Risk is defined as the activity of threats finding weaknesses and methods to gain access to assets and destroy them.
A vulnerability is defined as a gap or weakness in a security system that threats can find and use to gain access to unauthorized content. Hackers and other threats can use it to reach unauthorized content in an organization's systems.
A threat can be anything, present within the system or external to it, that may destroy system security, whether it happens intentionally or accidentally.
Access control and its relation to the factors defined above:
Access control helps an organization minimize its potential risks by closing off the ways in which possible vulnerabilities could be used to attack the system.
Risk is a function of threats exploiting vulnerabilities to destroy assets. Threats might exist, but if the vulnerabilities are few, there is a chance of very little risk. Similarly, if there is a vulnerability but little or no threat, there is little risk.

Pinkerton. (2014, October 16). Risk vs Threat vs Vulnerability – and Why You Should Know the Differences. Retrieved January 17, 2016, from Pinkerton: http://www.pinkerton.com/blog/risk-vulnerability-threat-differences