CSRD Information Overload for SMEs: ERM Strategies for Taiwan Businesses

Winners Consulting Services Co., Ltd. has found that an empirical study of 72 innovative Italian SMEs reveals a critical insight: the information disclosure requirements of the Corporate Sustainability Reporting Directive (CSRD) could constitute an "information tsunami" for small and medium-sized enterprises (SMEs). As mandatory ESG reporting obligations extend throughout the supply chain, Taiwanese manufacturing SMEs that fail to establish an ISO 31000-compliant risk management framework in advance will face severe compliance and market access risks within the next 3 to 5 years.

Source Paper: Corporate Sustainability Reporting Directive (CSRD) and His Future Application Scenario for Italian SMEs (Arduini, Simona; Beck, Tommaso; Celli, Massimiliano, arXiv, 2024)
Original Link: https://doi.org/10.5539/ijbm.v19n4p44

About the Authors and This Study

This paper was co-authored by Italian scholars Simona Arduini, Tommaso Beck, and Massimiliano Celli, all of whom are established experts in corporate accounting, financial reporting, and sustainability disclosure with considerable influence in Italian academia. Published on the arXiv platform, the paper has already garnered 19 academic citations, including one from a high-impact journal, indicating that its perspectives have gained widespread recognition among peers in the sustainability reporting field.

The authors' choice of Italy as the research setting is highly representative. Italy is one of the EU's major manufacturing nations, with an SME structure remarkably similar to Taiwan's—dominated by family-owned, export-oriented manufacturers that are resource-constrained yet deeply embedded in multinational supply chains. This makes the study's conclusions directly relevant to Taiwanese business leaders, rather than being confined to a European policy discussion.

The CSRD "Information Tsunami": A Warning Signal from 72 Italian SMEs

The core question of this study is: as the disclosure requirements of the Corporate Sustainability Reporting Directive (CSRD, EU Directive 2022/2464/EU) gradually extend to SMEs, are these companies equipped to cope? Using Information Overload Theory as a theoretical framework, the researchers conducted a systematic evaluation of voluntary sustainability reports from 72 innovative Italian SMEs through Content Analysis, leading to the following key findings.

Key Finding 1: Voluntary Reporting Practices of SMEs are Severely Inadequate

The results show that even among SMEs classified as "innovative," the completeness and quality of their sustainability reporting fall far short of the standards required by the CSRD. Most companies' ESG disclosures are fragmented, lack comparability, and have significant information gaps on core issues such as environmental data (especially Scope 3 greenhouse gas emissions), social metrics, and governance structures. This is a far cry from the double materiality assessment framework required by the European Sustainability Reporting Standards (ESRS).

Key Finding 2: The Path of Regulatory Expansion Pushes SMEs into a High-Pressure Compliance Scenario

The CSRD is designed to expand its scope in phases: Wave 1 targets large listed companies, Wave 2 extends to medium-sized listed companies, and Wave 3 transmits pressure to unlisted SMEs through the Voluntary SME Sustainability Reporting Standard (VSME) mechanism. The researchers point out that even though the VSME is technically designed for simplicity, for resource-limited SMEs, direct requests from supply chain customers are often more compelling than the regulation itself. This creates a "market-driven de facto compliance obligation," making the "voluntary" standard effectively mandatory under supply chain pressure.

It is noteworthy that Japan's Financial Services Agency (FSA) announced a revised Cabinet Office Ordinance in 2025 requiring Tokyo Stock Exchange Prime Market listed companies with a market capitalization of JPY 1 trillion or more to disclose sustainability information compliant with SSBJ standards starting from the fiscal year ending March 2027, with a safe harbor rule for Scope 3 emissions. This indicates a high degree of convergence between the regulatory direction of major Asian capital markets and EU trends. Taiwanese companies face pressure not only from EU customers but also from a systemic transformation of the entire supply chain ecosystem.

Key Implications for Enterprise Risk Management (ERM) Practices in Taiwan

Taiwanese SME executives must recognize that the CSRD affects their businesses not through direct legal obligations but through the information transmission mechanism of the supply chain: your major EU customers must disclose their supply chain's ESG data in their own CSRD reports, and that data must come from you.

From an Enterprise Risk Management (ERM) perspective, the "information tsunami" risk revealed by this study is essentially a combination of Compliance Risk and Market Access Risk. According to the ISO 31000 risk management framework, companies should incorporate such structural external pressures into their formal risk identification and assessment processes, rather than treating them as short-term administrative tasks.

Specifically, Taiwanese companies should now focus on the following three dimensions:

  • Risk Identification Level: In line with the external environment scanning requirements of the COSO ERM framework, systematically review contracts with EU customers to identify any existing ESG data provision obligations and assess the risk of contract breach if such data cannot be provided.
  • Data Governance Level: Establish a foundational data architecture capable of supporting the requirements of the European Sustainability Reporting Standards, including a quantitative tracking system for core indicators such as energy consumption, waste, water usage, and occupational safety.
  • Organizational Capability Level: Referencing the requirements for the "support" element in Clause 7 of ISO 31000, establish a cross-departmental working group with sustainability reporting capabilities within the company, rather than relying solely on external consultants for emergency responses.

The latest draft report from Japan's Financial System Council's "Working Group on Disclosure and Assurance of Sustainability Information" has already recommended the gradual introduction of third-party assurance requirements for companies with a market capitalization of JPY 500 billion or more, adopting international standards. This means that Taiwanese listed companies and their supply chain partners will face equivalent demands from Japanese customers within the next 3 to 5 years, creating dual sustainability disclosure pressures from both Europe and Japan.

