If you don’t know who the key players are, then how can you start on the risk assessment? This is one of the challenges of decentralised organisations. Any risk assessment should take account of the use of open sourced software in a non-commercial structure - TTN is not a telco.
If this “risk mapping group” has access to information such as the resilience and architecture used in TTN and they don’t share this, then there are issues as to transparency and agency.
I for one feel the first steps prior to any risk assessments are public disclosure as to ownership and details of the non-open-source elements of the TTN architecture, together with clear plans and intentions on open sourcing hardware and software of, for example, the new TTN gateway.