There are several components to risk assessment for GXP:
See GAMP 5, ISO 14971 (Med Devices), ICH Q9, Quality Risk Management
1-High level assessment of regulatory applicability; i.e., is the system GxP, HIPPA, SOX, etc., and what is the level of criticality for the system as a whole.
2-Requirements level risk: There are a number of methodologies which might be used here (see GAMP 5) - FMEA, Hazard Analysis, Fault Trees, Impact Analysis. Depending on the type of system (e.g. SW application vs. Medical Device vs. Mfg Eqpt) and development phase (design, validation, production) one or another of these methods may be preferable. FMEA seems generally to be the most popular, at least in my experience (although not necessarily the best in all circumstances).

3-Risk assessment is a team-based effort involving the business, quality and technical SMEs. The output of the risk assessment can be used to determine the required degree of rigor to apply in the verification of a particular requirement, based on established procedure.

Risk assessment should be done and applied throughout the lifecycle to ensure the validation is fit for intended use. Depending on which stage and what is the purpose of risk assessment, you can any number of methodologies which are highlighted in ICH Q9, ISO 14971. Obviously FMEA is most popular but it may not be the right tool all the time.

For risk assessment, you can involve all the SMEs necessary from different functions to ensure it is thorough. However, the discussion for risk assessment should be moderated well otherwise everything will come out to be high risk which will kinda defeat the purpose of it. A good moderator is very important in my opinion.

I recommend having GxP compliance drive the RA. Include the business owner, SMEs, validation lead, and implementation consultants. Start with the URS and traceability from URS to system/functional spec in a matrix. Then classify each URS as either GxP relevant our business critical. These are the higher risk requirements. All others can be informally verified, as needed. Then, using a 14971-style risk assessment, identify potential failures for each Go/business critical requirement. Include relevant hazards and outcomes. Determine severity, likelihood, and detectability for each. Establish a risk exposure level for each, then apply risk controls of design, testing, procedure controls, and contractual controls as appropriate to mitigate risk to acceptable levels. Make sure someone verifies the risk controls are implemented and they are formally tested to prove they work.

Risk Impact assessment is done on various factor depends upon CSV categorization whether its regulatory or non regulatory or finance system.
Product manager,compliance office,business, Internal teams will be consulted depending upon product or project. As a basic step impact assessment for product quality,data impact, probability of failure , detectability will be calculated

What are the common pitfalls that can happen in the high level risk assessment and Requirement level risk assessment?

Thank you Lou Ragni, CQE, CQA, Ravindra Kumar, David Meeks, and Mohan V