Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's leading expert in Enterprise Risk Management (ERM), highlights a critical warning from the latest 2025 academic research: any risk management framework optimized solely for a single extreme scenario is structurally fragile—and will likely fail when confronted with risks of different magnitudes. A groundbreaking study published in the Journal of Flood Risk Management demonstrates that multi-scenario composite optimization can improve key risk performance metrics by up to 73%, delivering a paradigm shift that carries profound implications for how Taiwan enterprises design their ERM frameworks under ISO 31000 and COSO ERM.
Paper Citation: Robust blue-green urban flood risk management optimised with a genetic algorithm for multiple rainstorm return periods (Asid Ur Rehman, Vassilis Glenis, Elizabeth Lewis, Journal of Flood Risk Management, 2025)
Original Paper: https://doi.org/10.1111/jfr3.70118
About the Authors and This Research
This paper is co-authored by three researchers with strong ties to leading UK academic institutions in climate resilience and urban risk management. The lead author, Asid Ur Rehman, is an emerging scholar in the field of urban flood risk and climate adaptation, with an h-index of 1 and 4 cumulative citations. While still in the early stages of his academic career, Rehman's methodological innovation—particularly his pioneering use of direct damage cost (DDC) and expected annual damage (EAD) as optimization objective functions—has already attracted peer recognition and generated 2 citations for this specific paper since its 2025 publication.
Co-authors Vassilis Glenis and Elizabeth Lewis bring substantial depth to the research. Both have extensive experience in hydrodynamic simulation, urban infrastructure risk, and climate adaptation, with strong reputations in European academic circles focused on flood risk management and climate-resilient city design. Their collaboration ensures that the theoretical rigor of the research is grounded in practical, policy-relevant applications.
The study's methodological core—coupling the Non-dominated Sorting Genetic Algorithm II (NSGA-II) with a fully distributed hydrodynamic flood model across five distinct rainstorm return periods (T = 10, 20, 30, 50, and 100 years)—represents a significant advance over existing single-period optimization approaches. For ERM practitioners, the conceptual translation is immediate and powerful: designing a risk response framework around only one scenario benchmark leaves the organization exposed to the full range of risks it did not model.
The Fatal Flaw of Single-Scenario Optimization: Why Multi-Scenario Resilience Is the Only Robust Answer
The paper's central finding strikes at the heart of a deeply entrenched assumption in both engineering design and enterprise risk management: that optimizing for the worst-case scenario is sufficient to ensure resilience across all risk magnitudes. The research results decisively refute this assumption with quantitative evidence across multiple performance metrics.
Core Finding 1: A 100-Year Return Period Design Fails Dramatically Under Shorter Return Period Conditions
When the researchers tested Blue-Green Infrastructure (BGI) designs optimized exclusively for the 100-year rainstorm return period against scenarios with shorter return periods (10, 20, and 30 years), the performance degradation was substantial. This means that a system designed to handle the most severe, rarest flood event performs poorly when confronted with more frequent, moderate-intensity flood events. In ERM terms, this is the classic "tail risk tunnel vision" problem: organizations that focus all their risk mitigation resources on the most extreme scenarios may find themselves functionally unprepared for the moderate-severity, high-frequency events that actually drive most of their annual loss experience.
Core Finding 2: Composite Multi-Period Optimization Improves Performance by Up to 73%
The paper's proposed innovation—a BGI design framework simultaneously optimized across all five return periods using a multi-objective genetic algorithm—delivers dramatic improvements in three key performance metrics. The Median Risk Difference (MedRD) improved by 22% for the 20-year return period scenario. The Area Under Pareto Front (AUPF), a measure of overall optimization quality, improved by a remarkable 73% for the 20-year return period scenario. The Maximum Risk Difference (MaxRD) improved by 23% for the 50-year return period scenario. Furthermore, the researchers conducted climate uplift stress testing to validate that the composite-optimized design remains robust under future intensified rainfall conditions driven by climate change. These results provide a compelling quantitative case for what ISO 31000 has long advocated: risk management frameworks must be iterative, adaptive, and capable of addressing a full spectrum of risk scenarios rather than a single design-basis event.
What This Means for Taiwan Enterprise Risk Management (ERM) Practice
The implications of this research extend far beyond flood risk engineering. The core methodological insight—that single-scenario optimization produces brittle risk management systems, while multi-scenario composite optimization produces genuinely resilient ones—is directly applicable to how Taiwan enterprises design and operate their ERM frameworks under ISO 31000 and COSO ERM.
Under ISO 31000:2018, the risk management framework is explicitly required to be iterative and dynamic, capable of responding to risk events across a range of magnitudes and frequencies. The standard's risk assessment process calls for scenario analysis that captures how organizational risk exposures vary under different conditions—not merely under a single worst-case assumption. Yet in practice, many Taiwan enterprises build risk matrices anchored to a single "maximum credible scenario," leaving entire bands of the risk spectrum without adequate KRI monitoring or response protocols.
The COSO ERM 2017 framework goes further, requiring organizations to integrate risk appetite and risk tolerance calibration with strategic planning across multiple performance scenarios. COSO ERM's emphasis on "Strategy and Performance" explicitly recognizes that risk tolerance boundaries must be defined for various scenario magnitudes, not just the most extreme. When organizations set a single risk appetite statement anchored to their worst-case scenario, they implicitly accept unlimited exposure to all scenarios below that threshold—a dangerous design flaw analogous to the single-period optimization problem identified in this research.
