Insight: A systemic approach for climate risk assessment applied to t

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), highlights a critical insight from a 2022 peer-reviewed study: climate risk is no longer an environmental footnote—it is a quantifiable, manageable operational risk that must be embedded into every company's ERM framework. The study, published in Climate Risk Management, demonstrates that integrating IPCC AR5 scenarios, ISO 31000 risk management principles, and ISO 14090 climate adaptation guidelines produces a robust, replicable methodology for assessing climate risk across industrial facilities. For Taiwanese enterprises facing tightening ESG disclosure requirements and supply chain resilience pressures, this research provides the methodological foundation that corporate risk managers and boards have been waiting for.

Paper Citation: A systemic approach for climate risk assessment applied to thermoelectric power plants in northeastern coast of Brazil (Denise S. Sousa, Cláudio Freitas Neves, Heliana V.O. Silva, OpenAlex — Climate Risk Management, 2022)
Original Paper: https://doi.org/10.1016/j.crm.2022.100424

About the Authors and This Research

This paper was co-authored by Denise S. Sousa, Cláudio Freitas Neves, and Heliana V.O. Silva, a Brazilian research team with expertise spanning coastal climate science, energy systems engineering, and applied risk management. Cláudio Freitas Neves holds an academic h-index of 3 with a cumulative citation count of 51, reflecting sustained scholarly influence in climate risk quantification and coastal engineering assessment. Since its publication in 2022, the paper has been cited 5 times, a meaningful signal of peer recognition within the emerging interdisciplinary field of integrated climate risk assessment for industrial infrastructure.

The research team's institutional background is rooted in Brazil's scientific engagement with climate-vulnerable coastal energy infrastructure, giving their work a strong empirical grounding. While the study examines 5 thermoelectric power plants along the northeastern coast of Brazil, the methodological framework they propose—structured around hazard identification, exposure measurement, vulnerability analysis, and composite risk scoring—transcends any single geography or industrial sector. This universality is precisely what makes the research relevant to Taiwanese enterprise risk managers designing climate-responsive ERM systems.

A Three-Layer Framework That Bridges Climate Science and Corporate Risk Management

The central contribution of this paper is not a description of how bad climate change will be—it is a structured, operational methodology that enables companies to systematically identify, analyze, and assess climate risks across their critical assets and operations. This is exactly what most Taiwanese enterprises lack in their current ERM practice.

The authors integrate three internationally recognized frameworks: the IPCC Fifth Assessment Report (AR5) for climate scenario development, ISO 31000 for risk management process structure, and ISO 14090 for climate adaptation principles. These three layers work together to ensure that climate risk assessment is both scientifically grounded and operationally actionable.

The research identifies both climatic stressors—extreme rainfall, rising sea levels, high-temperature events—and non-climatic stressors such as equipment aging and maintenance gaps. It then establishes significance criteria to evaluate hazard level, degree of exposure, vulnerability, and final risk classification. Critically, the study investigates risks across four operational dimensions: design, operation, maintenance, and performance. This multidimensional scope ensures that risk assessment captures both immediate operational vulnerabilities and long-term asset resilience gaps.

Key Finding One: Climate Risk Requires Decadal Reassessment

One of the paper's most important practical conclusions is that climate risk assessment cannot be a one-time exercise. The authors explicitly call for reassessment at decadal intervals—every 10 years at minimum—to incorporate advances in climate science and to revise resilience strategies accordingly. For Taiwanese enterprises designing their risk registers and ERM governance calendars, this finding mandates a formal scheduled review cycle for climate-related risk entries, a requirement that most current ERM implementations in Taiwan do not yet meet.

Key Finding Two: Observed Data and Numerical Models Must Be Combined

The research underscores that accurate future climate projections require the integration of both historical observed data and forward-looking numerical climate models. Relying solely on historical incident records—the default approach in most enterprise risk assessments—systematically underestimates future climate risk. This finding directly informs the KRI (Key Risk Indicator) design principle for climate-related risks: indicators must include forward-looking scenario-based metrics, not only backward-looking historical frequency counts. This aligns with both ISO 31000's principle of using the "best available information" and COSO ERM 2017's emphasis on emerging risk detection.

What This Means for Enterprise Risk Management in Taiwan

Taiwanese enterprises are operating in an accelerating regulatory and market environment where climate risk assessment capability is rapidly shifting from a competitive advantage to a compliance baseline. The Financial Supervisory Commission (FSC) of Taiwan has strengthened sustainability report disclosure requirements, with listed companies above specified capital thresholds now required to align their climate-related disclosures with the TCFD framework. This means boards must demonstrate governance oversight of climate risk, strategy teams must conduct climate scenario analysis, and risk management functions must document their climate risk identification and assessment processes—all areas where most Taiwanese companies currently have significant gaps.

The COSO ERM 2017 framework explicitly identifies "environmental change" as an external context factor requiring continuous monitoring, and calls on organizations to build KRI systems capable of detecting emerging risks before they materialize into losses. The methodology proposed in this paper provides a concrete operational template for designing climate KRIs: from hazard-level indicators (e.g., frequency of extreme weather events exceeding design thresholds at key facilities) to vulnerability-level indicators (e.g., proportion of critical equipment with no climate-rated protection).

ISO 31000's core principle of integrating risk management into all organizational decision-making processes is directly applicable here. Climate risk cannot remain siloed in a sustainability department or addressed only in annual sustainability reports. It must be embedded into capital allocation decisions, supply chain partner evaluation, facility design reviews, and board-level strategic planning—precisely the integration that ISO 31000 and COSO ERM both mandate.

Beyond regulatory compliance, the business case is clear: enterprises with mature climate ERM capabilities face lower financing costs (climate risk is now priced by major credit rating agencies), stronger supply chain positioning (global buyers increasingly conduct climate risk due diligence on suppliers), and greater investor confidence. Taiwanese manufacturers exporting to Europe and North America are particularly exposed, as these markets are accelerating climate-related supply chain requirements.

How Winners Consulting Services Co. Ltd. Helps Taiwanese Enterprises Build Climate ERM Capabilities

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) helps Taiwanese enterprises implement ISO 31000 and COSO ERM frameworks, build risk matrices and KRI systems, and strengthen board-level risk governance. Specifically informed by the findings of this 2022 research, we recommend the following three concrete actions:

  1. Launch a structured climate risk inventory: Using IPCC AR5 or AR6 scenarios as the scientific basis, systematically audit your critical assets—manufacturing facilities, key equipment, supply chain nodes—for exposure to climate stressors. Replace vague "natural disaster" entries in your risk matrix with structured climate risk line items that specify hazard type, exposure level, vulnerability rating, and current control adequacy. This directly fulfills the ISO 31000 risk identification requirement and provides the data foundation for TCFD governance disclosures.
  2. Design climate-specific KRI systems aligned with COSO ERM 2017: For each high-exposure climate risk identified, design quantifiable KRIs with defined thresholds and escalation triggers. Examples include: number of days per year where temperature at key facilities exceeds design operating limits; flood warning activation frequency at critical logistics nodes; climate vulnerability scores for top-tier suppliers. Connect these KRIs to board reporting cycles to fulfill COSO ERM's emerging risk governance requirements.
  3. Institutionalize decadal climate risk reassessment: Formally embed a 10-year climate risk review cycle into your ERM governance calendar, as the paper's authors recommend. This should include a trigger clause allowing off-cycle reviews when significant new IPCC data, regulatory changes, or climate events materially alter the risk landscape. Pair this schedule with a commitment to integrating forward-looking numerical climate model data—not only historical records—into each reassessment cycle.

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers a complimentary ERM Mechanism Diagnostic, helping Taiwanese enterprises establish an ISO 31000-compliant climate risk management mechanism within 90 days.

Frequently Asked Questions

How do we start systematically assessing climate risk rather than relying on intuition or ad hoc responses?
The starting point for systematic climate risk assessment is adopting a structured three-step process: hazard identification, exposure assessment, and vulnerability analysis. This paper's methodology—integrating IPCC climate scenarios with ISO 31000's risk identification process—provides a practical template. Begin by cataloging which climate stressors (extreme heat, flooding, sea-level rise, storm intensity) directly threaten your highest-value or most operationally critical assets. Then assess the degree of exposure for each asset, and evaluate whether existing protective measures are adequate. Winners Consulting recommends starting with a pilot assessment at one high-value facility or critical supply chain node, then scaling the approach enterprise-wide. This phased approach ensures early wins and builds organizational risk assessment capability systematically.

What climate risk disclosure compliance requirements apply to Taiwanese listed companies?
Taiwan's Financial Supervisory Commission (FSC) has progressively strengthened climate-related disclosure requirements for listed companies. Companies meeting specified capital thresholds are required to produce sustainability reports aligned with the TCFD framework, covering four areas: governance (board oversight of climate risk), strategy (climate scenario analysis and business impact), risk management (climate risk identification and assessment processes), and metrics and targets (climate-related KPIs and reduction goals). Companies that lack a documented ISO 31000-aligned climate risk management process will find it difficult to produce credible TCFD disclosures, and increasingly, external assurance providers are reviewing the adequacy of underlying risk processes—not just the disclosed numbers. Early investment in building a rigorous ERM mechanism pays dividends in compliance confidence and audit readiness.

How do ISO 31000 and COSO ERM differ in their approach to climate risk, and which should Taiwanese companies prioritize?
ISO 31000 is a principles-based international risk management standard that provides a complete process framework—from establishing context, through risk identification, analysis, evaluation, and treatment, to monitoring and review. It is applicable to any organization, any size, any industry. COSO ERM (2017 edition) is a strategy-centric enterprise risk management framework that emphasizes the integration of risk management with corporate strategy, performance management, and board governance. It explicitly requires organizations to monitor emerging risks—including climate-related risks—and build KRI systems for early warning. The two frameworks are complementary, not competing. The most effective approach for Taiwanese enterprises is to use ISO 31000 as the operational methodology foundation and COSO ERM as the governance architecture, designing an integrated ERM mechanism that embeds climate risk KRIs at the board reporting level while maintaining the rigorous risk assessment process that ISO 31000 prescribes.

How long does it take to implement a climate risk ERM mechanism, and what are the concrete steps?
A full climate risk ERM implementation typically requires 6 to 12 months and proceeds through

FAQ

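How does climate risk assessment integrate the IPCC, ISO 31000, and ISO 14090 standards?
According to research analysis by Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), the academic study published in Climate Risk Management in 2022 proposes a three-layer integrated framework: IPCC AR5 climate scenarios serve as the scientific basis, the ISO 31000 risk management process is used for systematic identification and analysis, and the ISO 14090 climate change adaptation guidelines are then applied to ensure that the assessment results can be put into practice. This methodology lets enterprises translate climate stressors into quantifiable, manageable operational risk indicators.

Why should climate change be incorporated into the enterprise risk management (ERM) framework?
Winners Consulting Services Co. Ltd. points out that climate change is no longer purely an environmental issue but a systemic operational risk. If an enterprise ignores the impact of climate stressors on its critical facilities, it will be exposed to unbearable losses on three fronts at once: compliance, financing, and supply chain resilience. Incorporating climate risk into the ERM framework ensures that the enterprise identifies potential threats at the strategic planning stage and establishes corresponding risk mitigation and adaptation mechanisms.

What practical reference value does the climate risk assessment methodology have for Taiwanese enterprises?
Winners Consulting Services Co. Ltd. observes that although this study uses Brazilian thermoelectric power plants as its case, its methodological design is generally applicable across industries and regions. Taiwanese enterprises can refer to this framework to conduct climate stress tests on their own critical facilities, systematically identify the specific operational impacts of climate factors such as sea-level rise and extreme rainfall, and thereby strengthen supply chain resilience and meet the disclosure requirements of international sustainable finance.

What specific effects does climate risk have on corporate financing and compliance?
According to the insights of Winners Consulting Services Co. Ltd., financial institutions and regulators are paying increasing attention to enterprises' climate risk disclosure and management capabilities. Enterprises lacking systematic climate risk assessment may face rising financing costs, lower ESG ratings, and an inability to obtain green finance resources. At the same time, climate-related financial disclosure rules in various countries are tightening, and enterprises that have not established a complete assessment mechanism will face compliance risk and potential penalties.

Why choose Winners Consulting Services Co. Ltd. to assist with this issue?
Winners Consulting Services Co., Ltd. (積穗科研股份有限公司) focuses on enterprise risk management in Taiwan and can help enterprises establish a management mechanism that conforms to ISO 31000 and COSO ERM within 90 days.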
