Yes, Dramman is right (as is Randy) that you don't have to list them out. Ours are taken care of in management review meetings (minutes). Here are two examples of ours (over-narrated, of course, and my apologies for that...)
One of our identified risks is with a provider of black oxide coating. As the result of a recent storm, the provider lost power for four business days, resulting in a delay of approximately a week on our parts due to their need to heat up tanks, etc. While we do nearly all of our business with this one black oxider, we realized we need to maintain a relationship with another black oxider so that we can meet our customer's schedule even if events happen that are outside the first company's control. So we made a plan to hire another supplier and send 20% of our black oxide orders to them during the year to maintain the relationship, so that if we run into problems again the new provider might be willing to "fit in" a last minute request in an urgent situation (properly compensated, of course).
Another risk: our salesperson landed a set of jobs with a subcontractor, who gave us the contract their customer gave them so we could work from the original. But the subcontractor failed to tell us that we needed to thoroughly understand the notes and references on the contract, which were located on a centralized website. We completed the job without having reviewed the notes, (D'oh!) and the subcontractor rejected our work because it did not comply with the other website references. In addition to remaking the parts to correct the error, we realized we had to re-create our review process for contracts so that the notes and references would not be missed the next time the subcontractor puts out RFQs.
Now, these are not the brightest moves we've made, and they really come out of NCs, but they are long term fixes that we're bound to encounter again. I really do miss the PA part of CAPA...
