It truly depends on what you are trying to achieve and what the nature of the object is. For instance, if you merely want to mention that a risk is present in process X, then associate it with the process. If you have the luxury of knowing where specifically (a specific task or area in a subprocess), then associate it with the object(s).
EPC's reporting engine includes a Process Risk Assessment Report (see attached) that will produce a view that includes all risks tied to the process itself or any of its children. There are also others for Performance management and so on.