General steps for risk assessment and treatment are:
Risk identification (i.e., identification of elements that compose the risk, and already implemented controls)
Risk analysis (i.e., the definition of the risk value, considering any already implemented controls)
Risk evaluation (i.e., comparing the risk value to risk acceptance criteria to decide if additional treatment is required)
Risk treatment (i.e., defining which treatment is to be applied, and its effect on the risk)
Here is an example using the asset-threat-vulnerability approach, for a scenario where a power generator is no longer considered needed and possible power failures will be covered by UPS:
Risk identification: the assets would be any power-dependent equipment (e.g., servers, desktops, routers, etc.), the threat would be power failure, the vulnerability the lack of a power generator, and the implemented control the UPS.
Risk analysis: without any emergency power supply, your operations will run only as long as your UPS batteries last before the normal power supply is recovered, so the risk of operational disruption increases with time (i.e., to value the risk you have to consider how long your UPSs will last and how long it will take for the normal power supply to be re-established).
Risk evaluation: considering your risk evaluation criteria, you can decide how to treat the risk (e.g., mitigate, transfer, accept, or avoid).
Risk treatment: for mitigation, you may decide to keep the emergency power supply; for transfer, you can decide to operate in a facility physically maintained by a third party; or you can do nothing and absorb the impact if the risk occurs. Please note that this analysis is valid only for this scenario. For example, if the asset to be removed is a notebook, you must take other considerations into account, like the information stored in the notebook.
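As an added worked example (not part of the original text), the four steps applied to the UPS scenario in Python: the outage history, UPS and generator runtimes, outage frequency, cost per hour, the share of impact a third-party contract leaves with you, and the acceptance threshold are all constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample of past outage durations in minutes (assumed, not real data).
OUTAGE_SAMPLE_MIN = [5, 12, 20, 45, 90, 150, 240, 30, 8, 600]

@dataclass
class Scenario:
    """Risk identification: the elements that compose the risk (all values assumed)."""
    asset: str = "power-dependent equipment (servers, desktops, routers)"
    threat: str = "power failure"
    vulnerability: str = "lack of power generator"
    control: str = "UPS"
    backup_runtime_min: float = 30.0  # how long the implemented control bridges an outage
    outages_per_year: float = 4.0     # assumed threat frequency
    impact_per_hour: float = 1000.0   # assumed cost of operational disruption per hour


def annual_risk(s: Scenario, outages=OUTAGE_SAMPLE_MIN) -> float:
    """Risk analysis: expected yearly loss from outages that outlast the backup power."""
    # Only the minutes beyond the backup runtime cause disruption: risk grows with outage length.
    excess = [d - s.backup_runtime_min for d in outages if d > s.backup_runtime_min]
    if not excess:
        return 0.0
    p_exceed = len(excess) / len(outages)           # P(outage > backup runtime)
    mean_excess_h = sum(excess) / len(excess) / 60  # average unprotected downtime in hours
    return s.outages_per_year * p_exceed * mean_excess_h * s.impact_per_hour


def evaluate(risk_value: float, acceptance_threshold: float) -> str:
    """Risk evaluation: compare the risk value with the acceptance criterion."""
    return "acceptable" if risk_value <= acceptance_threshold else "treatment required"


def treatment_options(s: Scenario, acceptance_threshold: float) -> dict:
    """Risk treatment: residual risk of each option and whether it meets the criterion."""
    options = {
        "accept (remove generator, rely on UPS)": s,
        # mitigate: keep the generator; assume 48 h of fuel autonomy bridges any sampled outage
        "mitigate (keep generator)": replace(s, backup_runtime_min=48 * 60),
        # transfer: third-party facility; assume the contract leaves 20% of the impact with you
        "transfer (third-party facility)": replace(s, impact_per_hour=s.impact_per_hour * 0.2),
    }
    return {name: (annual_risk(sc), evaluate(annual_risk(sc), acceptance_threshold))
            for name, sc in options.items()}


if __name__ == "__main__":
    for name, (value, verdict) in treatment_options(Scenario(), 2000.0).items():
        print(f"{name}: residual risk {value:.0f}/year -> {verdict}")
```

With the assumed figures, relying on the UPS alone leaves an expected loss above the threshold, while keeping the generator or moving to a third-party facility brings the residual risk under it.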