Insight: Enterprise Risk Management Berdasarkan ISO 31000 Dalam Pengukuran Risiko Operasional pada Klinik Spesialis Esti (Enterprise Risk Management Based on ISO 31000 in Measuring Operational Risk at Esti Specialist Clinic)


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), highlights a 2022 empirical study showing how even a small medical clinic, working through the ISO 31000:2018 framework, can systematically identify 22 operational risks and use a 3×3 risk matrix to single out IT system failure as its highest-priority risk. For Taiwan's SMEs navigating digital transformation and tightening regulatory scrutiny, the implications are immediate and actionable.

Paper citation: Abelia Putri Aisyah and Lely Dahlia, "Enterprise Risk Management Berdasarkan ISO 31000 Dalam Pengukuran Risiko Operasional pada Klinik Spesialis Esti" (Enterprise Risk Management Based on ISO 31000 in Measuring Operational Risk at Esti Specialist Clinic), 2022; indexed in OpenAlex under Enterprise Risk Management.
Original Paper: https://doi.org/10.36406/jam.v19i02.483


About the Authors and This Research

This paper was co-authored by Abelia Putri Aisyah and Lely Dahlia, two Indonesian scholars whose work sits at the intersection of enterprise risk management theory and real-world organizational practice. Published in 2022 and indexed in OpenAlex's Enterprise Risk Management collection, the paper has accumulated 16 citations—a meaningful signal of scholarly influence for a practice-oriented study in this field.

Co-author Lely Dahlia brings the weightier academic profile: an h-index of 4 and 99 total citations place her among consistently productive researchers in Indonesian business and risk management academia. First author Abelia Putri Aisyah, with an h-index of 2 and 18 citations, contributes a focused expertise in the operational deployment of risk frameworks within healthcare settings.

What makes this research particularly credible is its methodology. Rather than proposing a theoretical model, the authors embedded themselves within Esti Specialist Clinic—conducting direct interviews, online interviews, and on-site observations—and walked ISO 31000:2018's full risk management cycle from start to finish within a live organizational context. This qualitative, fieldwork-grounded approach gives the findings a rare operational authenticity that purely quantitative or desk-based studies often lack.

How a 3×3 Risk Matrix and ISO 31000 Turned 22 Operational Risks Into a Prioritized Action Plan

The central contribution of this research is its demonstration of a complete ERM deployment cycle executed within a real organization. The authors applied the ISO 31000:2018 risk management process at Esti Specialist Clinic in sequence: risk identification, risk analysis (scoring each risk by likelihood and impact), risk evaluation (placing the scores on a 3×3 matrix and comparing them with the clinic's risk criteria), and risk treatment. Note that ISO 31000 groups identification, analysis and evaluation together under "risk assessment"; the clinic study walks all three sub-steps and then proceeds to treatment. This is not a partial implementation; it is a full-cycle case study that provides a replicable template for organizations of similar scale.

Key Finding 1: 22 Operational Risks Identified Across Two Stakeholder Groups

The research identified a total of 22 operational risks: 10 risks associated with physicians and 12 risks associated with operational employees. This two-track classification is itself a methodological insight. By organizing risk identification around "risk owners", the specific roles and people who bear each risk, the research makes it far less likely that a category of operational exposure is overlooked, because each role is asked about the failures it actually sees. Physician-side risks encompassed clinical process errors and incomplete patient information; employee-side risks included administrative errors, system operation mistakes, and service disruptions. This bifurcated structure provides a direct template for any organization seeking to build a comprehensive risk register that is ownership-mapped from day one.

Key Finding 2: IT System Failure Emerges as the Single Highest-Priority Risk

After applying the 3×3 risk matrix, with likelihood on one axis and impact severity on the other, the research concluded that computer system disturbances represent the clinic's highest-risk category, demanding immediate and sustained management attention. One practitioner's caveat: a 3×3 matrix yields only six distinct cell values (1, 2, 3, 4, 6 and 9), so several risks will tie and the ranking is ordinal, not a measure of expected loss. The matrix is the right tool for a first prioritization; the top item should then be validated with measured data rather than re-scored by opinion. This finding carries a universal message: in any organization that depends on digital infrastructure for core operations (patient management, billing, scheduling, supply chain coordination), IT system stability is not an IT department concern but a board-level ERM priority. For Taiwan's enterprises undergoing digital transformation, this finding is a direct call to elevate IT operational risk into the formal ERM framework and assign it a dedicated Key Risk Indicator (KRI) for ongoing monitoring.

What This Research Means for Enterprise Risk Management Practice in Taiwan

Taiwan's corporate risk management landscape is at an inflection point. The Financial Supervisory Commission (FSC) has progressively tightened requirements for risk governance disclosure among listed companies, and institutional investors increasingly scrutinize ERM maturity as a proxy for management quality. Against this backdrop, this 2022 study delivers three insights with direct relevance to Taiwan enterprises.

First, ISO 31000 is scalable—and Taiwan's SMEs should stop waiting to "get big enough" before implementing ERM. The subject of this research is a specialist clinic, not a multinational. ISO 31000:2018 is explicitly designed to be applicable across organizations of all sizes and sectors. The 3×3 risk matrix and risk owner assignment model demonstrated in this study require no large budget, no specialized software, and no complex organizational restructuring. They require commitment, methodology, and facilitated workshops—all of which are accessible to Taiwan's mid-market companies today.

Second, static risk matrices must evolve into dynamic KRI monitoring systems. This research demonstrates best-practice risk identification and assessment. The next step, one that Taiwan enterprises should prioritize, is converting a static risk snapshot into continuously monitored indicators: for each high-rated risk, pick a measurable leading or lagging metric (for IT system failure, for example, unplanned downtime hours per month or the count of incidents above a severity level), set a tolerance threshold derived from the organization's risk appetite, and define who is notified when the threshold is approached or crossed. The COSO ERM framework (2017) complements ISO 31000 precisely here: it introduces the concept of risk appetite, connects risk tolerance thresholds to strategic performance targets, and provides the governance architecture that supports board-level risk oversight. Together, ISO 31000's operational process and COSO ERM's strategic governance layer form a comprehensive ERM system that meets both practical and regulatory expectations.

Third, IT operational risk is systematically underweighted in Taiwan's SME risk registers. Just as this study found computer system failure to be the top-priority risk in a digitally dependent clinic, Taiwan's manufacturing firms, logistics companies, and service businesses face analogous exposures—ERP outages, cloud service interruptions, cybersecurity breaches, and supply chain platform failures. These risks deserve explicit representation in the risk matrix and dedicated KRIs, with clear escalation protocols to senior management and the board.
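The two techniques the article describes, scoring a role-mapped risk register on a 3×3 likelihood × impact matrix (Key Findings 1 and 2) and then watching the top risk through a KRI with a tolerance threshold (the second and third insights above), are small enough to show end to end. The following Python is an added example written for this page; it is not code from the cited paper or from Winners Consulting. The register entries, the banding of matrix cells into Low/Medium/High, the tie-break rule and the downtime series are all constructed assumptions, not the clinic's actual 22 risks or its criteria.

```python
"""Score a risk register on a 3x3 likelihood x impact matrix and check a KRI
against a tolerance threshold.

Added illustration for this article, not code from the cited paper or from
Winners Consulting. Register entries, rating bands and the KRI series are
constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SCALE = (1, 2, 3)  # 1 = low, 2 = medium, 3 = high on both axes


def rating(score: int) -> str:
    """Map a cell product (1, 2, 3, 4, 6 or 9) to a rating band.
    ISO 31000 leaves the criteria to the organisation; this banding is an assumption."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    rid: str
    description: str
    owner: str        # role that bears the risk, e.g. "physician" or "operational staff"
    likelihood: int   # 1..3
    impact: int       # 1..3

    def __post_init__(self) -> None:
        # Reject scores outside the matrix: a silent 0 or 4 would corrupt the ranking.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be in {SCALE}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def evaluate_register(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Return (rid, score, rating) sorted highest first.
    Tie-break on impact so that, between equal products, the more severe
    consequence ranks higher (an assumption; the matrix itself cannot separate them)."""
    ordered = sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)
    return [(r.rid, r.score, rating(r.score)) for r in ordered]


def top_risk(risks: List[Risk]) -> Risk:
    return max(risks, key=lambda r: (r.score, r.impact))


def owner_summary(risks: List[Risk]) -> Dict[str, Counter]:
    """Count rating bands per risk owner; shows where the High items concentrate."""
    summary: Dict[str, Counter] = {}
    for r in risks:
        summary.setdefault(r.owner, Counter())[rating(r.score)] += 1
    return summary


def check_kri(observations: List[float], tolerance: float,
              warn_ratio: float = 0.8) -> List[Tuple[int, float, str]]:
    """Flag each observation: 'red' at or above tolerance, 'amber' at or above
    warn_ratio * tolerance. Returns (index, value, colour) for amber/red only."""
    if tolerance <= 0 or not 0 < warn_ratio < 1:
        raise ValueError("tolerance must be positive and warn_ratio in (0, 1)")
    flags = []
    for i, v in enumerate(observations):
        if v >= tolerance:
            flags.append((i, v, "red"))
        elif v >= warn_ratio * tolerance:
            flags.append((i, v, "amber"))
    return flags


# Constructed sample register (assumption; not the paper's actual entries).
SAMPLE_REGISTER = [
    Risk("P1", "Incomplete patient history before consultation", "physician", 2, 2),
    Risk("P2", "Clinical process error", "physician", 1, 3),
    Risk("E1", "Administrative data entry error", "operational staff", 3, 1),
    Risk("E2", "Computer system disturbance / IT outage", "operational staff", 2, 3),
    Risk("E3", "Service disruption at reception", "operational staff", 2, 1),
]

# Constructed KRI series: unplanned IT downtime hours per month, tolerance 4 h.
SAMPLE_DOWNTIME = [1.0, 3.5, 2.0, 4.5]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
    print("Top risk:", top_risk(SAMPLE_REGISTER).description)
    print(owner_summary(SAMPLE_REGISTER))
    print(check_kri(SAMPLE_DOWNTIME, tolerance=4.0))
```

Two things the paragraph alone does not show: P2 and E1 both score 3, so the matrix cannot order them and an explicit tie-break rule is needed before the register is presented to management; and the KRI check raises an amber flag in month 2, one month before the tolerance is actually breached, which is the early-warning behaviour a static matrix can never give.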

How Winners Consulting Services Helps Taiwan Enterprises Move from Framework to Practice

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides end-to-end ERM consulting for Taiwan enterprises, spanning ISO 31000 implementation, COSO ERM framework design, risk matrix development, KRI system construction, and board-level risk governance capacity building. Our approach is grounded in the same principle that makes this research valuable: we complete the full cycle, not just the design phase.

  1. Layered Risk Identification Workshop: Build a Complete, Ownership-Mapped Risk Register. Modeled on this study's two-track approach, Winners facilitates structured workshops that identify risks by role and function—ensuring every risk has a named owner and no operational blind spot is left unmapped. Deliverable: a prioritized risk register ready for matrix evaluation, typically completed within 2 to 3 facilitated sessions.
  2. Risk Matrix Design and KRI System Development: From Snapshot to Continuous Monitoring. Winners designs risk matrices calibrated to your organization's scale and risk profile (3×3 or 5×5), and develops KRI sets for each high-priority risk—including IT system risk, supply chain risk, regulatory compliance risk, and key personnel risk. These KRIs are embedded into existing management reporting cycles so that ERM becomes part of how the business is run, not a separate compliance exercise.
  3. COSO ERM Integration and Board Reporting: Elevate Risk Governance to Strategic Advantage. For Taiwan's listed companies and their subsidiaries, Winners integrates COSO ERM's strategic governance layer with ISO 31000's operational process, building board-ready risk dashboards and disclosure-compliant risk reporting narratives. This positions ERM not as a cost center but as a demonstrable governance differentiator in investor and regulator communications.

Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic, helping Taiwan enterprises establish an ISO 31000-aligned risk management system within 90 days.


Frequently Asked Questions

What is the most practical first step for a Taiwan SME starting Enterprise Risk Management (ERM)?
The most practical first step is conducting a structured risk identification workshop—not selecting a framework or purchasing software. As demonstrated in this ISO 31000 study, risk identification organized by risk owner (who bears the risk) produces a more actionable and complete risk register than generic checklists. Convene cross-functional stakeholders, use facilitated interview and observation methods, and produce a risk list with named owners before moving to assessment. This foundation determines whether your entire ERM system will be operational or ornamental. Winners Consulting Services recommends 2 to 3 focused workshops as a starting point for most Taiwan SMEs.
What regulatory requirements do Taiwan listed companies face for risk management disclosure?
Taiwan's Financial Supervisory Commission (FSC) requires listed companies to disclose risk management policies, mechanisms, and material risk exposures in their annual reports. The Corporate Governance Blueprint further specifies that boards of directors bear supervisory responsibility for enterprise-wide risk management. ISO 31000:2018 is a guidelines standard, not a certifiable one, and adopting it is not mandatory; its principles nonetheless align directly with FSC expectations and with the international governance benchmarks used by institutional investors and credit rating agencies. Companies that implement ISO 31000-aligned ERM, and document it in board-level reporting structures aligned with COSO ERM, are significantly better positioned for regulatory scrutiny and investor confidence than those relying on informal or ad hoc risk management practices.
What is the difference between ISO 31000 and COSO ERM, and which should Taiwan enterprises use?
ISO 31000:2018 is an international standard providing principles, a framework, and a process for risk management. The process covers establishing scope and context; risk assessment (identification, analysis, and evaluation); risk treatment; monitoring and review; communication and consultation; and recording and reporting. It is designed to be sector-agnostic and scalable across organization sizes. COSO ERM (2017 version) is a governance framework that connects risk management to strategy and performance, introducing concepts like risk appetite, risk culture, and enterprise-level risk oversight by boards and senior management. The two frameworks are complementary, not competing. Winners Consulting Services recommends using ISO 31000 as your operational foundation, the "how to manage risks" layer, and COSO ERM as your governance architecture, the "how risk management connects to strategy and board oversight" layer. Together they provide comprehensive coverage of both operational practice and regulatory expectation.
How long does it take to build a functioning ERM system, and what are the key steps?
Based on Winners Consulting Services' implementation experience, a foundational ERM system typically requires 60 to 90 days to establish. The key steps are: Weeks 1–2: current-state diagnostic and ISO
