In addition to being considered as a 'Preventive Action', it can also also be considered for application under 4.1 (a) "determine the processes..." since Risk Assessment' is a process whose application, like any other process, might be considered indispensable for the QMS.
However, the standard has not explicitly prescribed which processes are to be determined and managed. It's upto the organization to identify & manage the processes based on it's perceived needs.