
Insight: Roadmap and Information System to Implement Information Technology Risk Management


Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), highlights a critical gap that affects nearly every digitally transforming organization: while ISO 31000, COSO ERM, and COBIT 5 are widely recognized frameworks, none of them provides a complete, step-by-step roadmap for implementing Information Technology Risk Management (ITRM). A 2023 academic study now fills that gap — and its implications for Taiwanese enterprises managing IT risk within their ERM architecture are immediate and actionable.

Paper Citation: Roadmap and Information System to Implement Information Technology Risk Management (Hasnaa Berrada, Jaouad Boutahar, Souhaïl El Ghazi El Houssaïni, OpenAlex — Enterprise Risk Management, 2023)
Original Paper: https://doi.org/10.18280/ijsse.130602


About the Authors and This Research

This paper was co-authored by three researchers affiliated with Moroccan academic institutions, combining expertise in information systems, IT governance, and enterprise risk management. Hasnaa Berrada, the lead author, holds an h-index of 2 with 19 cumulative citations — a profile indicative of an emerging scholar gaining recognition in an interdisciplinary space. Her co-author, Jaouad Boutahar, brings substantially greater academic weight to the study: with an h-index of 8 and 235 cumulative citations, Boutahar is a well-established figure in IT governance and systems engineering within North African and Arabic-speaking academic communities. The third contributor, Souhaïl El Ghazi El Houssaïni, specializes in information security and IT governance applied research.

Since its publication in 2023, the paper has already been cited 3 times and is indexed under Enterprise Risk Management in OpenAlex. What distinguishes this research from typical academic surveys is its practical orientation: the authors do not merely compare existing frameworks but produce an actionable roadmap with clearly defined phases and expected deliverables. For enterprise risk managers, this is precisely the kind of research that bridges theory and practice.

Bridging Three Frameworks: The Core Research Problem and Its Solution

The research begins from an honest and important observation: organizations today depend heavily on information technologies, yet ITRM remains underserved compared to broader ERM disciplines. While ISO 31000 provides general risk management principles, COSO ERM addresses governance and strategic risk integration, and COBIT 5 offers IT-specific audit and governance guidance — none of the three provides a comprehensive, structured methodology for end-to-end ITRM implementation.

Key Finding One: A Structured Implementation Gap Across All Major Frameworks

Through systematic analysis of existing standards and frameworks, the researchers confirmed that COBIT 5 — the most IT-specific of the three — still lacks detailed, step-by-step implementation guidance. Organizations following COBIT 5 know what governance principles to apply, but are left without clarity on how to sequence actions, who is responsible at each stage, and what documents or outputs should be produced. The same limitation applies to ISO 31000 and COSO ERM when applied specifically to IT risk contexts. This gap is identified by the researchers as a primary reason why many organizations struggle to embed ITRM effectively into their enterprise-wide risk architecture.

Key Finding Two: An Integrated Roadmap With Defined Deliverables Solves the Problem

The paper's central contribution is a proposed roadmap that draws simultaneously on ISO 31000's process logic (context establishment → risk assessment → risk treatment → monitoring and review), COSO ERM's governance perspective, and COBIT 5's IT-specific controls. Crucially, the roadmap is designed around expected deliverables at each stage — not just principles or checklists. This means that a risk manager can follow the roadmap and know exactly what outputs to produce at each phase, making ITRM implementation both auditable and measurable. The researchers also identify Artificial Intelligence (AI) as a promising future enhancement to further automate and refine this roadmap, increasing both efficiency and strategic alignment.

What This Means for Enterprise Risk Management in Taiwan

For Taiwanese enterprises — particularly publicly listed companies navigating Corporate Governance Score (CGS) assessments, ESG disclosures, and increasing regulatory scrutiny — this research delivers three urgent messages.

First, IT risk cannot remain siloed in the IT department. The research makes explicit that ITRM must be integrated into the enterprise's overall ERM architecture. Many Taiwanese companies have adopted ISO 31000 at a general level but treat information technology risks as a separate technical concern. This approach leaves significant blind spots in the enterprise risk profile presented to boards and regulators.

Second, risk matrices and KRIs must be extended to cover IT-specific risks. Key Risk Indicators (KRIs) in most Taiwanese organizations focus on financial, legal, and market risks. The roadmap proposed in this research calls for dedicated IT risk identification, IT-specific KRI design, and IT risk heat maps that can be reviewed by board-level risk committees — not just IT security teams.

Third, board-level governance responsibility for ITRM is non-negotiable. COSO ERM places ultimate risk governance accountability at the board level. As Taiwan's Financial Supervisory Commission continues to raise ESG and risk disclosure standards, organizations that cannot demonstrate board oversight of IT risks face both compliance risk and reputational exposure.

How Winners Consulting Services Helps Taiwan Enterprises Implement ITRM

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) supports Taiwanese enterprises in implementing ISO 31000 and COSO ERM frameworks, designing risk matrices and Key Risk Indicators (KRIs), and strengthening board-level risk governance. Based on the findings of this 2023 research, we recommend three immediate actions for enterprise risk managers:

  1. Conduct an ITRM Gap Assessment: Benchmark your current IT risk management practices against ISO 31000, COSO ERM, and COBIT 5. Identify whether IT risks are formally documented in your enterprise Risk Register, whether IT-specific KRIs exist, and whether board committees receive regular IT risk reporting. This diagnostic typically takes 2 to 4 weeks and produces a prioritized action plan.
  2. Design IT-Specific Risk Matrices and KRIs: Extend your existing enterprise risk matrix to explicitly cover information technology risks — including cloud risk, third-party IT vendor risk, cybersecurity, and data governance. Design measurable KRIs for each IT risk category and establish threshold triggers for escalation to senior management and the board.
  3. Build an ITRM Roadmap With Defined Deliverables: Following the logic of this research, develop a phased ITRM implementation plan that clearly defines ownership, deliverables, and review milestones for each phase. Align this roadmap with your organization's existing ERM cycle and board reporting calendar to ensure strategic coherence and ongoing compliance.
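As an added illustration of actions 2 and 3 above (example code written for this page, not the paper's own method or Winners Consulting's tooling), the following Python script scores a constructed IT risk register on a 5×5 likelihood/impact matrix, places each risk in a heat-map band, checks its IT-specific KRIs against warning and critical thresholds, and decides whether the item stays with the risk owner or is escalated to senior management or the board risk committee. The band boundaries, KRI thresholds, escalation rule, and all sample risks are assumptions made for the example; an organization sets its own as part of risk-matrix design.

```python
"""Added example: IT risk register with heat-map scoring and KRI escalation.
All bands, thresholds and sample risks are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Heat-map bands over the likelihood x impact product (1..25). Constructed boundaries.
HEAT_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical")]


def heat_band(score: int) -> str:
    """Map a 1..25 risk score to its heat-map band."""
    for low, high, name in HEAT_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside the 1..25 matrix")


@dataclass
class KRI:
    """A measurable Key Risk Indicator with warning and critical thresholds."""
    name: str
    value: float
    warning: float
    critical: float

    def status(self) -> str:
        # Thresholds are upper bounds: the indicator worsens as its value rises.
        if self.value >= self.critical:
            return "critical"
        if self.value >= self.warning:
            return "warning"
        return "ok"


@dataclass
class ITRisk:
    risk_id: str
    category: str      # e.g. cloud, third-party vendor, cybersecurity, data governance
    description: str
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    owner: str
    kris: List[KRI] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject ratings outside the 5x5 matrix so a typo cannot silently distort the heat map.
        for label, v in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: {label} must be 1..5, got {v}")

    def score(self) -> int:
        return self.likelihood * self.impact

    def band(self) -> str:
        return heat_band(self.score())


def escalation_target(risk: ITRisk) -> str:
    """Constructed escalation rule: Critical band or any critical KRI goes to the
    board risk committee; High band or any warning KRI goes to senior management;
    everything else stays with the risk owner."""
    kri_states = {k.status() for k in risk.kris}
    if risk.band() == "Critical" or "critical" in kri_states:
        return "board risk committee"
    if risk.band() == "High" or "warning" in kri_states:
        return "senior management"
    return "risk owner"


def board_report(register: List[ITRisk]) -> List[Dict[str, object]]:
    """Summarise the register, highest score first, as rows for a board pack."""
    rows = []
    for r in sorted(register, key=lambda x: (-x.score(), x.risk_id)):
        rows.append({
            "risk_id": r.risk_id,
            "category": r.category,
            "score": r.score(),
            "band": r.band(),
            "kris_breached": [k.name for k in r.kris if k.status() != "ok"],
            "escalate_to": escalation_target(r),
            "owner": r.owner,
        })
    return rows


def sample_register() -> List[ITRisk]:
    """Constructed sample data: four IT risks with one KRI each."""
    return [
        ITRisk("R-001", "cloud", "Misconfigured cloud storage exposes data", 3, 5, "CIO",
               [KRI("critical cloud findings open > 30 days", 12, 5, 10)]),
        ITRisk("R-002", "third-party vendor", "Key SaaS vendor outage", 2, 4, "CPO",
               [KRI("% critical vendors without current assurance report", 15, 20, 40)]),
        ITRisk("R-003", "data governance", "Personal data kept beyond retention policy", 4, 5, "DPO",
               [KRI("datasets past retention (count)", 3, 5, 20)]),
        ITRisk("R-004", "cybersecurity", "Credential phishing of staff", 3, 3, "CISO",
               [KRI("phishing simulation click rate %", 7, 5, 10)]),
    ]


if __name__ == "__main__":
    for row in board_report(sample_register()):
        print(row)
```

Run as-is, the report lists R-003 (score 20, Critical) and R-001 (score 15, High, but with a KRI past its critical threshold) as board-level items, R-004 as a senior-management item because its phishing KRI is in the warning range, and R-002 as remaining with its owner. The point the roadmap makes is visible in the output: inherent score alone would have kept R-001 below board level, and it is the IT-specific KRI that triggers the escalation.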

Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic, helping Taiwanese enterprises establish an ISO 31000-aligned risk management system within 90 days.


Frequently Asked Questions

What is the difference between ITRM and ERM, and should they be managed separately?

ITRM should be integrated into ERM, not managed independently. This 2023 research explicitly identifies the separation of IT risk from enterprise-wide ERM as one of the most common and damaging organizational blind spots. ISO 31000 provides a universal risk management process applicable to all risk types, including IT. COSO ERM further emphasizes that risk governance is a board-level responsibility that spans all organizational domains. For Taiwanese enterprises, the practical recommendation is to include IT risks in the enterprise Risk Register, assign IT risk ownership to cross-functional leadership, and ensure board-level visibility through regular IT risk reporting.

What compliance challenges do Taiwanese companies face when implementing COBIT 5?

The most common challenge is the gap between framework comprehension and practical execution. COBIT 5 provides governance principles and audit criteria for IT management, but as this research demonstrates, it does not specify detailed implementation steps or define what deliverables should be produced at each stage. Taiwanese companies often find that after studying COBIT 5, they understand what good IT governance looks like in theory but still lack a clear implementation path. Winners Consulting recommends pairing COBIT 5 with ISO 31000's process framework and COSO ERM's governance lens to create an integrated, actionable methodology — which is precisely the approach proposed in this 2023 paper.

How do ISO 31000 and COSO ERM differ, and which should Taiwanese enterprises prioritize?

ISO 31000 is a globally applicable risk management standard published by the International Organization for Standardization, focused on providing a systematic and universal risk management process. COSO ERM, sponsored by the Committee of Sponsoring Organizations of the Treadway Commission, places greater emphasis on enterprise governance, strategic risk alignment, and internal control integration. The two frameworks are complementary rather than competing. This 2023 study integrates both — alongside COBIT 5 — to produce a more complete ITRM framework than any single standard could provide. For Taiwanese listed companies, we recommend using ISO 31000 to build the operational risk management process and COSO ERM to strengthen board governance and strategic risk oversight, with COBIT 5 specifically addressing IT risk controls.

How long does it realistically take to implement a complete ITRM mechanism, and what does the process look like?

Depending on enterprise size and existing risk management maturity, a complete ITRM implementation typically requires 3 to 6 months. Winners Consulting recommends a four-phase approach: Phase 1 (Month 1) — current state diagnostic and gap analysis against ISO 31000, COSO ERM, and COBIT 5; Phase 2 (Month 2) — design of risk matrices, IT-specific KRIs, and the ITRM roadmap; Phase 3 (Months 3–4) — systematic mechanism deployment and staff training; Phase 4 (Months 5–6) — pilot operation, performance review, and optimization. Organizations seeking an accelerated 90-day foundational build can apply for Winners Consulting's complimentary ERM Mechanism Diagnostic to receive a customized implementation roadmap.

Why should Taiwanese enterprises choose Winners Consulting Services for ERM and ITRM advisory?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of the few consulting firms in Taiwan with demonstrated expertise across ISO 31000 implementation, COSO ERM framework design, and IT risk governance advisory. Our consultants bring cross-industry ERM experience spanning manufacturing, financial services, technology, and listed company governance. We do not deliver off-the-shelf frameworks — every engagement is tailored to the enterprise's scale, industry context, and board governance requirements. From gap diagnosis and risk matrix design to KRI development and board risk reporting systems, Winners Consulting provides end-to-end advisory support, ensuring measurable improvements within 90 days and sustained compliance and governance quality over the long term.