Next Article in Journal
Classification of Benign and Malignant Renal Tumors Based on CT Scans and Clinical Data Using Machine Learning Methods
Previous Article in Journal
The Smart Governance Framework and Enterprise System’s Capability for Improving Bio-Business Licensing Services
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:

Risk-Based Approach for Selecting Company Key Performance Indicator in an Example of Financial Services

Research Department, SIA StarBridge, LV-1050 Riga, Latvia
Regional Economy and Economic Policy, Baltic International Academy, LV-1019 Riga, Latvia
Author to whom correspondence should be addressed.
Informatics 2023, 10(2), 54;
Submission received: 17 March 2023 / Revised: 16 May 2023 / Accepted: 29 May 2023 / Published: 19 June 2023


Risk management is a highly important issue for Fintech companies; moreover, it is very specific and puts forward the serious requirements toward the top management of any financial institution. This study was devoted to specifying the risk factors affecting the finance and capital adequacy of financial institutions. The authors considered the different types of risks in combination, whereas other scholars usually analyze risks in isolation; however, the authors believe that it is necessary to consider their mutual impact. The risks were estimated using the PLS-SEM method in Smart PLS-4 software. The quality of the obtained model is very high according to all indicators. Five hypotheses related to finance and five hypotheses related to capital adequacy were considered. The impact of AML, cyber, and governance risks on capital adequacy was confirmed; the effect of governance and operational risks on finance was also confirmed. Other risks have no impact on finance and capital adequacy. It is interesting that risks associated with staff have no impact on finance and capital adequacy. The findings of this study can be easily applied by any financial institution for risk analysis. Moreover, this study can serve toward a better collaboration of scholars investigating the Fintech activities and practitioners working in this sphere. The authors present a novel approach for enhancing key performance indicators (KPIs) for Fintech companies, proposing utilizing metrics that are derived from the company’s specific risks, thereby introducing an innovative method for selecting KPIs based on the inherent risks associated with the Fintech’s business model. This model aligns the KPIs with the unique risk profile of the company, fostering a fresh perspective on performance measurement within the Fintech industry.

