Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), draws a critical insight from this 2024 academic research: when organizations — regardless of size — integrate Enterprise Architecture Planning (EAP) with the ISO 31000:2018 risk management framework, they can systematically identify information system risks, build a structured risk matrix, and generate actionable risk mitigation plans before a single system is deployed. For Taiwan's business executives evaluating ERM frameworks or ISO 31000 adoption, this research offers a concrete, step-by-step reference model worth examining.
Paper Citation: IS Strategic Planning of GBI SOKID using Enterprise Architecture Planning and Risk Management ISO 31000:2018 (Joseph Alan Riyanto, Johan Jimmy Charter Tambotoh, OpenAlex — Enterprise Risk Management, 2024)
Original Paper: https://doi.org/10.32520/stmsi.v13i4.4157
About the Authors and This Research
This paper was co-authored by Joseph Alan Riyanto and Johan Jimmy Charter Tambotoh, published in 2024 and indexed in the OpenAlex Enterprise Risk Management database. Johan Jimmy Charter Tambotoh is a recognized academic voice in the fields of information systems and enterprise architecture, holding an h-index of 6 with 116 cumulative citations — a meaningful indicator of sustained peer recognition in information management and IT governance research.
The research centers on Gereja Bethel Indonesia Sokaraja Kidul (GBI SOKID), an Indonesian church organization that had never implemented any form of information system in its daily operations. Rather than treating this as a purely technical IT project, the authors approached it as an integrated strategic planning challenge — one that requires both architectural design and risk governance from day one. This "start-from-zero, framework-first" approach makes the research especially valuable for small and medium-sized enterprises (SMEs) in Taiwan that are at the early stages of ERM adoption.
Core Insight: Integrating EAP and ISO 31000:2018 Produces Dual Deliverables — Architecture and Risk Map
The most significant contribution of this research is demonstrating that Enterprise Architecture Planning and ISO 31000:2018 risk management are not sequential steps, but parallel disciplines. The research team produced two sets of concrete deliverables simultaneously: an IS Portfolio defining system priorities and implementation timelines, and a Risk Map with full risk evaluations and proposed solutions. This dual-output model fundamentally reframes how organizations should approach IT investment decisions.
Key Finding 1: A Structured Risk Map Built on ISO 31000:2018 Principles
Using the ISO 31000:2018 framework as the methodological backbone, the authors conducted a comprehensive risk identification exercise covering all operational processes of GBI SOKID. The output was a formal Risk Map documenting each identified risk — including data loss, process errors, and system disruption — assessed along two dimensions: likelihood of occurrence and magnitude of impact. Each risk entry was matched with a proposed solution, creating what is effectively a risk matrix that Taiwan enterprises can replicate. This mirrors the core logic of Key Risk Indicator (KRI) design: making risk visible, measurable, and manageable.
Key Finding 2: Enterprise Architecture Planning as a Risk-Calibrated Investment Tool
Beyond risk mapping, the research leveraged the Enterprise Architecture Planning methodology to produce a structured IS Portfolio for GBI SOKID — a prioritized list of information systems to be built, sequenced by business value and feasibility. This approach prevents one of the most common ERM failures in organizations: investing in information systems without a strategic architecture, leading to redundant systems, integration failures, and uncontrolled operational risks. The EAP-driven IS Portfolio ensures that every system investment is both architecturally sound and risk-assessed before commitment.
What This Means for Taiwan's Enterprise Risk Management (ERM) Practice
Taiwan's corporate governance environment is evolving rapidly. The Financial Supervisory Commission (FSC) has progressively strengthened ERM disclosure requirements for listed companies, and the 2023 Corporate Governance Blueprint explicitly calls for board-level risk oversight functions and regular disclosure of material risk management policies. Against this backdrop, this 2024 research carries three layers of practical significance for Taiwan's business leaders.
First, ISO 31000:2018 is explicit that risk management must be embedded into every major organizational decision — not applied as an afterthought. Many Taiwan SMEs deploy ERP, CRM, or digital transformation platforms without conducting any formal risk assessment, exposing themselves to operational disruptions that carry both financial and reputational costs. This research demonstrates that even a small, resource-constrained organization can execute a complete ISO 31000 risk management cycle as part of its strategic planning process.
Second, when viewed through the lens of the COSO ERM 2017 framework's principle of "strategy and risk alignment," this research reinforces that risk appetite and KRI design must be established before technology investment decisions are made — not after. COSO ERM's five components (Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication and Reporting) all require risk information to flow from the operational level to the board level in a structured and traceable manner.
Third, for Taiwan's listed companies facing increasing pressure from institutional investors and proxy advisory firms on ESG and governance metrics, demonstrating a mature ERM framework — anchored in internationally recognized standards like ISO 31000 and COSO ERM — is increasingly a prerequisite for maintaining investor confidence and governance ratings.
