AS9100 expects operational risk assessments to be specific enough that risks can be understood, owned, and controlled at the process and part/program level. High-level “generic” risk lists are not sufficient. The right depth depends on your process complexity, customer/regulatory expectations, and the maturity of your QMS and data.