Risk management, quantification, and threat modeling

GRC is at the core of any good security program. If you’re not measuring risks and using those measurements to prioritize work, you’re wasting a lot of time and money. What tools and techniques do you use to quantify the risks in your environment? What threat modeling strategies have you found effective?