In risk assessment, what is the next step after identifying threats and vulnerabilities?

Get ready for your WGU ITEC2034 D385 Software Security and Testing Test. Study with multiple choice questions that include hints and explanations. Boost your confidence for your exam day!

Multiple Choice

In risk assessment, what is the next step after identifying threats and vulnerabilities?

Explanation:
Identifying threats and vulnerabilities provides the factual picture of what could go wrong. The next step is to estimate risk by combining how likely it is that a threat will exploit a vulnerability with the potential impact on the asset. This involves assigning a likelihood and an impact (using qualitative or quantitative scales) to produce a risk level or score. Those risk estimates quantify the danger and create a basis for deciding which risks deserve attention first and what controls to put in place. After risk estimation, you typically move on to prioritization to rank risks, and then to mitigation planning to address the highest ones. Asset identification and the initial identification of threats and vulnerabilities happen earlier in the process, while mitigation planning comes later.

