Welcome to the next infernal circle of Risk Management, as envisioned and enforced by representatives of European NBs. As Low as Reasonably Practicable (ALARP) is (essentially) unacceptable.
My company's Risk Management process involves a RM Plan (and Report), with the primary document analyzing risks (and documenting controls) as a Hazard Analysis. The HA has subordinate FMEA (and software HA). We have explicitly been mandated by our NB, for each line of analysis (in all documents), to explicitly reduce risks (*1) as low as possible and to include a Risk-Benefit Analysis/RBA and Risk Control Option Analysis/RCOA (*2) for each line (of every document).
(*1) Internally, there is an opinion that the requirement to "reduce risks" (to any degree) in documents like FMEA is logically absurd. FMEA explicitly only reviews failure modes. Generally, the reduction/elimination of failure modes leads to risk reduction, but the risk reduction is only sensible at the Hazard Analysis level, because that is the level at which risks are identified and analyzed.
(*2) Risk Benefit Analyses used to be covered by the following guidance, but based on interaction with our NB things got weaker:
14971:2012 has a very useful guidance in D.6.3:
Those involved in making risk/benefit judgments have a responsibility to understand and take into account the technical, clinical, regulatory, economic, sociological and political context of their risk management decisions. This can involve an interpretation of fundamental requirements set out in applicable regulations or standards, as they apply to the product in question under the anticipated conditions of use. Since this type of analysis is highly product-specific, further guidance of a general nature is not possible. Instead, the safety requirements specified by standards addressing specific products or risks can be presumed to be consistent with an acceptable level of risk, especially where the use of those standards is sanctioned by the prevailing regulatory system. Note that a clinical investigation, in accordance with a legally recognised procedure, might be required
We took this to mean that if we subjected system elements (that are subject to industry-accepted consensus standards) to the requirements of their accepted standards, then certain categories of risk would be ACCEPTABLE, without having to worry about RCOA or bother with an RBA (for those specific risk categories). I'm still digesting the totality of 14971:2019, but as far as I know this guidance does not appear in this form, and our NB isn't letting us use this approach any longer. Practically, we are now required to produce line-by-line RCOA that more or less repeats the content of the 2012 guidance D.6.3, which quite frankly is a waste of time and dilutes the risk files.
I am concerned that the requirement by our NB audit team may actually drive counter-productive behavior: if it becomes burdensome to do extra "no value added" actions on line items there will be a temptation to reduce the number of lines of analysis. It has been my experience that more lines of analysis are generally good (for reducing risk and improving designs) but only when they actually contain relevant information.