I would agree with John Vandenbemden that you have exceeded the expectations because there is no requirement for documentation in 4.1 or 4.2 of ISO 9001:2015. Additionally, 6.1 also does not have any documentation requirement. When we were pursuing the ISO 9001:2015 upgrade, I emphasized to our leadership (and to a lesser extent personnel in general) that they needed to understand and be able to verbally explain their understanding of the organization in its context and how they understood the needs and expectations of interested parties. This led to good discussions about what this really meant to our company and the ability of our leaders to describe these requirements confidently with our auditor.
I think I would be inclined to disagree with your auditor in regards to ISO 9001:2015 not ranking risks. I have been reviewing 6.1 with that in mind and I keep landing on the word "proportionate." I guess this depends on your definition of the word "mitigate," but NOTE 1 states "Options to address risks and opportunities can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision." Mitigation to me implies action; I think a case could be made that some risks simply can be answered with a single word like "accepted" or "retained." Again, there is no documentation requirement for this clause of the standard, so this could even take place in a meeting setting.
We have a rather unusual business and product, so we really have had to evaluate the standard and the expectations of auditors to determine what is really a requirement and what is auditor preference.