
Insight: Integrative Analysis of Risk Management Methodologies in Data Science Projects


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), highlights a critical finding from a landmark 2025 study: the single greatest cause of data science project failure is not technical inadequacy, but a structural gap in risk management frameworks — and closing that gap requires a hybrid approach that integrates ISO 31000, COSO ERM, and emerging ethical governance standards into a unified, multi-dimensional ERM architecture.

Paper Citation: Integrative Analysis of Risk Management Methodologies in Data Science Projects (Sabrina Delmondes da Costa Feitosa, arXiv — Enterprise Risk Management, 2025)
Original Paper: http://arxiv.org/abs/2512.02728v2


About the Author and This Research

This research was authored by Sabrina Delmondes da Costa Feitosa and published in 2025 on arXiv, the internationally recognized open-access preprint platform maintained by Cornell University. arXiv serves as the primary channel through which researchers across computer science, engineering, mathematics, and quantitative finance share frontier findings with the global academic and professional community before formal peer review. Its Enterprise Risk Management category has become an increasingly important destination for practitioners seeking to connect academic insights with real-world governance challenges.

Feitosa's methodological approach is rigorous and systematic. The study employs an integrative literature review conducted using indexed academic databases, combined with a structured selection protocol and content analysis framework. Rather than simply cataloguing existing frameworks, the research performs a genuine comparative analysis — examining where five major risk management standards and frameworks align, where they diverge, and, critically, where they collectively fail to address the risk landscape specific to data science environments.

The five frameworks examined span both traditional standards and emerging data-science-specific models: ISO 31000 (the international risk management standard), PMBOK Risk Management (the Project Management Body of Knowledge's risk chapter), NIST RMF (the National Institute of Standards and Technology's Risk Management Framework), CRISP-DM (Cross Industry Standard Process for Data Mining), and the newly proposed DS-EthiCo RMF, which explicitly incorporates ethical and sociotechnical dimensions into the data science project lifecycle. This cross-framework comparison is precisely the kind of analytical foundation that Taiwanese business executives need when making decisions about ERM infrastructure investment.

Why Traditional Risk Frameworks Are Failing Data Science Projects: Five Frameworks, One Structural Diagnosis

The research addresses a problem that has significant financial and strategic consequences: data science initiatives exhibit persistently high failure rates, and the root causes go far beyond technical constraints. Feitosa's integrative review identifies a constellation of organizational and governance factors — low data maturity, absence of structured governance, misalignment between technical and business teams, and the lack of mechanisms to address ethical and sociotechnical risks — as the primary drivers of project failure.

Core Finding One: Traditional Frameworks Provide Insufficient Coverage of Emerging Risks

ISO 31000, PMBOK Risk Management, and NIST RMF represent the three most widely adopted risk management standards globally. The research finds that while these frameworks offer robust process structures for risk identification, assessment, and response, they were not designed with data science workflows in mind. As a result, they provide limited — and in some cases virtually no — coverage of risks that are endemic to data-intensive projects: data quality failures, model bias and explainability gaps, data governance deficiencies, cross-functional misalignment between data scientists and business stakeholders, and the rapidly expanding category of ethical and sociotechnical risks associated with AI deployment. Organizations relying exclusively on these traditional standards to manage their data science risk exposure are operating with a fundamentally incomplete risk map.

Core Finding Two: Contemporary Models Propose Multi-Dimensional Governance Structures

In contrast, data-science-specific frameworks — particularly the recently proposed DS-EthiCo RMF — demonstrate significantly more sophisticated coverage of the risk dimensions that matter most in modern data environments. DS-EthiCo RMF is notable for being among the first frameworks to systematically integrate ethical oversight, governance accountability, and continuous monitoring mechanisms directly into the data science project lifecycle rather than treating them as external compliance considerations. CRISP-DM, while primarily a process methodology, similarly offers workflow-aligned risk touchpoints that traditional standards lack. The research characterizes these contemporary models as providing "multidimensional structures capable of integrating ethical oversight, governance, and continuous monitoring" — a formulation that should resonate directly with Taiwanese corporate boards grappling with AI governance obligations.

Core Finding Three: The Gaps Point Toward Hybrid Framework Design

Perhaps the most actionable insight from Feitosa's research is the explicit identification of research and practice gaps that point toward hybrid framework design as the optimal path forward. No single existing framework — whether traditional or contemporary — provides complete coverage of the risk landscape for data science projects. Traditional frameworks offer process rigor and organizational scalability; contemporary frameworks offer ethical and technical depth. The research argues that "theoretical support for the development of hybrid frameworks that balance technical efficiency, organizational alignment, and responsible data practices" represents the most important contribution the field can make at this moment. For Taiwanese enterprises, this finding has direct implications for how ERM systems should be architected when data and AI initiatives are in scope.

