Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Enterprise Risk Management (ERM), brings a critical insight to the attention of corporate executives: most organizations that have invested in ISO 31000 frameworks still struggle to make risk management operational—because they lack the right execution tools. A landmark 2024 study published in the Enterprise Risk Management journal offers a compelling solution: integrating Lean Management tools into ISO 31000:2018 risk management methods can significantly enhance their real-world effectiveness, transforming ERM from a compliance exercise into a live operational mechanism.
Paper Citation: The Utilization of Lean Management Tools in the Application of Risk Management Methods According to ISO 31000:2018 (Emil Ratter, Magdalena Kalbarczyk, Katarzyna Pietrzyk-Wiszowaty, OpenAlex — Enterprise Risk Management, 2024)
Original Paper: https://doi.org/10.35808/ersj/3349
About the Authors and This Research
This research was co-authored by Emil Ratter, Magdalena Kalbarczyk, and Katarzyna Pietrzyk-Wiszowaty—a team whose interdisciplinary background bridges European industrial practice and academic risk management scholarship. Magdalena Kalbarczyk holds an h-index of 2 with 11 cumulative citations, reflecting consistent engagement in the intersection of enterprise risk management and operational quality frameworks. The team's applied orientation distinguishes this paper from purely theoretical contributions: their findings are grounded in the practical constraints that real organizations face when deploying ISO 31000 frameworks.
Published in 2024 and already cited 4 times within its first year, the paper has attracted rapid attention from the ERM practitioner community—a strong indicator of its relevance to current management challenges. The full paper is available for independent review at https://doi.org/10.35808/ersj/3349. Winners Consulting Services Co. Ltd. encourages all interested readers to access the original research directly.
The Gap Between ISO 31000 Design and Operational Reality
The central problem this research addresses is one that any ERM practitioner in Taiwan will immediately recognize: ISO 31000:2018 is a robust and internationally respected risk management standard, but it is inherently principle-based. It defines what risk management should achieve—it does not prescribe how those achievements should be operationalized within daily workflows. This gap between framework design and day-to-day execution is where most ERM programs quietly fail.
The 2024 research by Ratter, Kalbarczyk, and Pietrzyk-Wiszowaty systematically maps the specific phases of the ISO 31000:2018 risk management process against a curated selection of Lean Management tools, identifying where each tool can augment the framework's practical effectiveness. The result is not a replacement of ISO 31000, but a methodological enrichment that gives organizations the operational vocabulary to make it work.
Core Finding One: FMEA Strengthens Systematic Risk Identification
The research demonstrates that Failure Mode and Effects Analysis (FMEA)—traditionally used in manufacturing quality management—can be directly applied to the Risk Identification phase of ISO 31000:2018. FMEA's structured methodology requires teams to systematically enumerate potential failure points, assess their severity and likelihood, and prioritize response. When applied to enterprise risk identification, this approach produces significantly more comprehensive risk inventories than ad hoc brainstorming or generic risk category checklists. This finding directly addresses a gap identified in COSO ERM frameworks as well: the requirement that risk identification be complete, repeatable, and defensible to boards and audit committees. FMEA provides exactly that structured evidentiary basis.
Core Finding Two: Value Stream Mapping Anchors Risk Assessment to Process Reality
Value Stream Mapping (VSM), another core Lean Management tool, enables organizations to visually represent every step in their operational value chain—and to identify precisely where risk events can materialize. The research finds that applying VSM to the ISO 31000:2018 "Establishing the Context" phase transforms risk assessment from abstract scoring into process-anchored analysis. This has a direct and powerful implication for KRI (Key Risk Indicator) design: rather than selecting KRIs based on intuition or peer benchmarking alone, organizations can use VSM to identify the specific process nodes where leading indicators of risk should be monitored. The result is a KRI architecture that can provide 30 to 90 days of advance warning before risk events escalate to material impact.
Core Finding Three: Lean Tools Enable Continuous Risk Monitoring, Not Just Annual Review
One of the most operationally significant conclusions of the research is that Lean Management tools—particularly visual management techniques like control charts and Kanban-style risk boards—can transform ISO 31000:2018 risk monitoring from a periodic audit function into a continuous operational discipline. For organizations operating under COSO ERM expectations of ongoing risk oversight, this represents a structural upgrade: risk management becomes embedded in how work is done, not layered on top of it as a separate compliance process.
Implications for Enterprise Risk Management Practice in Taiwan
Taiwan's corporate governance environment is evolving rapidly. The Financial Supervisory Commission (FSC) has progressively strengthened its expectations for risk disclosure among listed companies. Meanwhile, multinational supply chain partners increasingly require documented ERM frameworks as part of vendor qualification and ESG due diligence processes. In this context, the findings of this 2024 research carry three specific implications for Taiwanese enterprises:
Implication One: ISO 31000 Compliance Is Necessary But Not Sufficient. Many Taiwanese companies have completed ISO 31000 training or established initial risk documentation. However, without execution tools, these frameworks remain static artifacts rather than living management mechanisms. The research confirms that Lean Management tools provide the operational layer that makes ISO 31000 dynamic and self-sustaining.
Implication Two: Risk Matrices Must Be Process-Grounded. Risk matrices built without VSM or equivalent process-mapping tools tend to reflect organizational politics rather than operational reality. The research strongly suggests that any organization redesigning its risk matrix—whether under ISO 31000 or COSO ERM—should begin with process visualization, not scoring templates.