1. Introduction

The fifth wave of innovations led to the digitalization of company operations and, consequently, the entire economy. The challenges of business process management have yet to be extensively researched, although the digitalization of the economy is frequently discussed in scientific literature [1,2,3,4,5,6]. According to Verhoef [7], the analysis of the discussed digital formation must take a multidisciplinary approach because it is only seen from the perspective of management and finance, or as a transformational issue.
All economic actions that rely on digital resources or are significantly improved by their use, including digital technologies, digital infrastructure, digital services, and data, are included in the digital economy. All producers and consumers—including the government—who use these digital tools for commerce are subject to this [8]. At the G20 meeting in 2020, this definition was provided as a component of the OBSE report. The report’s authors specifically mentioned financial and insurance services as examples of services that are entirely available online.
The exchange of cryptographic assets is a type of utility that can be considered in addition to financial services as digital. The exchange of cryptocurrencies can be categorized as an entirely digital service, even though it is not a financial service according to EEA laws [9].
In areas such as accounting, marketing, entrepreneurship, and production, the digital transformation of the economy has unveiled new challenges for managing participating companies [10,11,12,13,14].
The state of the enterprise or its processes can be objectively measured at any time if we consider a particular case of digital transformation, where all aspects of the business have undergone such a transformation and the entire business cycle is in the digital space [15,16,17]. This is because all indicators of such an enterprise at any given time are digitized and accessible. Key revenue indicators (KPIs) for the business include those [18,19]. KPIs offer unbiased metrics for an organization over a predetermined time frame. However, even though the management implications of digital transformation are being actively researched, the key indicators still need to be put forth, where they could be used to immediately identify (on the spot) the specific business states from the perspective of management and aid in immediate decision making [18,19].
The current key financial indicators (KPIs) are criticized as unsuitable for the economy’s digital transformation. This lack of availability is demonstrated by the fact that these metrics need to accurately depict the state of the business and offer the required level of process transparency for effective strategic and tactical management [19].
In the past, businesses have used key financial indicators to look back at their past performance in order to predict the future performance or maintain control over regulatory indicators [20,21,22,23,24]. The authors believe that in order for these KPIs to be in line with the realities of the digital transformation of the economy, it is necessary to increase their use in predicting how the situation will develop in order to create trigger actions based on them that will correct the current situation and, if necessary, prompt the correction of the measures themselves and the tasks that the enterprise uses.
According to Horváth and Szabó [25], digitalization is the automation of procedures using information technology. Digitalization, which can be understood as using digital technologies and data (digitized and natively digital) to generate revenue, improve businesses, and replace/transform business processes (not just digitize them), necessitates new ways of speaking and collaborating in the workplace [10]. Therefore, the role of information technology as a manufacturing process rather than as an auxiliary tool is expanding [13,26,27,28]. Scholars are confident that there are problematic issues with KPIs determination [6,13,28,29]. The authors contend that if information technology is referred to as a production process, transparent metrics are required to assess its efficacy and to identify, similarly to financial indicators, the actions that should be taken to remedy the present situation.
The authors point out that a methodology is needed to identify a list of necessary and sufficient KPIs for each specific business or process due to the multiplicity and frequent uniqueness of processes in each particular business or its portion.
The authors used a multidisciplinary approach to identify how the managerial, financial, and technological aspects of exclusively providing services in the digital space affect the risks of the company and how these risks can be mitigated by immediately identifying KPIs that measure these risks and choosing a course of action based on the values of the chosen KPIs. They used the example of the cryptocurrency exchange business to illustrate their point.
There also investigated how these risks can be mitigated by immediately identifying KPIs that measure these risks and by defining a course of action based on the values of the chosen KPIs.
The research’s objective was to examine the risk factors that affect the choice of key performance indicators. This study is the first step in developing the methodology of choosing key performance indicators for each unique company using a risk-based approach.
The practical value of this research is in developing the methodology of the key performance indicators selection for the particular business by analyzing the key risk indicators of that business. The authors present a novel strategy used to enhance key performance indicators (KPIs) for Fintech companies, proposing using metrics derived from the company’s specific risks, thus introducing an innovative method for selecting KPIs based on the inherent risks associated with the business model of Fintech. This model aligns the KPIs with the company’s unique risk profile, providing a novel perspective on performance measurement in the Fintech industry.
Another novelty of this article is in considering the risks not as separate issues but in combination, which allows for seeing not only the interrelation between different groups of risks but also estimating their mutual impact on company performance. The usual case of considering these risks is not in combination but separately.
This research has a particular scientific value since it shows the relationship between key performance and risk indicators. It develops the methodology of this specific relationship definition for any company using digital approaches.
The practical value of the research is significantly higher: stakeholders such as banks, financial institutions, crypto-currency exchangers, and other institutions can use the results of this study to understand the issue of the general acceptance of information technologies through the key performance indicators selection; it allows them to select company financial indicators based on the specificity of their business, which may use electronic automatic management systems.

