
Insight: Implementing Information Technology Risk Management: A Case Study in the African Airline Industry


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), a Taiwan specialist in Enterprise Risk Management (ERM), draws a lesson from a 2023 case study: an African airline that deployed the RITM 23 framework, which integrates ISO 31000, COSO ERM, and COBIT 5, built a complete IT risk governance environment from the ground up. The case illustrates two points: unmanaged IT threats in aviation can produce catastrophic outcomes, and a systematic, integrated framework gives an organization the means to identify, assess, and monitor those threats before they materialize. Taiwan enterprise executives should read it as a call to action.

Paper Citation: Hasnaa Berrada, Souhaïl El Ghazi El Houssaïni, and Jaouad Boutahar, "Implementing Information Technology Risk Management: A Case Study in the African Airline Industry", 2023 (indexed in OpenAlex under Enterprise Risk Management)
Original Paper: https://doi.org/10.56578/jote010105


About the Authors and This Research

Published in 2023 and indexed in OpenAlex under Enterprise Risk Management, this paper is co-authored by three researchers affiliated with Moroccan academic institutions: Hasnaa Berrada, Souhaïl El Ghazi El Houssaïni, and Jaouad Boutahar. El Ghazi El Houssaïni has an h-index of 1 with a cumulative citation count of 2, and this paper itself has been cited once to date, so its value lies in the implementation blueprint it documents rather than in an established citation record.

What distinguishes these authors is their focus on the gap between international standard frameworks and real-world organizational deployment. Rather than theorizing in isolation, they validated their methodology in commercial aviation, an industry where IT failures carry safety, operational, and financial consequences. The result functions both as an academic framework validation and as an operational implementation blueprint, which is what makes it transferable to enterprises in Asia-Pacific, including Taiwan.

RITM 23: A Three-Framework Integration That Closes the IT Risk Management Gap

The central contribution of this paper is the proposal and real-world validation of RITM 23, a methodological framework that merges three internationally recognized standards into a single, operable system: ISO 31000 (the international standard for risk management), COSO ERM (the integrated enterprise risk management framework), and COBIT 5 (ISACA's IT governance framework, since superseded by COBIT 2019; the paper's process mapping still applies, but new adopters should benchmark against the current edition). The research team applied this integrated framework within a live organizational context, an African commercial airline, and documented the outcomes at each implementation stage.

Key Finding 1: Framework Integration Eliminates Structural Blind Spots in IT Risk Management

Before RITM 23 was introduced, the airline's IT risk management was fragmented. ISO 31000 provided overarching risk management principles but lacked IT-specific operational depth. COBIT 5 addressed IT governance in technical detail but was not aligned with the organization's enterprise-wide risk strategy. COSO ERM emphasized board-level risk culture and governance architecture but offered insufficient technical guidance for IT risk identification and mitigation. RITM 23's contribution was to combine the strengths of all three frameworks across four sequential phases: project framing, data collection, ITRM system development, and communication and monitoring. This integration allowed the organization to address risk management at the governance, strategic, and operational levels at the same time, closing the structural blind spots that arise when each framework is used in isolation.

Key Finding 2: Systematic Deployment Produces a Complete, Operational ITRM Environment

The implementation of RITM 23 resulted in the establishment of a fully functioning IT Risk Management environment, encompassing standardized risk assessment templates, IT risk identification and quantification tools, a risk matrix design covering likelihood and impact dimensions, Key Risk Indicators (KRI) for ongoing monitoring, and formalized governance processes for escalation and decision-making. The researchers explicitly noted that unmanaged IT threats in the airline sector carry the potential for "catastrophic outcomes" — a finding that underscores not just the academic value of RITM 23, but its urgency as a practical governance imperative. Looking forward, the study identifies artificial intelligence as the natural next step in automating and streamlining ITRM processes, which requires a solid KRI data foundation to be effective.

What This Means for Enterprise Risk Management in Taiwan

Taiwan enterprises are accelerating digital transformation across manufacturing, finance, logistics, and services, and with that acceleration comes a rapidly expanding IT attack surface and a corresponding growth in IT risk. This research carries three direct implications for Taiwan ERM practitioners and board members.

First, the ISO 31000 integration imperative. ISO 31000 requires that risk management be integrated, systematic, and subject to continual improvement. Yet many of Taiwan's mid-to-large enterprises still operate IT risk management in reactive mode, responding to incidents rather than proactively identifying, assessing, and monitoring threats through a structured framework. The RITM 23 case demonstrates that systematic ISO 31000 implementation is not a luxury reserved for well-resourced Western multinationals; it is achievable even in resource-constrained emerging-market environments.

Second, the COSO ERM board governance gap. COSO ERM explicitly places risk oversight responsibility at the board and senior management level. Taiwan's Financial Supervisory Commission (FSC) has been strengthening corporate governance evaluation requirements, with increasing emphasis on information security risk governance. Enterprises that cannot demonstrate structured IT risk oversight at the board level face growing regulatory exposure and reputational risk.

Third, the AI readiness prerequisite. This paper's forward-looking conclusion — that AI will further automate ITRM processes — carries a hidden urgency: organizations that do not build their KRI monitoring infrastructure now will lack the data foundations required to leverage AI-powered risk management tools in the near future. The window to establish this foundation is now, not later.

