In the Post-Quantum Cryptography (PQC) era, assessing quantum risk is essential for informing decisions such as prioritising system migration. Emerging identity and authorisation systems, including Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs), introduce new challenges due to long-lived assets and multi-actor lifecycle interactions. In this paper, we propose a threat modelling framework and a lifecycle-aware extension to an existing quantum risk assessment methodology. We present a taxonomy of quantum-related threats tailored to DID/VC systems, categorising them by target asset: data (e.g., credentials and DID documents), services (e.g., issuance and verification), and resources (e.g., computation and storage at wallets and verifiers). Building on this, we derive an extended quantum risk formulation that incorporates aggregation risk, sharing exposure, and verified destruction, enabling more informed and context-aware prioritisation of PQC migration strategies.