So I stumbled across this blog post the other day and really liked it. If I wasn't so lazy, I'd rewrite it, replacing all the references to the development projects with security/risk mitigation projects.
But I am lazy, so read it yourself and make the replacement in your head.
It's a must-read for anyone in the security biz communicating or managing risk to the business folks (in other words, almost everyone in security).
No Deadlines For You! Software Dev Without Estimates, Specs or Other Lies
Seriously, go read it. It's great.