There are many ways to describe risk and ISO 31000's Clause 5 risk assessment through to treatment steps is ideal. It can be applied to most risk disciplines without compromising the way in which uncertainty is measured, modelled and treated.

Risks from Market risk, credit risk or operational risk can be fitted into the Clause 5 steps of ISO 31000 even though these risks are measured using not only different datasets but alternate techniques.

All this said, the following statement in ISO 31000 needs to be applied to the letter in which it was written.

"Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these." | ISO 31000

and

"Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence." | ISO 31000

Risks are "often" characterized and "often" does not translate to ALWAYS. ISO 31000 practitioners should be sensitive to the use of this single word in the ISO 31000 principles and guidelines document.

ISO 31000 Market Risk Infographic | LINK

Risks that are born from a contractual or actuarial source are only expressed in the terms of a "combination of consequences of event and the associated likelihood" with great model error and this quantification practice is not fit for purpose for all types of uncertainty that risk practitioners attempt to evaluate.

To be specific with what I am saying here, there are risks that are time dependent, there are risks that are dose dependent and levels of fragility which are impacted by a combination of both time and dose factors. Concisely, your chance or likelihood if you prefer of either negative or positive consequences can increase as your exposure to a volatility surface does.

For example; if you have one x-ray a year, the chance of ill effects from radioactive contamination are different than when you either shorten the time between x-ray exposure or increase the number of x-rays over a fixed time period.

As off putting as this is for people that believe risk is only represented as frequency x magnitude over any period of time, I am afraid to say they need to apply the appropriate model to the specific risk problem they are attempting to measure. These type of risk practitioners should either broaden their minds or in many cases do more research because all risk problems are not simply a nail that needs a hammer.

If any risk practitioner believes a five year cross currency swap for one million, just as an example, has the same uncertainty (risk) as an identical notional contract for ten years, they are deluded. Volatility [LINK] is a form of uncertainty and time series analysis is an appropriate type of modelling technique that should be applied to market instruments.

So where does this leave us in respect to ISO 31000 is anyone's guess but we can be nearly sure of one thing in the realm of uncertainty management, there is a gap here that requires attention for the enterprise risk management community.