2. Materials and Methods

Business continuity planning has become crucial in the digital economy because operations must always be conducted online [30]. Key risk indicators (KRIs) also assist in determining the likelihood of unfavorable situations that could impact a company’s business continuity [31]. By using key risk indicators, an organization can keep track of changes in risk and receive timely information about systemic and one-time events that may be connected to crisis situations that directly or indirectly impact an enterprise’s ability to carry out its operations.
KRIs, therefore, characterize and identify risks that have a significant manifestation in the business or deficiencies in control systems. They can be used alone or in conjunction with other fixed events associated with certain risks of the enterprise, such as balance sheet losses, audit results, and registration of customer complaints and suggestions.
Using fixed KRIs is not feasible due to the constant shift in risk events. Regularly reviewing these KRIs is necessary to safeguard the company from operational, reputational, and other risks. When the company has a thorough knowledge of the risks, it can accurately identify and choose the right risk indicators and consistently track performance using key performance indicators (KPIs) and other technologies that facilitate this process.
Therefore, the authors believe that, in order to choose process-grounded key performance indicators, it is necessary to analyze the enterprise’s risks, identify key risk indicators, and then choose key performance indicators describing the processes that lower risks in the identified areas. The risk indicators are closely connected with key performance indicators. Control and management of KPIs is required to decrease the company’s risks.
The authors attributed the companies’ risks to the following groups:
  • Governance Risks—The risk that the company’s rules, processes, and mechanisms, important for oversighting and decision making, function improperly. Governance risks relate to the directors’ decisions regarding board leadership, composition, and structure. Governance risks are associated with the resourcefulness and robustness of the company’s procedures for compliance with the relevant framework of laws, including the quality of reporting lines [23].
  • Operational Risks—The risk that the company experiences a loss due to inadequate or failed internal processes, people, systems, or external events [32,33].
  • Human Resources Risks—The risks that human resources pose on the company’s operations [34].
  • Health and Safety Risks—The risk of the company being exposed to a health and safety hazard that may result in harm, injury, death, or illness of an employee in a specific workplace [35].
  • Financial Risks—The risk a company may face that results in the possibility of losing money on an investment or business project [36].
  • Cyber Risks—This risk includes hardware and software failures, spam, viruses, malicious attacks, and other ICT matters [37].
  • Capital Adequacy Risks—Risks arising from the firm’s capital position, the adequacy of capital to support the level of current and anticipated business activities, and the access to further capital [38].
  • Environmental/External Risks—Risks arising from economic events that are out of the control of the corporate structure [39].
  • Law and Regulation Risks—The risk that the firm suffers financial, reputational, or litigation damage through failure to monitor, control, and eliminate or substantially reduce regulatory compliance risk [40].
  • Strategic Risks—The risk of loss arising from adverse business decisions that are poorly aligned to strategic goals, failed execution of policies and processes designed to meet those goals, and inability to respond to macroeconomic and industry dynamics. Strategic risks are also those risks associated with operating in a specific industry [41].
  • Financial Crime Risks—The risks that arise from the failure to prevent financial crime, money laundering, and market abuse [42].

2.1. Risk, Threats and Vulnerabilities

The effectiveness of the risk-based strategy depends on an accurate understanding of the risk to which the Fintech company is exposed. In this case, the risk is viewed as an inherent risk, or the risk one must take before adopting and implementing any processes, policies, controls, or other steps to lessen it. Before preparing for the interviews with the representatives of companies operating on the financial markets for risk assessment, the authors analyzed how risk might occur, keeping in mind two risk elements: vulnerabilities, or weaknesses that could be exploited for risk purposes, and threats, or outside forces that try to take advantage of company vulnerabilities [31,32,37,43,44].
The effect of the threat or vulnerability and the likelihood of the threat or vulnerability are the two factors that are used in the calculations for both threats and vulnerabilities. Whereas the likelihood of threats or vulnerabilities occurring during the reporting period is based on objective data, the effect of threats is determined by the expert assessment of risk managers.
Impact describes the kind and extent of damage that would result from exposing one or more vulnerabilities. Any risks that the authors outlined above could result in this harm. The combinations of likelihood and impact determine the inherent risk for the entity/person/process, etc. The authors proposed classifying list of threats and vulnerabilities, elaborated by the authors, according to effect and probability of the threat and vulnerability revealed within the aforementioned risks; the classified risks can be further utilized in questionnaires for financial institutions.
The risk analysis begins by determining the possible improper issues in the entity functioning. These drawbacks need to be compared to a probability metric that gauges the possibility that the event will occur.