How Winners Consulting Services Co. Ltd. Helps Taiwan Enterprises Build ISO 31000 and ERM Frameworks
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwan enterprises in adopting the ISO 31000 and COSO ERM frameworks, designing risk matrices and KRI systems, and strengthening board-level risk governance capabilities.
- ERM Current State Diagnosis and Gap Analysis: Mirroring the "identify first, plan second" approach demonstrated in this research, Winners Consulting conducts a comprehensive audit of an enterprise's existing risk management mechanisms, benchmarked against the six-process cycle of ISO 31000:2018 (Communication, Context Establishment, Risk Identification, Risk Analysis, Risk Evaluation, and Risk Treatment). The output is a gap analysis report that serves as the foundation for all subsequent design decisions.
- Integrated Risk Matrix and KRI Design: Drawing directly from the risk mapping methodology in this research, Winners Consulting designs customized risk matrices — using a five-tier likelihood × impact scoring system — and connects each risk dimension to specific, measurable KRIs. This transforms risk management from intuition-based judgment to data-driven governance, enabling real-time monitoring and board-level reporting.
- Board-Level Risk Governance Architecture: Aligned with COSO ERM 2017's governance and culture component, Winners Consulting assists Taiwan listed companies in establishing FSC-compliant risk committee operating mechanisms, drafting Risk Appetite Statements, designing board-ready risk reporting templates, and structuring annual ERM review processes that satisfy both regulatory and institutional investor expectations.
Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic — helping Taiwan enterprises establish an ISO 31000-compliant risk management framework within 90 days.
Frequently Asked Questions
- Does a small or non-profit organization really need a formal ISO 31000 risk management framework?
- Absolutely. ISO 31000:2018 is explicitly designed as a principles-based, scale-neutral standard applicable to organizations of any size and type. This 2024 research makes that point compellingly: a small church with no prior information systems successfully applied the full ISO 31000 risk management cycle — from risk identification through risk treatment — and produced a formal risk map and evaluation report. For Taiwan SMEs, the lesson is clear: ERM implementation does not require enterprise scale; it requires systematic methodology. The earlier a risk framework is established, the more effective the protection during digital transformation and business expansion phases.
- What are Taiwan FSC's current compliance requirements related to ERM?
- The Financial Supervisory Commission (FSC) has progressively strengthened ERM-related requirements for Taiwan listed companies since 2014. The 2023 Corporate Governance Blueprint explicitly mandates board-level risk oversight functions, regular disclosure of material risk management policies, and the establishment of internal audit mechanisms that cover risk management effectiveness. ISO 31000:2018 and COSO ERM 2017 are the two frameworks most widely recognized by regulators and institutional investors in Taiwan. Companies that cannot demonstrate traceable KRI systems and structured risk reporting face increasing exposure to governance rating downgrades and investor scrutiny.
- What is the difference between ISO 31000 and COSO ERM, and which should Taiwan enterprises use?
- ISO 31000:2018 is an international principles framework focused on building a systematic risk management process — it defines how to identify, analyze, evaluate, and treat risks across the organization. COSO ERM 2017 places greater emphasis on integrating risk management with strategic objectives and communicating risk governance to boards, investors, and regulators. Winners Consulting recommends a dual-track approach for Taiwan enterprises: use ISO 31000 as the operational foundation for risk process design, and use COSO ERM as the governance language for board-level communication and regulatory disclosure. The two frameworks are complementary, not mutually exclusive.
- How long does it take to implement an ISO 31000 risk management framework, and what are the key steps?
- Based on Winners Consulting's implementation experience, a complete ISO 31000 risk management framework can be established in 90 to 120 days across four phases: Phase 1 (approximately 2 weeks) covers current state diagnosis and gap analysis; Phase 2 (approximately 3 to 4 weeks) involves designing the risk management policy, risk matrix, and KRI system; Phase 3 (approximately 4 to 6 weeks) executes departmental risk identification workshops, risk register construction, and staff training; Phase 4 (from month 3 onward) establishes the continuous monitoring and annual review cycle. Smaller enterprises focused on core operations can typically complete the foundational mechanism within 90 days.
- Why choose Winners Consulting Services Co. Ltd. for Enterprise Risk Management (ERM) advisory?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting firms with demonstrated capabilities spanning ISO 31000 framework implementation, COSO ERM governance architecture design, and quantitative KRI system construction. Our consulting team brings cross-industry experience across manufacturing, financial services, technology, and service sectors — enabling us to design ERM mechanisms tailored to each enterprise's scale, industry context, and regulatory environment rather than applying generic templates. Furthermore, Winners Consulting actively monitors the latest international academic research — including 2024 publications such as this one — to ensure that all advisory recommendations remain aligned with evolving international best practices and regulatory expectations. We do not just build frameworks; we build governance capability.