What is it?
The ultimate goal of all information security programs is to lower the cyber risk of a company.
Risk = the likelihood that something bad will happen and result in monetary or reputational loss to your company. The risk equation: risk exists when a threat exploits a vulnerability against an asset. All three parts have to be present; remove any one of them and the risk goes away.
For example, working backwards: you have a computer system (the asset) that is attacked by a hacker (the threat) who takes advantage of (exploits) a flaw in your system or your security (a vulnerability). That incident results in monetary or reputational loss to your company.
Another example: you have a server with sensitive data on it (the asset) that is changed by an internal employee (the threat) who mishandles the change and destroys data (the exploit) in the absence of a policy, procedure, or system to prevent that result (the vulnerability). Yes, human error is also a major threat to the security of your company.
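The following is an added example, not part of the original page, that turns the asset/threat/vulnerability equation above into a small risk register. Each scenario is only scored when all three components are present (a threat with no vulnerability to exploit, or a vulnerability with no asset behind it, yields no risk), and the register is then ranked so that mitigation effort goes to the highest-scoring entries first. The qualitative low/medium/high scale, the multiplication of likelihood by impact, and the sample scenarios (the two from the text plus a third where a change-control procedure has closed the gap) are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Qualitative scale assumed for this example; many programs use 1-5 instead.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Scenario:
    name: str
    asset: Optional[str]          # what is at stake
    threat: Optional[str]         # who or what acts against it
    vulnerability: Optional[str]  # the weakness the threat can exploit
    likelihood: str               # "low" | "medium" | "high"
    impact: str                   # "low" | "medium" | "high"


def risk_score(s: Scenario) -> int:
    """Return likelihood x impact, or 0 when the risk equation is incomplete.

    A risk needs an asset, a threat AND a vulnerability.  If any component
    is missing (for example the vulnerability has been closed by a control),
    there is nothing for the threat to exploit and the score is zero.
    """
    if not (s.asset and s.threat and s.vulnerability):
        return 0
    return LEVELS[s.likelihood] * LEVELS[s.impact]


def rank_risks(scenarios: List[Scenario]) -> List[Tuple[str, int]]:
    """Rank scored scenarios highest first; entries with no risk are dropped."""
    scored = [(s.name, risk_score(s)) for s in scenarios]
    return sorted((x for x in scored if x[1] > 0), key=lambda x: x[1], reverse=True)


# Constructed sample register built from the two scenarios in the text.
SAMPLE_SCENARIOS = [
    Scenario("external attack on workstation",
             asset="computer system", threat="external hacker",
             vulnerability="unpatched software flaw",
             likelihood="medium", impact="high"),
    Scenario("employee destroys data during change",
             asset="server with sensitive data", threat="internal employee",
             vulnerability="no change-control procedure",
             likelihood="high", impact="high"),
    # Same asset and threat, but a change-control procedure now exists,
    # so the vulnerability component is absent and no risk is scored.
    Scenario("employee change with change control in place",
             asset="server with sensitive data", threat="internal employee",
             vulnerability=None,
             likelihood="high", impact="high"),
]


if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_SCENARIOS):
        print(f"{score:>2}  {name}")
```

Running the module prints the ranked register: the insider change-handling scenario comes out on top, the external attack second, and the controlled-change scenario is absent because its vulnerability has been removed. The point of the zero-score rule is that mitigation can target any of the three components, not only the threat.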
Determining your level of risk, and how best to mitigate it, is what a risk assessment is supposed to accomplish. Much of that information is gathered and surfaced by conducting a security posture examination (more on that here).