About the Author and This Research
Mattia Colombo is an emerging academic researcher with an h-index of 3 and 15 cumulative citations. Although he is still developing his academic profile, the methodological rigor of this thesis distinguishes it as a practically valuable resource: Colombo conducted a systematic literature review combined with a multiple case study design, including field interviews held directly with sustainability and finance teams at four of Italy's largest publicly listed enterprises. All four companies (Pirelli, Eni, Prysmian, and Fincantieri) belong to CSRD "Wave 1," defined as companies previously subject to the Non-Financial Reporting Directive (NFRD) that must report under the European Sustainability Reporting Standards (ESRS) for the first time in 2025.
The research identifies five challenge categories derived from literature: Double Materiality and Value Chains, Organizational Impact of CSRD, Transparency and Greenwashing, Data Management and Assurance, and Scope 3 Emissions. It then tests whether real-world corporate experience confirms these challenges. The study represents Phase 1 of a broader longitudinal research program, making it an early but significant empirical contribution to CSRD impact assessment.
Core Findings: What Four Italian Giants Actually Did Under CSRD Pressure
The study's most important contribution is its documentation of concrete corporate responses—not theoretical recommendations, but actual decisions made by large enterprises under regulatory pressure. All five literature-identified challenges were confirmed in practice, with one notable exception: third-party assurance was already standard practice for these large Italian companies prior to CSRD, making it a non-incremental burden.
Finding 1: Sustainability-Finance Integration Emerged as the Universal Response
All four companies significantly deepened collaboration between their Sustainability and Finance functions. This structural shift reflects CSRD's fundamental innovation: sustainability information is no longer soft narrative but hard data subject to the same verification standards as financial reporting. Under ISO 31000's risk management framework, this corresponds to the principle that risk identification and assessment must be integrated across organizational functions rather than siloed within individual departments. The COSO ERM 2017 framework's "Governance and Culture" component similarly emphasizes that risk oversight must operate across all organizational layers. Taiwanese companies still managing ESG reporting through isolated CSR departments must restructure before CSRD compliance pressure reaches their supply chain relationships.
Finding 2: Scope 3 Emissions Presented the Highest Technical Complexity
Scope 3 greenhouse gas emission calculation was unanimously identified as the single most technically challenging aspect of CSRD implementation. The core problem: enterprises cannot directly control data quality from suppliers, and reliability deteriorates at each tier of the supply chain. All four companies launched digital data collection projects targeting supply chain partners, implementing automated reporting tools to improve consistency. For Taiwanese enterprises—central nodes in global electronics, semiconductor, and machinery supply chains—this finding carries immediate operational significance. European brand clients reporting under CSRD will require Taiwanese suppliers to provide Scope 3 emissions data, potentially as a contractual condition rather than a voluntary disclosure.
Finding 3: Internal Control Strengthening Was the Primary Defense Against Greenwashing Risk
The ESRS framework's verifiability requirements pushed all four companies to establish more robust ESG internal control processes. This included data validation checkpoints, cross-referencing mechanisms, and bringing ESG information within the same internal audit scope as financial data. Under the COSO ERM framework, this corresponds to systematic upgrades of the "Control Activities" and "Information and Communication" components—not ad-hoc fixes but structural enhancements to governance infrastructure.
Finding 4: Stakeholder Engagement Processes Underwent Structural Transformation
CSRD's Double Materiality principle requires companies to incorporate stakeholder perspectives when determining which issues are material. All four companies evolved their stakeholder engagement from investor-relations-dominated unidirectional communication to multi-directional dialogue encompassing employees, communities, suppliers, and regulators. ISO 31000's "Communication and Consultation" principle directly supports this shift, reinforcing that risk governance cannot remain confined to boardroom discussions but must extend throughout daily operations.
Implications for Taiwan Enterprise Risk Management (ERM) Practice
The Italian experience provides four actionable implications for Taiwanese enterprise risk managers working within ISO 31000 and COSO ERM frameworks.
First: CSRD compliance risk must be explicitly incorporated into ERM risk registers. Under ISO 31000's risk identification requirements, all sources of uncertainty affecting organizational objectives must be documented. CSRD compliance pressure—including supply chain data gaps, elevated assurance standards, and evolving client requirements—constitutes material business risk that requires formal KRI design and monitoring. Current Taiwanese ERM frameworks typically treat ESG as a parallel track, separated from financial and operational risk management, which directly contradicts the Italian research findings.
Second: The COSO ERM "Strategy and Objective-Setting" component requires recalibration. The 2017 COSO ERM framework positions "Strategy and Objective-Setting" as foundational, requiring that risk appetite align with strategic direction. The Italian study demonstrates that CSRD compliance is a strategic positioning decision—not merely a compliance exercise. Boards must engage with questions such as: Which suppliers are worth investing in for ESG capability development? Which business lines carry unquantifiable Scope 3 exposure? These decisions have direct competitive implications and must be addressed at the governance level.
Third: A cross-functional ESG data governance mechanism must be established within 12 months. The universal organizational response observed in Italian Wave 1 companies—strengthening Sustainability-Finance collaboration—provides a clear template. Taiwanese companies should establish a standing cross-functional ESG Data Committee with CFO and Chief Sustainability Officer co-sponsorship, define Data Quality Standards, and create review cycles that bring ESG information reliability to parity with financial data.
Fourth: Risk matrices must incorporate supply chain ESG dimensions. The Scope 3 data challenge maps directly to risk matrix design requirements. Low supplier ESG data reliability should be rated as high probability; if those suppliers are primary data sources for client CSRD compliance, impact severity is also high. Taiwanese enterprises should add a "Supply Chain ESG Compliance" dimension to existing risk matrices and design KRIs such as "percentage of Tier 1 suppliers with completed ESG data submissions" and "Scope 3 data verification pass rate."
How Winners Consulting Services Co. Ltd. Translates Italian Evidence into Executable ERM Action
積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) helps Taiwanese enterprises implement ISO 31000 and COSO ERM frameworks, build risk matrices and KRI systems, and strengthen board-level risk governance capabilities. Based on the core findings of this Italian research, we recommend the following phased action plan:
- Months 1–3: ERM Gap Diagnosis and CSRD Risk Assessment. Conduct a systematic gap analysis against ISO 31000 requirements, specifically examining whether existing risk registers cover supply chain ESG data risks, whether KRI design reflects Double Materiality assessment outcomes, and whether board risk governance reports include ESG compliance indicators. Output: an ESG Risk Gap Report serving as the baseline for subsequent mechanism design.
- Months 4–7: Cross-Functional ESG Data Governance Design and Pilot. Modeled on the Italian Wave 1 "Sustainability-Finance collaboration" pattern, establish a standing cross-functional ESG Data Committee. Design supplier ESG data reporting standards, implement digital collection tools (prioritizing the top 20 high-risk suppliers for piloting), and design ESG information verification processes within the COSO ERM "Control Activities" framework.
- Months 8–12: KRI Monitoring System Launch and Board Governance Integration. Formally integrate designed ESG risk KRIs into the corporate risk monitoring dashboard and establish quarterly board reporting mechanisms. KRIs should include quantitative indicators such as supplier ESG data submission completion rates, Scope 3 data verification pass rates, and number of material findings from ESG internal audits.
Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic, helping Taiwanese enterprises establish ISO 31000-compliant risk management mechanisms within 7 to 12 months, using Italian Wave 1 enterprise frameworks as reference points and tailoring solutions to Taiwan's specific corporate scale and regulatory context.
Frequently Asked Questions
- How does the Italian CSRD research directly apply to Taiwanese electronics supply chain companies?
- Taiwanese electronics and semiconductor suppliers face a more immediate version of the Scope 3 challenge documented in the Italian study. When Pirelli or Eni must calculate Scope 3 emissions, their Taiwanese suppliers become data sources—meaning client contracts may soon require ESG data submissions as standard procurement conditions rather than voluntary disclosures. Taiwanese companies should immediately map which of their top 20 European clients are Wave 1 or Wave 2 CSRD reporters, assess what Scope 3 data those clients will require, and build supply chain ESG data infrastructure accordingly. Under ISO 31000, this risk should be formally registered and monitored through KRIs measuring client CSRD readiness and data request frequency.
- What is the most common obstacle Taiwanese companies face when implementing ISO 31000 to address CSRD compliance risk?
- The most prevalent obstacle is organizational siloing: ESG reporting is managed by a standalone CSR team with minimal integration with Finance, Risk, and Legal functions. The Italian research conclusively demonstrates that all four successful CSRD-adapting companies first dismantled this barrier. ISO 31000 Clause 5.4 (Organizational Context) requires risk management to be embedded across all organizational levels and decision-making processes—directly mandating cross-functional integration. COSO ERM 2017's "Governance and Culture" component further specifies that risk culture must flow from board level down to daily operations. Taiwanese companies should form a cross-functional ESG governance committee with CFO and CSO co-sponsorship within 90 days of initiating their ERM enhancement program.
- What are ISO 31000's core requirements and how should Taiwanese companies phase implementation?
- ISO 31000:2018 operates through five integrated elements: Framework establishment, Principles articulation, Risk Assessment Process (comprising identification, analysis, and evaluation), Risk Treatment, and Monitoring and Review. For Taiwanese companies addressing CSRD-related ERM gaps, we recommend: Months 1–3: current state diagnosis and ESG risk gap identification; Months 4–6: risk register reconstruction incorporating CSRD risks and Double Materiality assessment design; Months 7–9: KRI system design covering supply chain ESG data metrics; Months 10–12: board governance integration ensuring ESG risks appear in regular board risk reporting. The complete implementation cycle is 12 months, aligned with annual ESG reporting preparation cycles.
- What resources are required to implement a CSRD-aligned ERM mechanism, and how can expected benefits be quantified?
- The European Commission's CSRD impact assessment estimates one-time compliance costs for large enterprises at €200,000 to €1,000,000, varying by company size and existing mechanism maturity. However, research on ESG-mature enterprises indicates 30% to 50% human resource savings during CSRD report preparation cycles—meaning early ERM-ESG integration investment yields compounding returns in subsequent compliance years. Quantifiable benefit dimensions include: reduced financial restatement risk from ESG data errors, enhanced supply chain negotiating position (using ESG data quality as a contract differentiator), and reduced legal liability from greenwashing allegations. Companies should calculate ROI using "avoided compliance penalty costs" as the primary KPI, supplemented by "reduced hours per ESG reporting cycle" as an operational efficiency metric.
- Why should Taiwanese enterprises choose Winners Consulting Services Co. Ltd. for ERM advisory services?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers three differentiated advantages for ERM advisory in Taiwan. First, cross-framework integration capability: Winners holds practical implementation expertise in both ISO 31000 and COSO ERM, enabling enterprises to build risk management architectures compliant with multiple international standards simultaneously rather than optimizing for a single framework. Second, deep ESG-ERM integration expertise: Winners continuously tracks CSRD, ESRS, and related EU sustainability regulations, translating abstract regulatory requirements into concrete risk matrix designs, KRI systems, and supply chain ESG data governance solutions. Third, outcome-oriented consulting: Winners delivers executable mechanism-building services rather than advisory reports—every recommendation includes a defined implementation timeline (7 to 12 months) and quantifiable performance indicators ensuring investment produces tangible risk governance improvements.
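積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) brings Taiwanese enterprises the key insights revealed by this 2024 Italian study: the four CSRD (Corporate Sustainability Reporting Directive) Wave 1 companies, Pirelli, Eni, Prysmian, and Fincantieri, responded to regulatory pressure not by merely updating their reports but by fundamentally restructuring organizational governance, data management, and supply chain management. For Taiwanese enterprises deeply embedded in global supply chains, this empirical finding is concrete evidence of the urgency of strengthening ISO 31000 and COSO ERM frameworks.
Paper source: Assessing the impact of the CSRD: insights from four large Italian companies (COLOMBO, MATTIA, arXiv, 2024)
Original link: https://core.ac.uk/download/650089475.pdf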