During a recent team meeting, there was a debate on the importance of risk management versus simply adhering to compliance requirements. As the Information Security Manager, what would you highlight as the PRIMARY distinction between risk management and compliance?