Risk is an important concept, but too often, bringing risk into a security discussion leads to more analysis and talk and not to productive action. I prefer productive action.
If your discussion is more abstract and includes terms such as confidentiality, integrity, availability, and non-repudiation, then maybe including the reduction of risk as a motivation is appropriate. But if you're in a meeting with the business and trying to determine concrete direction and actions, then I'd recommend that you translate risk into controlling business disruptions related to unauthorized access. Then you have something definite to talk about and measure.