Risk management is about balancing off probabilities of threats and costs of assets. Adapted from image by Clker-Free-Vector-Images from Pixabay.
The list of threats that can affect a company, their risk levels, the decisions on which threats to prioritize, and the tools (hardware, software, etc.) that the company plans to use to control the threats are collectively called a threat model.