainly creams and ointments, others are solutions, powders etc. To qualify as medical devices they need to function chiefly not through
a metabolic, pharmacological or immunological mechanism (each of which has quite a precise definition) a chemical reaction in or on the body or (specifically) through being metabolised. For example, an ointment may serve as a physical barrier, a powder may serve as a packing agent etc. I suggest not jumping to conclusions whilst we weren't told what the product is and what it's intended for (before and after the "change").
Added in edit: I initially related to the EU medical devices definition (see struckthrough text), and later recalled that that discussion evolved in an FDA context so replaced it with the relevant wording from the FDA's definition. The argument is not really affected by that, though the FDA's definition is not as specific.
If the device has already been on the market, presumably the manufacturer is aware of the harms that arise from the use of the device because they have been taking complaints and/or collecting data about their market.
I think you presume a little too much.
The nature of any received complaints (and their occurrence/reporting rate) may well be related to the manufacturer's claims, the distribution channels etc., i.e. as what the product has been marketed, and for what. They may not have gotten many (or any) complaints related to the medical use because such use didn't occur yet (because no one has intended it and promoted it, yet).
Second (as already noted), they might have not been collecting data about "their market" (Q: what market - medical or cosmetic?), not because they're a dodgy company or a lazy/sloppy team, but simply because it's not required or expected for cosmetics at the same level that's expected for medical devices (in most jurisdictions). Proactive data collection costs money.
If they are trying to start an assessment of risks from scratch, they absolutely need to have some basic understanding of the harms, whether they intend to 'calculate' acceptability or not.
Exactly my (bigger) point: Understanding the harms (and their realisation mechanisms) is paramount for
assessing and evaluating risks, which is both what the standard requires (in contrast with calculation) and what is practical in the vast majority of cases in which a new product is brought to the market (new use = new product, in medical devices terms).