I’m not sure if there is a simple answer to that question. There are lots of different kinds of risk, so who manages what may well change over time.
Even before the team is founded or designated to the project, there is the sponsor. S/he may be the person with the vision, the instigator of the project, or s/he may just be the person with the money. In either case, s/he is or will eventually designate the product owner, whose primary responsibility is financial.
I think it is legitimate for the project owner to ask risk-oriented questions right at the beginning: What are the big risks in the projects? What will cost us money if they happen or if we don’t prepare for them properly? How do we mitigate those risks, keep our options open, and handle the issues gracefully when they happen? Once the team is constituted, these are questions for them to think about as well.
There are many risks, some more likely than others. Some “risks” are not risks at all, they are certainties. Changing requirements is high on the list. Scrum embraces these risks as part of the process.
A classic risk question in any user-facing application: ‘What happens when the usability people decide they need to redesign the UI late in the game?’ Call it a special case of changing requirements, but you don’t want to be caught without a solid test suite if you have to completely refactor the back-end.
Other risks are more subtle. Teams or individuals that do not have the necessary training or that don’t work well together will make slow progress. This can be seen in the Product Burndown Chart. The Product Owner will see quickly that he has a time/scope/money problem, but figuring out the cause will need support from Team and Scrum Master.
What I don’t like to see in a bid is boiler-plate text which can be “safely” ignored during the actual project.
Once the team is constituted and an initial product backlog has been created, the P-O and the Scrum Master and maybe the team will get together to prioritize the stories. There are many ways to do this, including bang for the buck, value to the P-O, deal with hard problems first, put off difficult and unclear issues until later (when they are better understood)… And yes, some of the strategies are contradictory.
So somebody makes a decision, and that someone is the Product Owner.
The Scrum Master and Team should help the P-O optimally prioritize the backlog to minimize risks. The team can be particularly helpful with technical risks and the Scrum process should help identify blind spots. But since ROI is the responsibility of the P-O and the consequence of risk is cost, managing Risk is fundamentally the P-O’s responsibility.