Security risk is uncertainty about undesirable future events, a lack of control. To reduce uncertainty, we'd need a way to look into the future. And we can.
Having identified threat sources and vulnerabilities relevant to our assets, we construct risk by formulating realistic events. Neither objective nor scientific, it does provide a crystal ball of sorts.
Also, what has already happened? History is an indicator of what might happen. Spotting the future in the rear mirror could be our best option.