Risks and threats are what risk management strives to deal with. Risks are something that have a negative impact on project objectives or a company's ability to perform normal business functions, and can result in loss for the company. Threats are the potential to use a particular vulnerability to cause damage. Each has the ability to adversely effect the confidentiality, availability, or integrity of a project or business, which is why it is so important that they are handled effectively.

The definitions of risks and threats are similar to one another. However, a threat and a risk may not always be exclusive to one another. The difference between the two is that a risk always involves the potential for loss, while a threat is always something that exploits or triggers a weakness to cause damage. If there is no vulnerability that can be exercised, then the source of a threat poses no risk. To illustrate this, say a company has a building near a mountain that is prone to having avalanches. This would mean the source of the threat is the mountain, the threat is an avalanche, and the vulnerability involves being too close to the mountain. If the company's building were far enough away from the mountain, then there would be no risk. While the threat of avalanche still exists, the risk does not.

It is also important to realize that risks are not inevitable or necessarily bad. Something that threatens or provides an...