I answered that you present the risks by outlining security incident likelihoods and impacts. If qualitative analysis does not sway upper management, quantitative methods can be used to better illustrate the potential for negative financial impact to the business. I also added that in the end, it is upper managements role (CISO, et al) to accept security risk...which they seemed to disagree with.