Hi,
I would think that when planning an organizational audit, it would help if I knew how you addressed risk. This would help the auditors when they go on the ground to conduct the audit.
If you said that you managed it through FMEA then it would be a heads up for the auditors to expect it.
If you said it is handled it as part of the Management review, then it would make sense to look for it there on how it is articulated to fulfill the requirements of the standard.
This would help the lead auditor plan his resources before engaging the organization on the ground. Imagine surprising the lead auditor by telling him that you perform cloud analytics with a sophisticated customized in-house software which you cant even pronounce when you ask the organization how risk is addressed.
My 5 cents,
Ernest