2.2. Methods

Preliminary research was conducted to identify the components and indicators of the model. For this purpose, the authors interviewed 5 distinct financial and Fintech companies in the European Union. The authors employed risk element-specific questionnaires for these interviews.
The criteria for these companies’ selection are the following:
  • The respondent is a company registered in the European Union;
  • The company is regulated or supervised by the financial company supervisor;
  • The company has a risk management department or risk professionals;
  • The company is involved in the payment business;
  • Each risk event represents a threat or series of threats that exposes a company’s current vulnerabilities. The proper values of the vulnerabilities must be used to evaluate the threat impact or likelihood of the risk event.
The semi-structured interviews were conducted in 2017 and 2022. The model’s elements and indicators were collected during this time period, where 5 companies were interviewed.
The following criteria were prepared by the authors within the Table 1 for assessing the impacts of the threats and vulnerabilities by the participating companies:
The authors presented Table 2 with the following criteria to respondents to gauge the probability of threats and vulnerabilities:

2.2.1. Risk Calculation

In accordance with [45], the risk was calculated as follows:
I R = I m L
  • IR—inherent risk;
  • Im—the impact of the risk;
  • L—the likelihood of the risk.
The probability and effect of the inherent risk were calculated by the authors as the average of the likelihood and impact of each threat and vulnerability combination that made up the risk. The final threat and vulnerability were calculated as the average of all factors involved in the computation, including threats, vulnerabilities, impacts, and likelihoods if the same risk generates multiple threats and vulnerabilities (Source: the formula developed by the authors).
I m = i = 1 n ( T i i + ( V i 1 + V i 2 + + V i m ) m ) n 2
  • Im—the impact of the risk;
  • Tii—threat impact per each of the threats within the risk group;
  • Vi—vulnerabilities impact;
  • m—number of vulnerabilities per risk group;
  • n—number of threats per risk group.
L = i = 1 n ( T l i + ( V l 1 + V l 2 + + V l m ) m ) n 2
  • L—the likelihood of the risk;
  • Tli—threat likelihood per each of the threats within the risk group;
  • Vl—vulnerabilities likelihood;
  • m—number of vulnerabilities per risk group;
  • n—number of threats per risk group.
The impact and likelihood was calculated based on the following classification (Table 3):
Inherent risk value interpretation—numeric ranges are as follows: very low (VL) is from 0 to 5, low (L) is from 5.01–10, medium (M) is from 10.01 to 15, high (H) is from 15.01 to 20, and very high (VH) is from 20.01 to 25.
For the simultaneous analysis of several statistical relationships, the researchers primarily used two methods for structural equation modeling (SEM): partial least squares structural equation modeling (PLS-SEM) and covariance-based structural equation modeling (CB- SEM) [46,47,48]. The PLS-SEM methodology was selected since this methodology is more effective for the small data samples, which are used for exploratory and confirmatory types of research, and does not put forward the requirements for data normal distribution. [49,50].
A practical causal-predictive analysis can be performed using PLS-SEM, which also explains the variance in the independent constructs [47,48]. PLS-SEM enables forecasting the behavior of an unusual entity by combining a regression-based path analysis and analysis of the most crucial components [51]. This method can also define mediating and moderating effects and illustrate direct and indirect relationships [52]. Most researchers working in cutting-edge fields favor this approach [46].
The PLS-SEM technique takes into account both an inner and an outer model. The outer model takes into account the relationships between the latent variables and their reported indicators, whereas the inner model takes into account the relationships between independent and dependent latent variables. Latent variables, also known as constructs, are variables that cannot be evaluated directly.
The same ground was applied to key performance indicators as it was to financial and capital adequacy risks. As a result, other risk groups determine the model assumptions that might impact them. Given that the risk groups mentioned above reflect both internal and external processes, the authors decided that internal processes should be represented by the risk groups chosen for the modeling:
  • Governance risk;
  • ICT risk;
  • Operational risk;
  • Financial crime risk;
  • Human resources risk.
The first group of hypotheses (H1–H5) related to financial risk:
Governance Risk has a direct impact on company KPI.
ICT Risk has a direct impact on company KPI.
Operational Risk has a direct impact on company KPI.
Financial Crime Risk has a direct impact on company KPI.
Human Resource Risk has a direct impact on company KPI.
The second group of hypotheses (H6–H10) related to capital adequacy risk:
Governance Risk has a direct impact on company KPI.
ICT Risk directly impacts company KPI.
Operational Risk directly impacts company KPI.
Financial Crime Risk directly impacts company KPI.
Human Resource Risk has a direct impact on company KPI.

