To comply with 14971, I've always listed the RCMs in the risk assessment in the priority order described in the standard without a deep analysis. In the Individual Benefit-Risk, that's where I state that the risk has been reduced as low as possible and no further risk control measures are possible without adversely affecting the benefit-risk ratio. If I only have information for safety as the RCM, I leave the residual occurrence the same as the initial (to demonstrate that risk reduction hasn't been attributed to it) and definitely have a more robust benefit-risk analysis discussion why no other risk control measures are possible.
Some clients I've worked with include separate columns for inherently safe design, protective measures, and info for safety, but that is not a requirement of the standard. It's a preference thing, as opposed to a compliance thing. I don't separate them if I have the choice, it leads to pointless discussions of what category the RCM goes it when it doesn't matter.
I think the documentation of decisions made regarding RCMs belong in a Design Review, purely for the benefit of the engineering team responsible for sustaining your device (you don't want them to waste their time on an RCM that you've decided doesn't improve your benefit-risk ratio). I wouldn't show an auditor a list of all the what-ifs when they want to see the risk management file, only the what-is.