In my experience, there are 2 ways to figure out risk management (and bear with me, the suggestions that I am going to talk about would seem very obvious and common sense, but people, even those with experience, somehow seem to neglect some of these aspects; and believe me, with risk management, it can come back to bite you very hard and imperil the possible success of the project). The 2 major aspects of risk management from my experience are:
1. Common areas that are known
There are different ways to handle these 2 different factors. If you look at common areas, these are a list of factors that are common across projects. These are typical factors such as schedule slips, attrition / transfers, feature creep, etc. Any well run organization will have a database of such common factors (and which gets constantly updated in terms of severity of the issues and possible responses / mitigation factors). Knowing all this, if a project manager does not review these issues on a regular basis and ensures that none of them reaches a critical level, it is entirely on the head of the project manager. However, sometimes it happens that a project manager gets so tied up in the daily running of the project that they do not spend the required amount of mind space on reviewing the risk factors, especially from the common such areas.
2. Unknown factors that can come up any time. These can be difficult to diagnose and even more difficult to handle, but who says that the job of the project manager has to be easy ! So, consider a case (which is also a real life situation), where a competitor made some strategic changes in their product line and this required some real time changes in the way the features being developed had to be changed, which in turn required a lot of changes in the internal schedule, in the resource management and so on. This is an example, a bit extreme, but there can be different variations as well as other kinds of issues that come up (and it is hard to speculate on the wide variety of issues that can come up). The best way to find out such issues is to have regular meetings with the leads and the product manager(s) and track the issues that come up in such meetings; and then follow these issues until they diminish or are otherwise handled properly.