
Insight: Implementation of the Corporate Sustainability Reporting Dir


About the Author and the Research

Theocharidis, Theodoros published this thesis on arXiv in 2025, employing Action Research methodology—a pragmatic approach that generates directly implementable solutions within the organizational context studied. The research combined semi-structured interviews with case company employees and systematic document analysis, focusing on a European company already considered mature in sustainability practices. This made the findings particularly striking: if even a sustainability-mature company has procurement blind spots regarding CSRD, the challenge for Taiwanese suppliers still building their ESG foundations is considerably more acute.

The study fills a meaningful gap in existing literature by centering specifically on the procurement function—a department that sits at the intersection of Scope 3 emissions data collection, supplier due diligence, and the Corporate Sustainability Due Diligence Directive (CSDDD) value chain requirements. For Taiwan's export-oriented manufacturers, this research provides a directly applicable framework for identifying where their supply chain risk exposure begins.

The Procurement Department Is the Weakest Link in CSRD Compliance

The core thesis is analytically clear: organizational sustainability maturity does not automatically translate into procurement-level CSRD readiness. The research identified three structural gaps, each with a corresponding development proposal.

Finding One: Procurement Employees Lack Specific CSRD Knowledge

Despite the case company's overall sustainability leadership, interviewed procurement employees demonstrated limited understanding of CSRD's specific disclosure requirements—including the Double Materiality principle, the European Sustainability Reporting Standards (ESRS) provisions relevant to supply chains, and the practical implications for their day-to-day sourcing decisions. The thesis proposes a dedicated CSRD training program for procurement staff, covering regulatory architecture, ESRS data interpretation, and the direct linkage between procurement choices and the company's GHG emissions reporting obligations. For Taiwanese companies facing similar gaps, this training imperative should be treated as an ERM control measure, not merely an HR development activity.

Finding Two: Supplier Onboarding Questionnaires Are Not CSRD-Aligned

The existing supplier onboarding questionnaire in the case company did not systematically capture the sustainability data required under CSRD—including supplier-level GHG emissions data, human rights due diligence status, and value chain risk information as required by the CSDDD. The thesis recommends redesigning the questionnaire to embed ESRS-relevant data fields into standard procurement workflows, alongside a tiered supplier risk assessment mechanism that applies more intensive due diligence to high-risk or high-emission suppliers. This directly mirrors the challenge facing Taiwanese companies that receive CSRD-aligned questionnaires from their European customers—they must simultaneously respond to incoming requests and cascade similar requirements to their own upstream suppliers.

Finding Three: A GHG Reduction Program Must Be Anchored in Procurement

Scope 3 Category 1 (Purchased Goods and Services) typically represents the largest and most difficult-to-quantify emissions source for manufacturing companies. The thesis argues that procurement departments hold the key lever through supplier selection criteria and contract design. By embedding emissions targets into supplier contracts, prioritizing low-carbon suppliers in sourcing decisions, and tracking reduction progress through the supplier relationship management process, procurement can shift from being a passive data collector to an active emissions reduction driver. For Taiwan's listed companies facing the Financial Supervisory Commission's requirement to set carbon reduction targets from 2025 onward under the "Listed Company Sustainable Development Action Plan (2023)," this procurement-anchored approach provides a concrete implementation pathway.

Implications for Taiwan Enterprise Risk Management (ERM) Practice

Translating Theocharidis (2025) into ISO 31000 and COSO ERM terms, the research surfaces three categories of risk that Taiwanese companies should formally register and monitor.

First, regulatory transmission risk: the European Sustainability Reporting Regulation framework creates cascading compliance obligations. Wave 1 EU companies (applicable from 2025) must collect ESRS-formatted data from their supply chains. Taiwanese suppliers that cannot provide compliant data face concrete commercial risk—vendor disqualification—not merely reputational risk. ISO 31000:2018 Clause 5.4.1 explicitly requires organizations to identify changes in the external regulatory environment as part of establishing risk context. CSRD's supply chain transmission effects should be listed in every Taiwanese manufacturer's risk register.

Second, data governance risk: if procurement employees cannot accurately identify which supplier information to collect, validate, or report, the enterprise's Scope 3 disclosure will contain material errors. Under COSO ERM 2017's "Performance" component, organizations are required to set quantifiable risk response metrics for priority risks. A KRI such as "Scope 3 Category 1 data coverage rate across strategic suppliers" provides exactly this kind of measurable governance signal.

Third, third-party assurance risk: as Japan's Financial Services Agency Working Group on sustainability disclosure and assurance standards progresses toward mandatory third-party assurance requirements, and as Taiwan's FSC deepens its disclosure expectations, procurement-sourced sustainability data that lacks proper collection and verification protocols will increasingly fail assurance review. Establishing internal controls over sustainability data—analogous to financial reporting internal controls—is now an ERM imperative, not an optional enhancement.

How Winners Consulting Services Helps Taiwanese Companies

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) assists Taiwanese companies in implementing ISO 31000 and COSO ERM frameworks, designing risk matrices and KRI systems, and strengthening board-level risk governance. Based on the gaps identified in Theocharidis (2025), we recommend the following action sequence:

  1. Procurement CSRD Capability Gap Assessment (Months 1–2): Benchmark the procurement department's current data collection processes, supplier questionnaire design, and staff knowledge levels against ESRS requirements (particularly E1 Climate, E2 Pollution, and S2 Value Chain Workers topics). Use the resulting gap matrix as the input for ISO 31000 risk identification and risk register population.
  2. Supplier Risk Tiering and KRI Design (Months 3–5): Classify suppliers into three risk tiers based on procurement volume, geographic risk, and industry profile. Design corresponding due diligence depth and data collection frequency for each tier. Establish KRIs (e.g., "High-risk supplier ESRS questionnaire completion rate," "Scope 3 Category 1 verified data coverage") integrated into the enterprise ERM dashboard for board-level monitoring.
  3. Procurement Training and Supplier Engagement Program (Months 6–9): Develop layered CSRD training for procurement managers and frontline buyers, covering regulatory architecture, ESRS data interpretation, and sustainable contract design. Launch a supplier sustainability capacity-building program targeting strategic suppliers, reducing upstream data gaps and overall supply chain compliance risk.

Winners Consulting Services Co. Ltd. offers a free ERM mechanism diagnostic, helping Taiwanese companies build an ISO 31000-compliant risk management system within 7 to 12 months, with CSRD procurement compliance risk systematically integrated into the governance architecture.


Frequently Asked Questions

Why does our procurement department specifically need to understand CSRD, rather than leaving this to the sustainability team?

Procurement departments are the primary collection point for Scope 3 Category 1 emissions data and the first line of supply chain due diligence. Theocharidis (2025) found that even in sustainability-mature companies, procurement employees lack specific knowledge of CSRD's data requirements—including ESRS E1 (climate), S2 (value chain workers), and G1 (governance) disclosure obligations. The sustainability team can set policy, but procurement operationalizes it through supplier selection, contract design, and questionnaire management. If procurement cannot collect, validate, and transmit ESRS-compliant data, the entire disclosure chain breaks down. Under ISO 31000:2018, this represents a control gap that must be formally recognized and remediated within the ERM framework.

What are the most common ERM challenges for Taiwanese listed companies implementing CSRD-aligned sustainability disclosure?

Three challenges dominate: First, cross-departmental data silos—sustainability reporting is typically led by the ESG team, but Scope 3 data resides in procurement, logistics, and production systems with no integration protocol. Second, supplier capability gaps—SME suppliers often cannot provide ESRS-format emissions data, creating systematic coverage gaps. Third, insufficient KRI design—most companies have not embedded CSRD compliance progress into their ISO 31000 risk registers, leaving boards without real-time monitoring capability. COSO ERM 2017's Performance component requires quantifiable response metrics for priority risks; designing KRIs such as "strategic supplier ESRS questionnaire completion rate" directly addresses this gap.

How does ISO 31000 provide a framework for managing CSRD procurement compliance risk?

ISO 31000:2018 Clause 5.4.1 requires organizations to establish external context by identifying relevant regulatory changes—CSRD and CSDDD supply chain obligations qualify as high-priority external regulatory risks. The practical implementation sequence is: Months 1–2, external context analysis and risk identification; Months 3–4, populate procurement supply chain risk register (GHG data gap risk, human rights due diligence gap risk); Months 5–6, design risk matrix and KRIs; Months 7–9, establish board-level monitoring and reporting cycle. COSO ERM 2017's Governance and Culture component further emphasizes that risk management culture must permeate frontline operations—procurement teams need to internalize compliance responsibility, not merely receive top-down policy mandates. Full mechanism implementation typically requires 7 to 12 months.

What resources are realistically required to update supplier onboarding questionnaires to CSRD standards?

For a mid-sized Taiwanese company with 100–500 suppliers, redesigning the supplier onboarding questionnaire to ESRS standards typically requires 2–3 months, involving legal, procurement, and sustainability team collaboration. Key inputs include ESRS clause interpretation (external consulting support recommended), questionnaire system integration into existing procurement management platforms, and supplier communication (tiered webinar rollout recommended). Target outcomes: achieving 80% or above ESRS data coverage among strategic suppliers within 12 months of implementation, reducing third-party assurance rejection rates, and demonstrating supply chain transparency to European customers—directly supporting retention of high-value export relationships.

Why should Taiwanese companies choose Winners Consulting Services for ERM-related issues?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) specializes in Enterprise Risk Management with deep implementation experience across ISO 31000 and COSO ERM frameworks, serving listed Taiwanese companies in manufacturing, technology, and financial services sectors. Our consultants combine international ERM certifications with practical ESG sustainability reporting expertise, enabling us to integrate CSRD procurement compliance risk, Scope 3 data governance, and supply chain due diligence into existing ISO 31000 risk management mechanisms—avoiding the common failure pattern where "ESG compliance" and "ERM architecture" operate in parallel without integration. We offer a free ERM mechanism diagnostic and support companies in building internationally compliant systems within 7 to 12 months, with ongoing board-level risk reporting support.
---

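積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) draws attention to an important finding of the research by Theocharidis (2025). Even in mature European companies, procurement departments markedly lack knowledge of and preparation for the specific requirements of the CSRD (Corporate Sustainability Reporting Directive), and this gap is the largest source of risk for Scope 3 emissions data quality and supply chain governance.

Paper source: Implementation of the Corporate Sustainability Reporting Directive: Examination of Changes Required in the Procurement Department (Theocharidis, Theodoros, arXiv, 2025)
Original link: https://core.ac.uk/download/657103659.pdf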
