Lead with the overall risk assessment --- do not bury the lead - Use business language, not technical jargon ("patient database" not "PostgreSQL instance") - Quantify risk where possible ("this vulnerability could expose 50,000 patient records") - Connect findings to business impact (HIPAA fines, re