First you need to convert comma separated values into an varray and then use
stmt := stmt || ' AND Risk.Code IN (select column_valuefrom TABLE(v_my_data))';
One technique: https://blogs.oracle.com/aramamoo/entry/how_to_split_comma_separated_string_and_pass_to_in_clause_of_select_statement