As an optimist I would say: you are looking at this half-right.
You are right about the fact that not having a security policy creates risks.
You are not right that this does not include business risks. ISO/IEC 27000 itself says under chapter 3.6:
A large number of factors are critical to the successful implementation of an ISMS to allow an organization to meet its business objectives. Examples of critical success factors include the following:
a) information security policy, objectives, and activities aligned with objectives;
To correct your question further: The risk the organization is facing is not being non-compliant with the ISO norm; the risk lies in the consequences that ensue from not having a security policy.
What are those consequences? These are threats that the respective organization might face because of the non-existence of a security policy. ISO27005 has some examples in Annex C under "Compromise of information" or "Unauthorised actions". See Annex D for pairing with vulnerabilities to make things perfectly clear.
For example:
Lack of procedures for classified information handling - Error in use
This vulnerability and the paired threat correspond to a missing policy for handling classified information. An organization needs a policy like that, which describes how classified information is handled and who has access to it under what circumstances etc. After a policy has been worked out and presented to all employees, it has to be enforced in varying degrees.
If there is no policy -> it can't be enforced -> there can't be any procedures -> classified information will be handled poorly => for instance: employees don't shred secret files before throwing them away.
(You can find all this in chapter 8.2 in the ISO/IEC 27002 norm.)
So how do you describe the risk in the end?
Exactly like you would describe any other risk. The only difference is that this one is much more impactful. Just follow the risk assessment process in ISO/IEC 27005 and imagine an organization that has no security policy.
It's all in the norms, you just have to know where to look.