2.2.2. Model Estimation Using the SmartPLS Software

Three steps made up the PLS-SEM analysis in SmartPLS:
  • The validity of the outer paradigm or construct was assessed. The research included looking into the indicator loadings for the theoretically determined constructs and evaluating the model’s validity and dependability. Additionally, it was established how many iterations would be necessary for SmartPLS to finish the evaluation.
  • The inner model (structural model) assessed how the categories related to one another. The coefficient of determination (R2), standardized path coefficients (B), and impact size (f2) were used to accomplish this.
  • A broad evaluation of the model (overall model evaluation) was conducted to determine how well the model fits the data. This can be accomplished in SmartPLS by applying the SRM exact fit parameters.
The authors used the following values, mentioned in the Table 4, for model evaluation in the software SmartPLS:
Poor dependability is indicated by values less than 0.5, and loading with a CR of less than 0.5 should be removed from the dataset. However, in this research, each loading had a design confidence greater than 0.5; therefore, they were all incorporated into the model loadings.

3. Results

3.1. Preliminary Research

The authors created a list of common threats and vulnerabilities in the payments sector. The aforementioned lists were created in collaboration with the risk experts of the chosen businesses. There are clear differences between the respondents engaged in the section on capital adequacy:
  • Banks (credit institutions) pay the government for funds that serve as guarantees for the customer deposits that they take. The government will use these funds to reimburse the customer funds in case of the bank’s bankruptcy. As a result, the only factor affecting capital adequacy is the liquidity of bank funds [69].
  • Customers’ funds must be protected by financial institutions (also known as electronic money institutions or payment institutions), and, in the event of bankruptcy, they must be reimbursed from these segregated funds accounts [70,71,72,73].
  • Companies that exchange cryptocurrency assets and other kinds of businesses mentioned in the second payment directive [72] are not legally required to separate customer funds, but they still face capital adequacy risks [74].
The capital adequacy goal is the same for all kinds of businesses, despite variations in the nature of the risk and its control methods. The authors contend that, because all business types use the same capital adequacy risk assessment criteria, it can be assumed that the tasks involved in risk management are comparable.
According to the respondents, all other criteria (risk groups) apply to all businesses, making it possible to evaluate corporate risks using the same lists of threats and vulnerabilities, impact, and likelihood criteria.
Threats and vulnerabilities were evaluated according to their capacity to address all risk groups in the preliminary definition of the threats and vulnerabilities. Table A1 of Appendix A contains the final list of threats, whereas Table A2 of Appendix A contains the final list of vulnerabilities.
The respondents who participated in the interviews filled out the likelihood and impact values of threats and vulnerabilities. The interviews’ threat impact estimations were recorded in Table A3 of Appendix A, and the threat likelihood was recorded in Table A4 of Appendix A. The interviews’ vulnerabilities impact estimations were recorded in Table A5 of Appendix A, and the threat likelihood was recorded in Table A6 of Appendix A.
According to the methodology, the authors determined the risk associated with each threat faced by each respondent, after which they computed the average number for each risk group and respondent. Table A7 in Appendix A serves as a record of the ultimate results table. These results were used as a data source for the PLS-SEM analysis in SmartPLS.

