
Insight: A Conceptual Framework for Measuring the Environmental, Soci


About the Authors and Research

Jon Øystein Rosland and Laurits Wolff-Skjelbred are researchers affiliated with Nordic academic institutions. Their study, published on the arXiv preprint platform, uses the Design Science Research (DSR) methodology. DSR is particularly suited to this type of inquiry because it requires researchers not only to construct conceptual frameworks but also to validate them against real-world contexts, in this case through five semi-structured interviews with practitioners operating across different digital service environments.

The study's distinctive value lies in addressing a domain consistently overlooked by mainstream ESG frameworks: the sustainability impact of digital services on SMEs. Major frameworks such as GRI, SASB, or the European Sustainability Reporting Standards (ESRS) are predominantly designed with large enterprises in mind, making them prohibitively complex and resource-intensive for SMEs. Rosland and Wolff-Skjelbred's research attempts to fill this methodological gap with a structured yet practical alternative.

A constructive note: the sample size of five interviews remains at the exploratory research level and does not yet support broad generalization. Taiwanese enterprises should treat this framework as a directional reference rather than a prescriptive standard, adapting it to local industry contexts, particularly the ODM/OEM manufacturing sector that dominates Taiwan's export economy.

Core Research Findings: A Tiered Digital ESG Framework That Addresses SME Reality

The central contribution of this research is a tiered ESG measurement framework purpose-built for SMEs, addressing the sustainability dimensions of digital services across environmental, social, and governance themes — an area insufficiently covered by the existing Corporate Sustainability Reporting Directive (CSRD) and the Voluntary SME Sustainability Reporting Standard (VSME).

Finding 1: Cloud Carbon Emissions and Digital Waste as Emerging ESG Blind Spots

The research identifies that traditional ESG frameworks, when measuring corporate carbon footprints, focus primarily on facility energy consumption and direct process emissions (Scope 1 and Scope 2), leaving the indirect emissions generated by cloud service adoption (Scope 3) without corresponding measurement indicators. For SMEs heavily dependent on SaaS platforms and cloud infrastructure, this is not merely a reporting gap but an active compliance risk — particularly as European clients increasingly require full Scope 3 data from their supply chain partners. The framework also designates hardware lifecycle-generated digital waste as a newly critical ESG indicator.

Finding 2: Cybersecurity Governance and Digital Workforce Well-being Enter the Governance and Social Dimensions

A significant innovation of this research is the formal integration of cybersecurity governance into the G (Governance) dimension of ESG, and the inclusion of digital worker psychological health and remote work well-being within the S (Social) dimension. This aligns with the growing emphasis within the European Sustainability Reporting Regulation on data governance and employee rights disclosure. For Taiwanese enterprises, this signals that ERM risk identification must expand its perimeter: cybersecurity risk is no longer solely a technical IT department matter but a board-level ESG materiality issue requiring governance-level oversight and reporting.

Finding 3: Tiered Adoption Structure Enables Gradual Compliance for SMEs

The framework's tiered structure represents its most practically valuable design feature. The first tier begins with input-based metrics — such as cloud service expenditure and hardware procurement volumes — that are readily available without additional data infrastructure investment. As organizational capacity grows, enterprises progressively transition to more advanced output and impact indicators. This graduated approach is highly consistent with ISO 31000's core principle of context-appropriate design and continuous improvement, and aligns with the 90-day framework establishment pathway that Winners Consulting Services recommends for Taiwanese SMEs.

Implications for Taiwan Enterprise Risk Management (ERM) Practice

The critical signal for Taiwanese enterprises is this: ESG impacts from digital services are rapidly transitioning from voluntary disclosure to mandatory supply chain requirements. It is estimated that by 2026, over 60% of Taiwanese IT suppliers and manufacturing exporters will face CSRD-related questionnaires from European clients, with the sections on digital service carbon emissions and cybersecurity governance being the ones where Taiwanese firms are most likely to have response gaps.

Analyzed through the COSO ERM framework, the digital service ESG risks identified in this research span at least three risk categories: (1) compliance risk: failure to meet European sustainability reporting requirements; (2) reputational risk: supply chain ESG audit failures leading to order losses; and (3) operational risk: business disruption caused by cybersecurity incidents. In current Taiwanese SME risk matrices, these three risk categories are frequently underestimated or managed in isolation, without integrated KRI (Key Risk Indicator) monitoring mechanisms.

ISO 31000:2018 Clause 6.3 explicitly requires that risk identification encompass changes in the "external context," including the evolution of the regulatory environment. The digital service ESG measurement gaps revealed by this research represent precisely the type of external context variable that Taiwanese enterprises most commonly overlook during ISO 31000 risk identification exercises. Enterprises are advised to proactively incorporate "digital service ESG compliance" as a distinct risk category during annual ERM risk inventories, with corresponding KRI monitoring indicators.

A practical caveat: this research framework was developed in a Nordic context, and there is a meaningful gap between this context and the industrial structure of Taiwanese SMEs — predominantly ODM/OEM manufacturers with varying degrees of service sector digitalization. In practice, Taiwanese enterprises should prioritize the two most immediately relevant indicators: Scope 3 emissions calculation for cloud procurement, and supplier cybersecurity governance assessment, rather than wholesale adoption of the complete framework.

How Winners Consulting Services Helps Taiwan Enterprises Build Digital ESG Risk Governance

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) assists Taiwanese enterprises in implementing ISO 31000 and COSO ERM frameworks, establishing risk matrices and KRI systems, and strengthening board-level risk governance capabilities. Based on the findings of this research, we recommend the following specific action steps:

  1. Complete a digital service ESG gap assessment within 90 days: Cross-reference the VSME basic module and the first tier of this research framework to inventory existing cloud service procurement records, hardware retirement policies, and cybersecurity governance documentation. Identify ESG reporting gaps and quantify a Scope 3 emissions baseline, establishing the first reliable data foundation for responding to European client questionnaires.
  2. Elevate cybersecurity risk to an ERM board-level governance issue: Following the COSO ERM framework's governance hierarchy design, assist enterprises in elevating cybersecurity governance from IT department operational management to board-level risk committee oversight. Design corresponding KRI indicators (such as security incident response time and third-party supplier security audit coverage rate), linking them to ESG G dimension disclosure requirements.
  3. Establish a tiered ESG data collection mechanism supporting gradual compliance: Drawing on the tiered structure principle of this research and applying ISO 31000's proportionality principle, design lightweight-to-comprehensive ESG data collection processes calibrated to enterprise size and European export market share. This avoids high one-time implementation costs while ensuring mechanisms remain operationally sustainable over the long term.

Winners Consulting Services Co. Ltd. offers a complimentary ERM mechanism diagnostic, assisting Taiwanese enterprises in establishing an ISO 31000-compliant management mechanism within 7 to 12 months, integrating digital service ESG risks into the overall risk governance framework.


Frequently Asked Questions

How can Taiwanese SMEs begin measuring Scope 3 carbon emissions from cloud services?
The first step is to inventory all cloud service contracts and expenditure records (SaaS, IaaS, PaaS) as the starting point for input-based metrics. Major cloud providers including AWS, Microsoft Azure, and Google Cloud all provide carbon footprint calculation tools, allowing enterprises to directly access platform-specific emission factor data. This research framework recommends beginning with this readily available data to establish a first Scope 3 emissions baseline report within 90 days, then progressively refining it toward formal disclosure compliant with GHG Protocol or ESRS E1 standards. Winners Consulting Services can assist enterprises in designing corresponding KRI monitoring indicators, integrating Scope 3 emissions management into the ISO 31000 risk identification framework.

What are the most common ESG compliance gaps when Taiwanese enterprises respond to European client CSRD questionnaires?
Based on practical observation, Taiwanese SMEs most frequently encounter three categories of gaps when responding to CSRD supply chain questionnaires: first, the absence of Scope 3 emissions calculation foundations covering cloud services, employee commuting, and business travel; second, incomplete cybersecurity governance documentation that cannot demonstrate process compliance with European standards; and third, the lack of quantitative employee well-being metrics such as remote work policies and mental health support measures. These three gap categories correspond precisely to the core indicators across E, G, and S dimensions within this research framework. Enterprises are advised to prioritize baseline data inventories in these three areas before proceeding to structured disclosure under the VSME basic module.

How does ISO 31000 help SMEs manage digital service ESG risks?
ISO 31000:2018 provides a highly flexible risk management framework whose core requirement is that "risk identification must encompass the organization's complete context," including changes in the external regulatory environment. The recommended implementation pathway is structured across three phases: Phase 1 (months 0-3) completes a current-state diagnostic identifying digital service ESG risk blind spots; Phase 2 (months 3-6) designs the risk matrix, integrating cloud carbon emissions, cybersecurity governance, and digital employee well-being into the COSO ERM five-component framework; Phase 3 (months 6-12) establishes KRI monitoring mechanisms with regular board-level risk reporting. Winners Consulting Services guides enterprises through this three-phase pathway to systematically build ERM mechanisms meeting ISO 31000 requirements.

What resources are required to implement a digital service ESG framework, and is it affordable for SMEs?
The tiered structure of this research was specifically designed to lower the implementation threshold for SMEs. The first-tier framework (input-based metrics) only requires enterprises to inventory existing procurement records and contract documents, without additional software system purchases, keeping initial resource investment within 8-16 internal person-hours per month. As framework maturity increases, the second and third tiers progressively introduce automated data collection tools. Compared to large enterprise ESG reporting system implementation costs that routinely reach millions of New Taiwan Dollars, SMEs adopting the graduated approach can typically contain first-year direct costs below NT$500,000, with investment pace flexibly adjusted according to the urgency of European client requirements.

Why choose Winners Consulting Services for Enterprise Risk Management (ERM) advisory?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) specializes in ERM and ESG governance for Taiwanese enterprises, maintaining cross-domain professional expertise spanning ISO 31000, COSO ERM frameworks, and EU CSRD/ESRS regulatory requirements simultaneously. Our consulting team has assisted Taiwanese enterprises across manufacturing, IT services, and financial sectors in completing ERM framework establishment, with an average engagement cycle of 7 to 12 months, integrating digital service ESG risks with traditional financial and operational risk management. We offer a complimentary ERM mechanism diagnostic service, helping enterprises identify gaps in existing risk management mechanisms within 90 days and develop specific priority improvement pathways — enabling enterprises to respond to supply chain ESG requirements with maximum resource efficiency.
---

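Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) regards a research paper published on arXiv in 2025 as a noteworthy contribution. The paper proposes the first tiered, practical framework for small and medium-sized enterprises (SMEs) to assess and report the environmental, social and governance (ESG) impacts of digital services, and it systematizes four emerging indicators: CO2 emissions from cloud services, digital waste, cybersecurity governance, and the well-being of digital workers. For Taiwanese IT suppliers and manufacturers that are under pressure to respond to the EU CSRD and VSME, it can be used directly as a practical reference model for achieving phased ESG disclosure with limited resources.

Paper source: A Conceptual Framework for Measuring the Environmental, Social and Governance (ESG) Impacts of Digital Services in Small and Medium-sized Enterprises (SMEs) (Rosland, Jon; Wolff-Skjelbred, Laurits; arXiv, 2025)
Original link: https://core.ac.uk/download/668940646.pdf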
