Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), a Taiwan-based Enterprise Risk Management (ERM) consultancy, reviews a 2022 case study showing that integrating ISO 31000:2018 with the Balanced Scorecard (BSC) framework can systematically identify and mitigate 36 distinct supply chain risks while improving organizational performance across the four BSC perspectives, a finding with direct implications for Taiwanese enterprises navigating increasingly fragile global supply chains.
Paper Citation: Perminas Pangeran (2022). A Supply Chain Risk Mitigation Based on ISO 31000:2018 - Balanced Scorecard (BSC) Integration to Improve Performance: A Case Study at "BTD" Hospital. International Journal of Social Science Research and Review (IJSSRR), vol. 5, no. 8 (indexed in OpenAlex under Enterprise Risk Management).
Original Paper: https://doi.org/10.47814/ijssrr.v5i8.391
About the Author and This Research
Perminas Pangeran is an academic researcher based in Yogyakarta Special Region (DIY), Indonesia, with a focus on enterprise risk management and supply chain performance; OpenAlex records an h-index of 2 and 22 cumulative citations for the author. This 2022 paper is a practical contribution at the intersection of risk management standards and strategic performance frameworks. It has been cited once in the academic literature, and its value lies not in citation volume but in methodological rigor: the author selected a real hospital as the research site and applied the internationally recognized ISO 31000:2018 risk management standard alongside the Balanced Scorecard (BSC) framework, first developed by Kaplan and Norton in the 1990s, to create a replicable, measurable model for risk mitigation and performance improvement.
Published in the International Journal of Social Science Research and Review (IJSSRR), this study focuses on BTD Hospital's supply chain risk management challenges in Yogyakarta, Indonesia. The research employs a descriptive-qualitative case study methodology, systematically examining risk sources in pharmaceutical supply, staffing, and operational procedures, and proposing concrete mitigation strategies. For Taiwanese business executives, this Southeast Asian healthcare case raises a universally relevant question: when supply chain disruption has become the new normal, how can organizations use structured frameworks to make risk management and strategic execution work in tandem?
ISO 31000 × BSC Integration: How Identifying 36 Risks Drives Holistic Organizational Performance
The central insight of this research is that risk management should not be a standalone compliance exercise—it must be deeply integrated with strategic performance management. The researcher applied ISO 31000:2018's risk assessment process to fully identify and classify supply chain risks at BTD Hospital, then mapped each of the 36 identified risks to the four BSC perspectives, creating a three-tier alignment between risk, strategic objectives, and performance indicators.
Core Finding 1: 36 Risks Systematically Mapped Using a Risk Matrix to Prioritize Mitigation
The study identified 36 supply chain risks spanning inadequate communication with pharmaceutical distributors, improper buffer stock management for life-saving drugs, absence of e-prescription policies, incomplete standard operating procedures (SOPs) for drug dispensing, unbalanced staffing during peak hours, and insufficient training on Look-Alike Sound-Alike (LASA) high-alert medications. These risks were not simply listed; each was rated through a likelihood × impact risk matrix within the ISO 31000:2018 risk assessment process, enabling management to concentrate resources on the highest-priority threats. One caveat for practitioners: ISO 31000:2018 itself does not prescribe the matrix or its scales. The likelihood × impact matrix is one of the assessment techniques catalogued in the companion standard IEC 31010, and the rating scales and priority bands are choices the organization must define and document. That is precisely where the framework delivers its greatest practical value: transforming qualitative risk awareness into a prioritized, actionable risk register.
Core Finding 2: BSC Four-Perspective Integration Connects Risk Mitigation Directly to Organizational Performance
The research further mapped mitigation actions to the four BSC perspectives: (1) Financial Perspective—improving pharmaceutical procurement cost control; (2) Customer Perspective—enhancing patient medication safety and service quality; (3) Internal Process Perspective—revising dispensing SOPs and establishing annual supplier evaluation mechanisms; (4) Learning and Growth Perspective—implementing staff skills development programs and facility improvement initiatives. The significance of this integrated design is that every risk mitigation action has a corresponding performance indicator, enabling organizations to track whether risk mitigation actually translates into performance improvement. This is the concrete realization of the principle COSO ERM has long advocated: connecting risk to strategy and organizational objectives.
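The three-step procedure above (rate each risk by likelihood × impact, band and rank it, then map it to a BSC perspective with a trackable KRI) is easy to describe and easy to get inconsistent in a spreadsheet. The following is an added example, not code from the paper or from Winners Consulting, showing a minimal risk register that implements those steps so the scoring rules live in one place. The risk descriptions are taken from the page; every likelihood/impact score, KRI threshold and current KRI reading is constructed for illustration, and the High/Medium/Low cut-offs are an assumed 5×5 convention, not something ISO 31000 prescribes.

```python
"""Added example: a small ISO 31000-style risk register with BSC mapping and KRI checks.
Not from the paper or from Winners Consulting; all scores, thresholds and KRI
readings below are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Perspective(Enum):
    """The four Balanced Scorecard perspectives."""
    FINANCIAL = "Financial"
    CUSTOMER = "Customer"
    INTERNAL_PROCESS = "Internal Process"
    LEARNING_GROWTH = "Learning and Growth"


@dataclass
class KRI:
    """A Key Risk Indicator with a tolerance threshold (values are constructed)."""
    name: str
    threshold: float
    current: float
    higher_is_worse: bool = True  # e.g. stock-outs per month; set False for "days of cover"

    def breached(self) -> bool:
        if self.higher_is_worse:
            return self.current >= self.threshold
        return self.current <= self.threshold


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int      # 1 (negligible) .. 5 (severe); scale is an assumption
    perspective: Perspective
    kri: Optional[KRI] = None

    def __post_init__(self) -> None:
        # Reject ratings outside the 5x5 scale so a typo cannot silently inflate a score.
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be integers in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        # Cut-offs are a common 5x5 convention (assumed here), not an ISO 31000 requirement.
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken on impact so a severe-but-rare risk outranks a frequent-but-minor one."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def by_perspective(register: list[Risk]) -> dict[Perspective, list[str]]:
    """Group risk IDs under the BSC perspective each mitigation reports into."""
    grouped: dict[Perspective, list[str]] = defaultdict(list)
    for r in register:
        grouped[r.perspective].append(r.rid)
    return dict(grouped)


def breached_kris(register: list[Risk]) -> list[str]:
    """IDs of risks whose KRI is outside tolerance and should be escalated."""
    return [r.rid for r in register if r.kri is not None and r.kri.breached()]


# Constructed register: descriptions from the page, all numbers illustrative.
REGISTER: list[Risk] = [
    Risk("R01", "Inadequate communication with pharmaceutical distributors", 4, 3,
         Perspective.INTERNAL_PROCESS, KRI("supplier response time (days)", 3, 4)),
    Risk("R02", "Improper buffer stock for life-saving drugs", 3, 5,
         Perspective.CUSTOMER, KRI("life-saving drug stock-outs per month", 1, 0)),
    Risk("R03", "No e-prescription policy", 5, 3, Perspective.INTERNAL_PROCESS),
    Risk("R04", "Incomplete SOP for drug dispensing", 3, 4, Perspective.INTERNAL_PROCESS),
    Risk("R05", "Unbalanced staffing during peak hours", 4, 2,
         Perspective.LEARNING_GROWTH, KRI("peak-hour prescriptions per pharmacist", 25, 28)),
    Risk("R06", "Insufficient LASA high-alert medication training", 2, 5,
         Perspective.LEARNING_GROWTH),
    Risk("R07", "Pharmaceutical procurement cost overrun", 3, 3,
         Perspective.FINANCIAL, KRI("procurement cost variance (%)", 5, 3)),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rid} score={r.score:2d} {r.band:6s} {r.perspective.value:20s} {r.description}")
    print("KRI breaches:", breached_kris(REGISTER))
```

Running the script prints the register in priority order and lists the two risks whose KRIs are out of tolerance. Keeping the scale validation, banding and tie-break in code rather than in spreadsheet cells means every reviewer sees the same ranking from the same inputs, which is what makes the register defensible to a board or an auditor.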
Implications for Taiwan's Enterprise Risk Management (ERM) Practice: Why Framework Integration Is Now Essential
Taiwanese enterprises are under historic pressure to restructure their supply chains. From the COVID-19 disruptions of 2020, to the semiconductor component shortage crisis of 2021, to the ongoing geopolitical-driven de-risking and supply chain diversification wave, both Taiwanese SMEs and publicly listed companies are rethinking the same fundamental question: how can supply chain risks be made visible, quantifiable, and manageable?
This paper's case study demonstrates that ISO 31000:2018 provides a systematic risk identification and assessment process, while BSC provides the language for aligning risk management actions with strategic objectives. For Taiwanese enterprises, this integration is particularly relevant because Taiwan's boards of directors and senior management teams are accustomed to measuring performance through financial KPIs, yet typically lack mechanisms to translate risk events into KRIs (Key Risk Indicators) that can be monitored on a continuous basis.
The COSO ERM 2017 framework explicitly states that the core of Enterprise Risk Management (ERM) is to embed risk considerations into strategy-setting and objective-setting processes—not to treat risk management as a remedial afterthought. Taiwan's Financial Supervisory Commission (FSC) has in recent years strengthened requirements for listed companies to establish formal risk management mechanisms, requirements that are closely aligned with the principles of ISO 31000. This 2022 research case provides Taiwanese enterprises with a real-world reference for implementation: from identifying specific risk items in the supply chain, to designing trackable KRIs, to connecting risk mitigation actions to BSC performance objectives—a clear and actionable ERM implementation pathway.
Taiwan's position as a critical node in global technology supply chains—particularly in semiconductors, electronics, and precision manufacturing—makes supply chain risk management not merely a compliance matter but a strategic imperative. Companies that can demonstrate robust ERM mechanisms aligned with ISO 31000 and COSO ERM principles will increasingly command greater trust from international partners, investors, and regulators.
How Winners Consulting Services Co. Ltd. Helps Taiwan Enterprises Implement ISO 31000 and BSC Integration
積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) helps Taiwanese enterprises implement ISO 31000 and COSO ERM frameworks, establish risk matrices and KRI systems, and strengthen board-level risk governance capabilities. Drawing directly on the integrated approach demonstrated in this research, Winners Consulting offers the following concrete service pathways:
- Supply Chain Risk Inventory and Risk Matrix Development: Following ISO 31000:2018's risk identification and assessment processes, Winners Consulting helps enterprises systematically map supply chain risks including supplier concentration, delivery delays, and raw material substitutability. We build company-specific risk matrices (likelihood × impact) to identify the highest-priority items requiring mitigation, producing a formal Risk Register that serves as the foundation for all subsequent ERM activities.
- KRI Design and BSC Strategic Alignment: Drawing on the 36-risk-to-BSC-four-perspective integration logic demonstrated in this study, Winners Consulting helps Taiwanese enterprises design quantifiable KRIs for each significant risk item, directly mapping risk mitigation actions to financial, customer, internal process, and learning and growth strategic objectives—making risk management an integral part of strategy execution rather than a separate compliance obligation.
- ERM Framework Implementation and Board Risk Governance Training: Integrating the COSO ERM 2017 framework, Winners Consulting helps enterprises design ERM mechanisms that meet Taiwan FSC requirements, including risk management policies, Risk Appetite Statements, and risk reporting mechanisms. We also provide risk governance training for boards of directors and senior management teams, ensuring that ERM genuinely fulfills its governance function.
Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic, helping Taiwanese enterprises establish ISO 31000-aligned risk management mechanisms within 90 days.
Frequently Asked Questions
- How can companies systematically identify specific risks in their supply chains?
- The most effective approach is to follow ISO 31000:2018's risk identification process and examine the supply chain systematically, for example across suppliers, logistics, inventory, and contracts. The BTD Hospital study identified 36 supply chain risks by defining risk scenarios (e.g., supplier delivery delays, insufficient emergency drug inventory), confirming each risk's likelihood and potential impact through interviews and document reviews, and then building a risk matrix to prioritize mitigation items. Taiwanese enterprises can use this as a template, adjusting the risk categories to their industry and building their own Risk Register. This is both the first step in implementing Enterprise Risk Management (ERM) and the most critical foundational work: without a complete risk inventory, all subsequent KRI design and strategy alignment efforts lack a sound basis.
- What risk management compliance requirements must Taiwan's listed companies meet?
- Taiwan's Financial Supervisory Commission (FSC) requires listed and OTC-traded companies to establish risk management mechanisms, including appointing a risk management committee or designated senior executive responsible for risk management, regularly reporting significant risks to the board of directors, and disclosing risk management policies. These requirements are closely aligned with ISO 31000 and COSO ERM principles. Companies should pay particular attention to three points: first, risk management cannot be merely a formal compliance report—it must be connected to strategic objectives; second, quantifiable KRI (Key Risk Indicator) tracking mechanisms must be established; third, the board must develop sufficient risk governance capability to regularly review risk appetite and risk tolerance settings in line with ERM best practices.
- What is the difference between ISO 31000 and COSO ERM? Which should Taiwanese enterprises adopt?
- ISO 31000:2018 is the risk management principles and guidelines published by the International Organization for Standardization. It treats risk management as a systematic process applicable to all types of organizations and is deliberately flexible and generic. Note that ISO 31000 is a guidance standard, not a management system standard like ISO 9001 or ISO 27001, so an organization cannot be certified against it; "ISO 31000 compliance" in practice means demonstrable alignment with its principles, framework, and process. COSO ERM (2017 edition) is published by the Committee of Sponsoring Organizations of the Treadway Commission and places greater emphasis on integrating risk management with enterprise strategy and performance, with a particular focus on value creation and protection. The two are not mutually exclusive: many Taiwanese enterprises use ISO 31000 as the foundation for their risk management process and supplement it with COSO ERM for the strategy integration and governance dimensions. Winners Consulting recommends that Taiwanese enterprises choose an integration model appropriate to their scale and industry characteristics rather than implementing only one framework in isolation.
- How long does it take to implement an ISO 31000 risk management mechanism? What are the steps?
- For a mid-sized enterprise (100 to 500 employees), implementing a complete ISO 31000-compliant mechanism typically requires 3 to 6 months. Winners Consulting's recommended four-step pathway is: Month 1—Current State Diagnostic, assessing existing risk management mechanisms against ISO 31000