What This Means for Enterprise Risk Management in Taiwan

Taiwan's corporate sector is at an inflection point. The simultaneous pressures of digital transformation acceleration, AI adoption, and increasingly stringent regulatory expectations around data governance are creating a new risk environment that existing ERM frameworks — many of which were designed before the era of large-scale machine learning — are not fully equipped to address. Feitosa's research provides the academic foundation for a conversation that Taiwan's boards and C-suite executives need to be having right now.

ISO 31000 remains essential, but must be extended. The 2018 revision of ISO 31000 provides a principles-based framework for integrating risk management into organizational decision-making and establishing a governance structure for risk oversight. For Taiwanese enterprises, ISO 31000 compliance represents the baseline — but the research makes clear that baseline compliance is insufficient when data science initiatives are involved. Executives should ensure that their ISO 31000 implementation explicitly addresses data asset risks, AI model governance, and the organizational dynamics that drive technical-business misalignment.

COSO ERM's governance strengths need to be complemented with data ethics dimensions. The COSO Enterprise Risk Management Framework (2017 revision) excels at connecting risk management to strategic planning and board-level governance — making it particularly relevant for Taiwanese listed companies with disclosure and governance obligations. However, COSO ERM's traditional application typically focuses on financial, operational, compliance, and strategic risk categories. The ethical and sociotechnical risk dimensions identified by Feitosa's research represent an important expansion that Taiwanese boards should explicitly incorporate into their COSO ERM implementations, supported by KRI (Key Risk Indicator) dashboards designed for AI and data-intensive risk monitoring.

Risk matrices must evolve to reflect multi-dimensional data science risk. The conventional risk matrix — plotting likelihood against impact — remains a useful tool, but it is insufficient for data science environments. Enterprises deploying AI and analytics capabilities should design multi-dimensional risk matrices that explicitly incorporate data quality risk, model bias risk, ethical compliance risk, and governance gap risk as distinct analytical dimensions. Corresponding KRIs should be established for each dimension to enable real-time monitoring at the management and board level.

How Winners Consulting Services Helps Taiwanese Enterprises Build Modern ERM Systems

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) specializes in helping Taiwanese enterprises implement ISO 31000 and COSO ERM frameworks, design multi-dimensional risk matrices with actionable KRI systems, and build board-level risk governance capabilities that are fit for the digital age. Our approach directly addresses the structural gaps identified in Feitosa's 2025 research.

  1. Conduct a Comprehensive ERM Gap Analysis: Systematically benchmark your existing risk management mechanisms against ISO 31000 principles and COSO ERM requirements, with specific attention to emerging risk categories including data governance, AI model risk, ethical compliance, and cross-functional alignment gaps. This diagnostic produces a prioritized roadmap for ERM system upgrades grounded in both international standards and the latest academic evidence.
  2. Design a Hybrid Risk Matrix and KRI Measurement Architecture: Working from the hybrid framework principles identified in Feitosa's research, we design multi-dimensional risk matrices that integrate traditional risk categories with data-science-specific risk dimensions. We then build KRI dashboards that give your board and senior management real-time visibility into data quality, model performance, ethical compliance, and governance health metrics — creating an ERM monitoring infrastructure that is genuinely fit for purpose in a data-intensive operating environment.
  3. Establish Cross-Functional Risk Governance Protocols: Directly addressing the technical-business misalignment risk identified as a primary driver of data science project failure, we help enterprises design cross-departmental risk communication structures and governance workflows. These protocols clarify risk ownership, establish escalation paths, and ensure that data science project risk management is fully integrated into the enterprise-wide ERM architecture — achievable within a 90-day implementation timeline.

Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic to help Taiwanese enterprises identify their ISO 31000 compliance gaps and data science risk coverage deficiencies — and build a credible upgrade roadmap within 90 days.


Frequently Asked Questions

Where should a company start when integrating ERM into data science project management?

The most effective starting point is a structured Gap Analysis against ISO 31000. Begin by mapping your current risk management processes against the ISO 31000 principles and framework components; then overlay a data-science-specific risk inventory that captures data quality, model governance, ethical compliance, and team alignment risks. Feitosa's 2025 research confirms that traditional frameworks systematically undercover these dimensions, which means most organizations will discover meaningful gaps at this diagnostic stage. The output of the Gap Analysis becomes the foundation for a targeted ERM upgrade plan. Winners Consulting Services provides this diagnostic at no cost as the entry point for our ERM advisory engagement.

What compliance challenges do Taiwanese companies most commonly face when implementing ISO 31000?

The three most common challenges are: first, treating ISO 31000 as a documentation exercise rather than an operational integration — producing risk registers and framework documents that do not actually influence management decisions; second, defining risk scope too narrowly, particularly failing to include data governance, AI application risks, and digital supply chain vulnerabilities as explicit risk categories; and third, failing to establish a sustainable review cadence that keeps KRI thresholds and risk assessments current. ISO 31000:2018 requires risk management to be "continual,
