Risk based thinking was one of the relatively few new inclusions to ISO 9001 2015. Note that phrase: 'risk based thinking'. Formal risk management is not a requirement, but thinking about risks is.
I'll be writing an article or two to help in the coming weeks. Because like many other topics, it is good sense and it isn't as complicated as some people would like to make it. Though you can certainly make it incredibly complicated if you wish.