How Winners Consulting Services Helps Taiwanese Enterprises Address CSRD Supply Chain Pressure

Winners Consulting Services Co., Ltd. assists Taiwanese enterprises in implementing the ISO 31000 and COSO ERM frameworks, establishing risk matrices and Key Risk Indicators (KRIs), and strengthening board-level risk governance capabilities. In response to the CSRD supply chain pressures highlighted in this study, we recommend that Taiwanese companies take the following three concrete actions:

  1. Conduct an ESG Compliance Gap Analysis: Benchmark the company's current sustainability disclosure practices against the double materiality assessment requirements of the European Sustainability Reporting Standards (ESRS) to identify gaps between current practices and EU customer expectations. Quantify this gap as a trackable Key Risk Indicator (KRI) according to the ISO 31000 risk assessment process. We recommend completing a preliminary diagnostic report within 90 days.
  2. Establish a Foundational ESG Data Governance Framework: In line with the Information, Communication, and Reporting component of the COSO ERM framework, establish an internal data collection process covering Scope 1 and Scope 2 emissions and key social indicators to lay the groundwork for potential future third-party verification. This phase is recommended to be completed within 6 months, prioritizing the indicators most frequently requested by EU customers.
  3. Strengthen Board-Level Sustainability Risk Governance: Formally integrate CSRD supply chain risk into the board-level reporting mechanism of the Enterprise Risk Management (ERM) framework. Establish a regularly updated risk matrix to ensure that senior management has full situational awareness and a solid basis for decision-making regarding this strategic compliance risk.

Winners Consulting Services Co., Ltd. offers a free ERM framework diagnosis to help Taiwanese enterprises establish an ISO 31000-compliant management system within 7 to 12 months.

Frequently Asked Questions

Why should Taiwanese SMEs worry about ESG compliance if they are not directly within the scope of the EU's CSRD?
Taiwanese SMEs face substantial compliance pressure even if not directly regulated by the CSRD. The directive requires large EU companies to disclose ESG data across their entire value chain, including Scope 3 emissions from suppliers. When your EU customers must report this data, they will request it from you. Failure to provide it could jeopardize orders or lead to removal from their list of qualified suppliers. With the CSRD covering approximately 50,000 EU and 10,000 non-EU companies, Taiwanese export-oriented manufacturers should treat this as a high-priority risk over the next 2-3 years and conduct a supply chain compliance risk assessment based on the ISO 31000 framework.
What are the most common challenges for Taiwanese companies when implementing the ISO 31000 risk management framework for sustainability compliance risks?
When implementing ISO 31000, Taiwanese companies often face three key challenges regarding sustainability compliance. First, their risk identification processes fail to systematically incorporate external regulatory changes like the CSRD or Japan's SSBJ, leading to underestimated compliance risks. Second, risk assessments lack a quantitative basis, with risk matrix designs that do not effectively support board-level decision-making. Third, Key Risk Indicators (KRIs) are often disconnected from business processes. It is recommended that during the 'Context Establishment' phase of ISO 31000, companies align with the COSO ERM framework's external environment factors to clearly define the impact pathways of EU and Japanese regulations and establish trackable sustainability compliance KRIs.
How long does a full implementation of an ISO 31000 risk management framework take, and what are the key steps?
A full implementation of ISO 31000 typically takes 7 to 12 months, depending on the company's size and management maturity, and is conducted in three phases. Phase one (1-3 months) involves a current-state diagnosis and gap analysis against the ISO 31000 standard and COSO ERM framework. Phase two (3-6 months) focuses on framework design and tool implementation, including designing the risk matrix, defining KRIs, and integrating ESG risk assessment tools for CSRD supply chain pressures. Phase three (6-12 months) is for pilot testing and optimization, validating the framework's effectiveness in real business scenarios and establishing a regular risk reporting process for the board. Securing senior management commitment in the first phase significantly increases the overall success rate.
How many resources do Taiwanese SMEs need to establish an ESG data governance framework compliant with CSRD requirements, and what are the expected benefits?
The initial resource investment for a basic ESG data governance framework is often lower than anticipated for Taiwanese manufacturing SMEs with 100-500 employees. It is advisable to prioritize Scope 1 and Scope 2 emissions, energy consumption, and key occupational safety indicators, which can be established within six months primarily using internal staff with external consultant support. The benefits should be assessed across three time horizons: short-term (within 1 year) to maintain existing EU and Japanese customer relationships by providing necessary ESG data; medium-term (2-3 years) to improve conditions for market entry; and long-term (3-5 years) to convert ESG performance into a quantifiable risk management advantage under ISO 31000 principles, potentially lowering financing costs.
Why choose Winners Consulting Services for assistance with Enterprise Risk Management (ERM) issues?
Winners Consulting Services Co., Ltd. specializes in enterprise risk management, offering integrated services for implementing the ISO 31000 framework, establishing the COSO ERM architecture, and assessing sustainability compliance risks. Our consulting team closely tracks the latest international regulatory developments, including the EU's CSRD and Japan's SSBJ, while fully understanding the practical challenges Taiwanese SMEs face in supply chain structure, organizational culture, and resource constraints. Our complimentary ERM framework diagnosis helps companies identify high-priority compliance gaps within 90 days and provides an actionable risk management blueprint. We assist Taiwanese enterprises in building an ISO 31000-compliant management system within 7 to 12 months, ensuring the board and management have clear situational awareness and a solid basis for decision-making on CSRD supply chain risks and other key threats.
