Greetings Bob,
Risk Based Thinking is one of the many sections in the standard that a lot of quality professionals struggle with when trying to demonstrate compliance to a registrar. I am a lead ISO consultant and have worked with over 40 companies in the last year and half to acquire certification in ISO 9001 and  AS9100. I cut my teeth in the automotive industry where FMEAs were required and caused a lot of stress to everyone, except the quality engineering nerds like me.
I know that the Risk Register and anything like it can be intimidating, therefore, I have used a technique that has not raised an eyebrow by a registrar yet. I encourage my ISO 9001 clients to identify risks and opportunities (the positive risks as you mentioned in the white paper) in three areas: Context of the Organization, Relevant Interested Parties, and in the Key Process Definition Documents (formerly Turtle Diagrams).
For example, a context issue may be an aging workforce where tribal knowledge has not been documented and the risk is that our processes, products and services may go haywire when our prized, seasoned employees retire or leave us to open a bar in Jamaica. The risk mitigation can include a shadowing program for new hires to work with seasoned employees to learn the processes and in turn document that knowledge. Encourage the seasoned employees to suggest improvements during this process and reward them for being team players and being committed to a culture of improvement.
During the Management Review meeting, discuss this risk and the progress that we are making toward the actions to mitigate the risk. Reviewing and updating the context issues,  their risks and improvement suggestions during the Management Review demonstrates compliance to 4.1, 6.1, 7.3, 9.3 and 10.3.

Thank you for sharing this content, Bob!