How Winners Consulting Services Co. Ltd. Helps Taiwan Enterprises Build ERM and ITRM Capability

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides Taiwan enterprises with end-to-end support for ISO 31000 and COSO ERM framework implementation, risk matrix and KRI design, and board-level risk governance capacity building.

  1. IT Risk Current-State Diagnosis and Gap Analysis: Using ISO 31000 and COBIT 5 as benchmarks, Winners conducts a systematic assessment of your organization's existing IT risk identification, assessment, and response mechanisms. The output is a prioritized action list that gives executive leadership a complete picture within 30 days — covering risk matrix completeness, KRI monitoring gaps, and governance process deficiencies — so that remediation resources can be allocated with precision.
  2. Integrated ERM Framework Design and Deployment: Drawing directly on the RITM 23 implementation model validated in this research, Winners designs and deploys an integrated ERM system that aligns ISO 31000 principles, COSO ERM governance architecture, and IT-specific risk controls into a single, coherent operational framework. This includes risk assessment template design, governance workflow establishment, board reporting structure, and escalation protocols — all calibrated to your organization's size and industry context.
  3. KRI Development and AI Readiness Assessment: Winners establishes a quantifiable Key Risk Indicator monitoring system that creates the data infrastructure your organization will need to leverage AI-powered risk management automation in the future. Alongside KRI deployment, we implement a quarterly formal review cycle and annual framework effectiveness evaluation — ensuring that your ERM mechanism meets ISO 31000's continual improvement requirements and remains aligned with evolving regulatory expectations.

Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic, helping Taiwan enterprises establish an ISO 31000-compliant risk management system within 90 days.


Frequently Asked Questions

How should a Taiwan enterprise begin implementing an IT Risk Management (ITRM) system?
The most effective starting point is a structured current-state diagnosis benchmarked against ISO 31000 and COBIT 5. This means systematically mapping your existing IT risk identification, assessment, and response processes against international standards to identify gaps. The RITM 23 framework validated in this paper offers a clear four-phase roadmap: project framing, data collection, system development, and communication and monitoring. For most Taiwan enterprises, a realistic implementation timeline is: 30 days for diagnosis and gap analysis, 60 days for risk matrix design and KRI framework development, and 90 days for initial system deployment and board-level reporting integration. The critical mistake to avoid is waiting for a security incident to trigger action.
What compliance requirements should Taiwan enterprises consider when implementing ERM?
Taiwan's Financial Supervisory Commission (FSC) corporate governance evaluation framework increasingly requires listed companies to demonstrate structured risk management mechanisms, with specific emphasis on information security governance. The Securities and Futures Bureau has issued guidance on risk management disclosures, and the scope of required IT risk governance reporting continues to expand. Adopting ISO 31000 as the foundational ERM framework aligns with both international best practice and Taiwan's regulatory direction. COSO ERM's explicit emphasis on board-level risk oversight is particularly relevant given FSC's growing focus on director-level accountability for risk governance. We recommend enterprises first confirm sector-specific regulatory requirements before designing their framework architecture.
What is the difference between ISO 31000 and COSO ERM, and which should Taiwan enterprises use?
ISO 31000 is the International Organization for Standardization's risk management standard, providing principles, a framework, and a process that apply to organizations of any type and size. It emphasizes integration, a systematic process, and continual improvement as core requirements. COSO ERM, developed by the Committee of Sponsoring Organizations of the Treadway Commission, is an integrated enterprise risk management framework with particular emphasis on the connection between risk and organizational strategy, corporate culture, and board governance structure. The key insight from this paper's RITM 23 framework is that the two standards are not mutually exclusive; they are complementary. Taiwan enterprises are best served by using ISO 31000 as the foundational framework and layering COSO ERM's governance and strategy-alignment capabilities on top, supplemented by COBIT (COBIT 5 in the paper, COBIT 2019 in current practice) for IT-specific risk controls where relevant.
How long does it realistically take to build a complete ERM mechanism, and what resources are required?
Based on this paper's case study findings and Winners Consulting's implementation experience, an enterprise of moderate scale — typically under 500 employees — can establish an initial ERM mechanism within 90 days using a structured framework approach. The timeline breaks down as follows: Days 1–30 cover current-state diagnosis and gap analysis; Days 31–60 cover risk matrix design, KRI definition, and governance process establishment; Days 61–90 cover personnel training, system trial operation, and board-level presentation. Post-launch, a quarterly formal review cycle and an annual full framework effectiveness evaluation are required to maintain ISO 31000 continual improvement compliance. Resource requirements vary based on organizational scale and existing infrastructure — a free diagnostic consultation provides the most accurate estimate for your specific context.
Why should Taiwan enterprises choose Winners Consulting Services Co. Ltd. for ERM advisory?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting firms with integrated capability across ISO 31000, COSO ERM, and IT risk governance frameworks. Our value proposition goes beyond framework knowledge — we have deep practical experience translating international standards into operational mechanisms that actually work within Taiwan's unique business environment, regulatory landscape, and organizational culture constraints. Our service scope covers ERM current-state diagnostics, risk matrix and KRI system design, board-level risk governance training, and long-term mechanism maintenance advisory. We understand the resource and bandwidth realities facing Taiwan enterprise risk management teams, and we design solutions that are pragmatic, sustainable, and aligned with your specific board and management priorities. Choosing Winners means choosing a long-term implementation partner, not just a report deliverable.