If there are allergens you are particularly concerned about then you may also find it useful to agree a slightly restricted item list with the company stocking the vending machines - we have a nut/peanut free site and have a written agreement with the suppliers of these types of item to not deliver anything containing nuts/peanuts. If you're setting this as a new requirement then there may be a learning curve so you'll need to monitor it, but they do learn, particularly if you dispose of their stock for violating the agreement...
In terms of listing everything for your risk assessment, the only way you'll realistically be able to do this will be by allergen category - for example, our assessment is done on the basis that staff lunches and snacks etc may contain any of the 14 EU allergens with the exception of nuts and peanuts.
In terms of the potential routes of contamination, the level of risk will depend on the nature and effectiveness of your training program and general levels of adherence to site hygiene rules, so whilst it's possible to e.g. sneeze peanut residue into your products it's hopefully very improbable that anyone would actually do this.
IME it's a really popular area for BRC auditors to look at and can be a source of an easy non-conformance - every year they like to have a bit of a dig around in the refrigerators used by the staff for their lunches (as do we, as part of our own internal audit program) but I've seen them go as far as asking for gloves and poking around in the rubbish bin in the break room to see if anyone had eaten and then disposed of anything on the banned list!