Implication Three: KRI Design Is a Strategic Investment. KRIs that are defined without reference to specific process failure modes will produce noise rather than signal. The FMEA-VSM integration recommended by this research gives organizations a disciplined method to design KRIs that are causally linked to actual risk drivers, dramatically improving their early warning effectiveness. This aligns with COSO ERM's emphasis on risk appetite monitoring through quantifiable indicators.
How Winners Consulting Services Co. Ltd. Helps Taiwanese Enterprises Act on These Findings
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is one of Taiwan's few consulting firms with the capability to integrate ISO 31000, COSO ERM, and Lean Management methodologies into a unified, operational ERM mechanism. Our approach is built around the same insight that drives this 2024 research: frameworks are only as effective as the execution tools that bring them to life.
- ERM Current State Diagnosis with ISO 31000:2018 Gap Analysis: We begin by mapping your existing risk management practices against the full ISO 31000:2018 process cycle—from context establishment through risk identification, assessment, treatment, and monitoring. We identify specifically which stages lack execution tool support, and where the integration of FMEA or VSM would yield the highest impact on risk identification completeness and KRI design quality.
- Risk Matrix and KRI Redesign Using VSM and FMEA: We facilitate cross-functional Value Stream Mapping workshops to build a process-anchored risk map of your core business operations. Each high-risk process node is then equipped with FMEA-derived risk assessments and KRI definitions, producing a risk matrix that is directly connected to operational reality and capable of providing early warning signals 30 to 90 days in advance of material risk events.
- Board-Level Risk Governance Integration Aligned with COSO ERM: We design your risk reporting architecture to connect operational risk monitoring with board-level governance expectations under the COSO ERM framework. This includes risk appetite statement development, KRI dashboard design, and quarterly risk review cycle facilitation—ensuring that risk management is a board-visible, strategically integrated discipline rather than a compliance function.
Winners Consulting Services Co. Ltd. offers a complimentary ERM Mechanism Diagnostic to help Taiwanese enterprises establish an ISO 31000-aligned risk management mechanism within 90 days. Apply today to receive an independent assessment of your current ERM gaps.
Frequently Asked Questions
- We already have a risk matrix. Why isn't our ERM program actually working?
- A risk matrix is a visualization tool, not an ERM mechanism. The most common reason risk matrices fail to drive management action is that they were built without process grounding—risks were identified through subjective brainstorming rather than systematic methods like FMEA, and scored without reference to actual operational workflows. This 2024 research confirms that risk matrices built without VSM-anchored process analysis tend to misallocate management attention and miss operationally significant risks. Winners Consulting Services Co. Ltd. recommends starting with an ERM diagnostic to identify whether your risk identification and assessment methods are producing reliable, actionable outputs under ISO 31000:2018 standards.
- What are the compliance requirements for ISO 31000 implementation in Taiwan?
- ISO 31000:2018 is a guidance standard, not a certification standard—there is no pass/fail compliance determination. However, Taiwanese listed companies face increasing disclosure expectations from the FSC regarding risk governance, and multinational supply chain partners increasingly require documented ERM frameworks aligned with recognized international standards. ISO 31000 provides the internationally recognized language for these disclosures. For companies subject to financial regulatory oversight, combining ISO 31000 with the COSO ERM framework provides the most robust documentation architecture for both operational risk management and board-level governance reporting.
- What is the difference between ISO 31000 and COSO ERM, and which should Taiwanese companies use?
- ISO 31000:2018 is a universal risk management guidance standard applicable to organizations of any size and industry. It focuses on the risk management process itself—how to identify, assess, treat, and monitor risks. COSO ERM (2017) is specifically designed to integrate risk management with corporate strategy and board governance, with strong emphasis on risk culture, risk appetite, and organizational performance. The two frameworks are complementary rather than competing. Winners Consulting Services Co. Ltd. recommends that Taiwanese listed companies adopt COSO ERM as the governance-level framework for board reporting, and ISO 31000 as the operational standard for process-level risk management—creating a two-tier ERM architecture that satisfies both regulatory and operational needs.
- How long does ISO 31000 ERM implementation typically take, and what are the key steps?
- For mid-sized Taiwanese enterprises (200 to 1,000 employees), a full ISO 31000 ERM implementation typically requires 90 to 180 days across four phases:
  - Phase 1 (Days 1–30): Current state diagnosis and gap analysis against ISO 31000:2018.
  - Phase 2 (Days 31–60): Risk governance architecture design, including risk matrix framework, KRI taxonomy, and risk appetite parameters.
  - Phase 3 (Days 61–120): Departmental risk identification workshops using FMEA methodology, KRI implementation, and monitoring system setup.
  - Phase 4 (Days 121–180): First risk review cycle, mechanism refinement, and board reporting integration.
  Winners Consulting Services Co. Ltd. offers a 90-day accelerated implementation track for organizations requiring rapid baseline ERM capability.
- Why engage Winners Consulting Services Co. Ltd. for Enterprise Risk Management (ERM)?
- Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) offers a combination of capabilities that is rare in Taiwan's ERM consulting market: deep expertise in both ISO 31000 and COSO ERM frameworks, combined with practical experience in Lean Management tool integration for risk management execution. We