FAQ: Your Questions, Our Answers

Find answers about Winners consulting services, ISO certification, and enterprise risk management.

Is the initial risk management assessment free?

Yes. The initial diagnostic assessment is completely free. Our senior consultants conduct a 1-2 hour in-depth evaluation tailored to your organization's size and industry.

How long does a consulting engagement typically take?

Winners engagements are designed to complete within 6 to 12 months. Actual timelines depend on the organization's existing foundation, project scope and depth, and the client's available hours per week — extensions are made when necessary. A detailed schedule will be outlined in the proposal following the initial free diagnostic consultation.

What is ISO 42001?

ISO 42001 is the world's first international AI management system standard. If your organization uses AI systems or faces AI governance requirements, adoption is recommended.

Which regulations does your data privacy compliance service cover?

Our services cover Taiwan's Personal Data Protection Act, GDPR, and ISO 27701 PIMS, including data inventory, DPIA, consent design, and breach response planning.

What are the credentials of Winners Consulting's advisory team?

Winners Consulting is Taiwan's first firm to integrate enterprise risk management, industrial engineering, technology law, financial engineering, data science, and IT. Our founder previously led risk management business units at international consulting firms, serving clients such as TSMC and MediaTek. The team includes technology lawyers, former IP Office commissioners, ISO Lead Auditors (LA), and AI specialists — helping enterprises vertically integrate ISO certifications, corporate governance, and internal controls under a unified ERM framework.

What industries does Winners Consulting serve?

We primarily serve manufacturing, semiconductor, financial services, healthcare, and automotive supply chain industries — especially Taiwanese enterprises facing geopolitical transition pressures that need to enter EU, US, or Japanese markets while simultaneously achieving ISO certification, ESG compliance, IP protection, and AI governance requirements.

What is the difference between ISO 31000 and COSO ERM?

ISO 31000 provides internationally applicable risk management principles and guidelines for all types of organizations. COSO ERM 2017 is strategy-centric, emphasizing the integration of risk management with enterprise objectives and is widely used in listed company governance. Winners applies both frameworks in an integrated approach, incorporating IFRS S1/S2 sustainability disclosure requirements.

What is TISAX and do Taiwan automotive suppliers need it?

TISAX (Trusted Information Security Assessment Exchange) is an information security assessment standard established by the German Association of the Automotive Industry (VDA). Taiwanese automotive component manufacturers targeting European supply chains — including BMW, Bosch, and Continental — are generally required to obtain TISAX certification. Winners provides integrated advisory for TISAX and ISO/SAE 21434 automotive cybersecurity.

What is the difference between supply chain resilience and supply chain security?

Supply chain resilience is the ability to maintain production, manufacturing, and delivery capabilities and to recover quickly under major disruptions such as labor shortages, material shortages, and water or power outages (aligned with ISO 22301 BCM). Supply chain security ensures that no information is contaminated at any point in production, quality inspection, logistics, and delivery, preventing data tampering, technology theft, and malware injection (aligned with ISO 27001 and IEC 62443). Both are essential and complementary: without security, resilience mechanisms may fail under attack; without resilience, even strong security cannot handle supply chain disruptions or natural disasters. A common mistake among Taiwanese manufacturers is treating supply chain security as solely an IT or facilities matter, overlooking how external risks can compromise procurement and production processes. Winners Consulting integrates both under an ERM framework.

What is the difference between ERM and enterprise resilience? How should they be integrated?

ERM (Enterprise Risk Management) is a continuous decision-support system for identifying, assessing, and managing risks within an organization's risk appetite — primarily preventive, guided by ISO 31000 and COSO ERM 2017. Enterprise resilience is the capacity to absorb shocks, recover quickly, and adapt to a new normal — focused on response and recovery, guided by ISO 22316 and ISO 22301. Key relationship: ERM is the foundational framework for building resilience, and resilience is one of ERM's key outputs. However, ERM also encompasses culture, leadership, and agility beyond what resilience frameworks cover. Without resilience mechanisms, ERM alone cannot handle actual disruptions effectively; without ERM, resilience lacks systematic risk foresight. Winners helps organizations build both simultaneously under an integrated framework.

