The key to this workflow (and the secret of its success) is getting the business owners to click on the 'Accept Risk' button.
That simple action makes the whole difference, since that is the moment that a particular RISK becomes REAL.
Now, the responsibility/decision/liability of NOT fixing an issue is clearly mapped to an individual (which in some cases can even be the CTO).
Note that the definition of 'not fixing' should be 'will not be fixed in the next couple of weeks'.
Here is v1.0 of the workflow (for a Risk JIRA issue)
Once there are enough risks in the system, it's time to introduce v2.0.
Update: Here is an improved version of this workflow