I just created a Custom Attribute on the risk object for attachments in the CA PPM 14.4 Sandbox environment. I could as the administrator delete the attachment. But as a non-admin resource, I got an error when I tried to delete:
ERRORError 401 - Unauthorized. You are not authorized to view the page. If you are sure you have access, try logging in again or contact your system administrator.
I created a new risk where I had a non-admin account as the risk owner, and could not delete the attachment either.
I would recommend opening a ticket with CA