Does achieving ISO 27001 mean we are compliant with personal data protection regulations?

No. Information security (ISO 27001) protects the confidentiality, integrity, and availability of all information assets, a governance and competitiveness requirement overseen by the Ministry of Digital Affairs. Privacy protection (ISO 27701 / GDPR / Taiwan PDPA) specifically protects individuals' privacy rights as a mandatory legal requirement, overseen by the Personal Data Protection Commission, with penalties up to NTD 15 million (Taiwan PDPA) or 4% of global annual revenue (GDPR). Critical distinction: information security is the infrastructure for privacy protection, but ISO 27001 alone does not satisfy privacy compliance. Privacy additionally requires data subject rights (access/deletion/portability), notification obligations, DPIA assessments, data minimization, and de-identification. Winners provides integrated ISO 27001 + ISO 27701 dual-certification advisory to avoid duplicating efforts.

If we already have TIPS certification, why do we still need ISO 56001?

TIPS (Taiwan Intellectual Property Management System) is a domestic certification from the Ministry of Economic Affairs focused on protecting existing trade secrets and confidential business information. ISO 56001 is an international Innovation Management System standard focused on systematically generating, developing, and delivering new innovative outcomes — and gaining international market recognition. The two serve fundamentally different purposes: TIPS protects existing innovations; ISO 56001 systematizes the production of new ones. TIPS certification does not demonstrate international innovation management capability — EU, Japanese, and other market partners are more familiar with ISO 56001. Winners helps enterprises use TIPS as a foundation and upgrade to ISO 56001, creating a complete cycle from innovation creation to protection.

What are the main risk analysis methods and how does Winners help choose the right approach?

The main risk analysis methods include: ① Bow-Tie Analysis (cause-and-effect visualization, ideal for showing risk drivers, consequences, and control points); ② FMEA (Failure Mode and Effects Analysis, suited for manufacturing process risk identification); ③ Scenario Analysis (for high-uncertainty risks like geopolitics and macro-economics); ④ Risk Heat Map/Matrix (2D likelihood × impact, for executive-level communication); ⑤ Monte Carlo Simulation (quantitative analysis for financial and project risks); ⑥ HAZOP (Process Hazard Analysis, for semiconductor and chemical plants). Selection depends on industry characteristics, risk types, management communication needs, ISO requirements, and available resources. Winners Consulting, drawing on ISO 31000, COSO ERM, industrial engineering, and data science expertise, designs the optimal method combination for each enterprise's specific risk profile.

What is a KRI (Key Risk Indicator)?

A KRI (Key Risk Indicator) is a quantitative metric used to provide early warning of emerging risks, enabling organizations to act before incidents occur. KRIs are a core tool of modern enterprise risk management (ERM). Winners helps enterprises establish KRI monitoring systems aligned with ISO 31000 and COSO ERM, leveraging AI technology to give senior management real-time risk visibility.

What is Winners Consulting's ISO certification pass rate?

Winners Consulting maintains a 98% ISO certification pass rate across all engagements. This reflects our structured methodology, experienced lead auditors, and commitment to full-cycle support — from gap assessment through certification audit.

What is the EU Cyber Resilience Act (CRA) and how does it affect Taiwanese manufacturers?

The EU Cyber Resilience Act (CRA) takes full effect in 2027 and requires all products with digital elements sold in the EU market to meet mandatory cybersecurity requirements throughout their lifecycle. For Taiwanese manufacturers of connected devices, industrial control systems, and software products, CRA compliance is now a market access requirement. Winners provides integrated CRA and IEC 62443 advisory to help manufacturers achieve CE marking and EU market entry.

Still Have Questions?

Contact our expert advisors for personalized answers and service recommendations.