For Taiwan enterprises, three specific risk domains warrant immediate multi-scenario design review. First, supply chain resilience frameworks in Taiwan's manufacturing sector are frequently designed around extreme disruption scenarios such as geopolitical supply shocks, while leaving moderate-severity risks such as supplier financial distress or capacity fluctuations without adequate KRI triggers or response protocols. Second, information security risk management programs often concentrate resources on advanced persistent threats (APTs) while underinvesting in defenses against the moderate-severity, high-frequency social engineering attacks that generate the majority of actual incident losses. Third, climate physical risk assessments for ESG disclosure purposes frequently employ single-pathway climate scenarios, missing the multi-scenario stress testing rigor that regulators and investors are increasingly demanding under TCFD-aligned frameworks.
How Winners Consulting Services Helps Taiwan Enterprises Build Multi-Scenario ERM Resilience
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides comprehensive ERM implementation services to help Taiwan enterprises build risk governance frameworks that are genuinely resilient across the full spectrum of risk scenarios—not merely optimized for a single extreme event. Our approach is directly informed by the methodological insights of research such as this 2025 study, translating academic advances into actionable enterprise risk management practice aligned with ISO 31000 and COSO ERM.
- Multi-Scenario Risk Matrix Design: We assess whether your current risk matrix covers the full spectrum of risk magnitudes—from high-frequency moderate-severity events to low-frequency catastrophic ones—and redesign the framework to ensure every risk band has appropriate KRI monitoring thresholds and response protocols. This directly addresses the single-scenario optimization trap identified in the research.
- COSO ERM Risk Appetite Multi-Dimensional Calibration: We help your board and senior management articulate risk appetite statements that define distinct tolerance boundaries for different scenario magnitudes, aligned with COSO ERM 2017's requirements for integrating risk and strategy. This prevents the common failure mode of accepting unlimited exposure to moderate-severity risks while nominally controlling only tail risks.
- Climate and ESG Multi-Scenario Stress Testing: Drawing on the composite return period optimization methodology of this research, we design multi-scenario climate stress testing frameworks for your ESG risk disclosure, covering short-term (2030), medium-term (2050), and long-term (2100) climate pathways, ensuring your risk governance architecture meets TCFD requirements and emerging regulatory expectations.
Winners Consulting Services Co. Ltd. offers a complimentary ERM Framework Diagnostic, helping Taiwan enterprises establish an ISO 31000-aligned risk management system—including multi-scenario risk matrix design and KRI monitoring infrastructure—within 90 days.
Frequently Asked Questions
- Our company already has a risk matrix. Do we need to redesign it for multiple scenarios?
- Yes, almost certainly—and the urgency depends on how your current matrix was designed. If your risk matrix is anchored to a single worst-case or maximum credible scenario, this research demonstrates that it may provide a false sense of security. Organizations optimized for only their most extreme risk scenario can experience performance degradation of more than 73% (measured by the AUPF metric) when confronted with moderate-severity events. ISO 31000:2018 requires risk assessment processes to be iterative and capable of addressing risk events across a range of magnitudes. Winners Consulting Services can conduct a rapid diagnostic to identify the scenario coverage gaps in your existing framework and design targeted improvements.
- What are the most common ERM compliance failures for Taiwan enterprises?
- The most common failure is structural fragility disguised as formal compliance. Many Taiwan enterprises have risk management policy documents and a functioning risk committee, but their underlying risk matrices are designed around a single scenario benchmark, their KRI thresholds lack differentiation across risk magnitudes, and their board-level risk reporting does not include scenario stress testing results. COSO ERM 2017 requires risk management to be integrated with strategic decision-making, with the board actively engaging with multi-scenario risk exposures. ISO 31000 requires dynamic, iterative risk assessment. Both frameworks are violated when an organization's practical risk management system cannot demonstrate how it would respond to risks at different severity levels.
- What does ISO 31000 specifically require regarding multi-scenario risk management?
- ISO 31000:2018 establishes several principles directly relevant to multi-scenario design. The standard's principle of "iterative" risk management requires that the framework continuously adapt to new information and changing conditions—including the recognition that risks manifest at different scales. The risk assessment process specified in ISO 31000 requires scenario analysis that identifies how risk likelihood and consequence vary under different circumstances, not just under a single assumed maximum event. The standard also requires that risk treatment options be evaluated against a range of future scenarios, not just a single design basis. COSO ERM 2017 complements these requirements by explicitly linking risk appetite calibration to strategic scenario planning. Winners Consulting Services helps enterprises operationalize both frameworks through practical multi-scenario risk matrix design and KRI system implementation.
- How long does it take to implement a multi-scenario ERM framework, and what are the steps?
- Winners Consulting Services delivers the standard implementation in 90 days across four phases. Phase 1 (Weeks 1–3): Current State Diagnostic—gap analysis against ISO 31000 requirements, inventory of existing risk matrix scenario coverage, identification of critical blind spots. Phase 2 (Weeks 4–7): Framework Design—development of multi-scenario risk matrix architecture, KRI threshold design across three scenario bands (high-frequency moderate, medium-frequency significant, low-frequency severe), and risk appetite statement recalibration aligned with COSO ERM 2017. Phase 3 (Weeks