null_shift, today at 3:58 PM

I would argue that testing code is “Risk Mitigation” not “Risk Management”.

It is nuanced, but at least in large Systems Engineering orgs, Risk Management is typically a different thing entirely.

It entails documenting known risks, evaluating the likelihood and potential impacts, defining mitigating actions, tracking the closure of those actions and the resultant reduction in the likelihood of the risk manifesting.

This is both centralized and distributed. The specific SMEs provide most of this input/definition, but it is also useful to have a centralized understanding of all the system risks by someone with a system level purview.