Good question. Which come first – the chicken or the egg?
ISA 300 (on audit planning) states:
“The auditor shall develop an audit plan that shall include a description of: (a) The nature, timing and extent of planned risk assessment procedures, as determined under ISA 315”.
So you have to plan to assess the risk. But, of course, other elements of the audit plan will be responding to the risks assessed.
Therefore the processes are somewhat iterative/circular.