Understand what can go wrong and explain it the simplest possible way.
Support your explanation with a realistic attack scenario. Provide a pragmatic example of how the risk can result in an actual attack.
Explain what is the impact to the business if this risk becomes true.
Note: Source of the principles.