A risk is a finding and a finding is a risk. A finding can become a risk and a risk can become a finding. Risks are defined as probability or threat of a damage, injury, liability, loss, or other negative occurrence, caused by external or internal vulnerabilities, and which may be neutralized through pre-mediated action. You could say that risks are the Weaknesses and Threats of the SWOT analysis.
So when a risk is recognized this should lead to an action. Measures are taken to avoid, reduce, accept or transfer the risks. The severity of the risk and possible consequences is quantified by “high", “medium" and “low". Low could mean that it is not a big risk or there could be a serious risk but it can easily be resolved. Risks can be product related, process related and project related. A project risk could lead to a product risk and vice versa. When the risk is project related it can be development related or testing related.
What we often see is that the project manager and the test manager are both doing risk analysis, independent from each other. They both do this at an early stage of the project. During the project more risks become clear and should be defined, others disappear or are resolved.
Risk analysis and risk management would be done more efficiently if all parties involved would keep these risks together in one project risk database. Of course the configuration should be adjusted to the needs of the project. We could put in columns for severity, priority, project/product/process, requirements/risks/findings etc.