3.2. Outer Model Evaluation—Construct Validity

The relationships shown by the collection of hypotheses served as the foundation for the model created with the SmartPLS software. Since such a boundary value is acceptable for exploratory research, SmartPLS 4.0’s application of PLS-SEM led to the selection of indicators of latent variables with loadings > 0.60 as the first step (see Table 4). Since all of the latent variable values were greater than 0.60, they were all considered in the model.
All loading weights for each variable were greater than 0.6, so they were all considered.
The values of the construct validity metrics for the outer model, which are composite reliability (CR) and average variance extracted (AVE), were all within the necessary bounds (see Table 4), and are listed in Table 5. A high dependability and internal consistency values were shown for each construct. The composite reliability was >0.984, and the average variance extracted was >0.942, indicating that the considered variables accurately represented the latent constructs intended for measurement.
The discriminant validity assessment, which identifies the differences between the constructs within the model, is considered necessary for outer model estimation. The Fornell–Larcker criterion and the heterotrait–monotrait ratio of correlations are two commonly used techniques to assess the discriminating validity in PLS SEM (HTMT).
The Fornell–Larcker criterion is the most common measure for assessing the discriminant validity in PLS-SEM. In some situations, the Fornell–Larcker criterion is considered weaker, more prone to error, and ineffective [75,76]. A more stringent standard is the heterotrait–monotrait ratio of correlations (HTMT) approach [62]. Hair et al. [76] suggested using HTMT [63] rather than the Fornell–Larcker technique due to its exaggerations when detecting discriminant validity. However, it is also advised to consider the model’s setting and the researcher’s level of conservatism when evaluating the discriminant validity [77].
Cross-loads demonstrated that each indicator had the highest loads in the construct initially intended to measure, and that the results fully satisfied the Fornell–Larcker criterion (see Table 6). All hidden variables fulfilled the HTMT requirement (see Table 7). There is no risk of any kind that will demonstrate an absence of discriminant validity.
The cross-loading indicators show the perfect discriminate validity of the factors.
An indicator of the degree of multicollinearity in regression analysis is the variance inflation factor (VIF). In a multiple regression model, multicollinearity occurs when there is a correlation between several independent factors. Examining the variance inflation factor (VIF) values (see Table 8), which should not be greater than 3.3, allows for an examination of multicollinearity [65,66,67]. For this model, the highest variance inflation factor (VIF) was 2.665. As a result, multicollinearity is apparently not an issue.

3.3. Evaluation of the Inner Model (Structural Model). Verifying the Hypotheses

The inner model uses the coefficient of determination (R2), standardized path coefficients (β), and impact size (f2) to characterize the relationships between the constructs. Fewer than the permitted 10 iterations—7—were completed before the study was terminated [47,63].
As stated, we first looked into the model using the relationships specified in the model’s framework (see Figure 1).
In the present study, the R2 values for the constructs “Capital Adequacy Risk” and “Financial Risk” as the target variables of the model were of the greatest interest. The latent variables of the model explained that about 61.5% of the other types of risks affect the capital adequacy risk, and 32.0% of the other types of risk affect the financial risk (see Table 9). This is a relatively high level of R2, indicating that the research determined the key factors that can influence the financial and capital adequacy for Fintech companies and, most likely, in businesses of comparable size and infrastructure.
Only five of ten hypotheses regarding the precise relationship between risks and other factors were confirmed (see Table 10). At the same time, it was found that governance risk has the biggest overall impact on capital sufficiency risk (β = 0.742 ± 0.722), and that cyber risk has the smallest overall impact (β = 0.119 ± 0.802).

3.4. Overall Model Assessment

Without a comprehensive model evaluation, a PLS-SEM study cannot be finished. Unfortunately, this estimate did not perform excellently; the result of the standardized root means squared residual (SRMR) was 0.089, whereas the necessary value is 0.080. This difference is not terrible though, so it is still worth taking into account the findings of this research.
Given these details, we can conclude that the task has been completed and the exploration has been successfully conducted, with a clear grasp of its limitations and future research directions. Therefore, given the relationship between various types of risks and financial and capital adequacy risks, we will explore some opportunities in the discussion section.

4. Discussion

The research results show that human resources risks (staff risk) do not correlate with the financial and capital adequacy risk. Assessing and addressing the possible risks associated with having a workforce is known as human resources risks. These risks are linked to employee behavior and how the company recruits, retains, and manages employees and other kinds of workers. Despite the numerous articles where scholars define the importance of labor force management for the management of the company, this research shows that, based on the evaluations of five Fintech companies working in different fields and countries and further model evaluation, risk related to labor force—inadequate management or absence—does not have a direct effect on the financial results of the company.
Another result of the research is related to governance risk. The governance risk shows a strong correlation with the capital adequacy risk. This result emphasizes that despite the high digitalization of the Fintech business, the major influence on the company’s financial results is as a result of the company governance. In other words, it is not the effectiveness of the IT systems of the company but the effectiveness of the governance provided by the company’s managerial board that plays a major role.
The authors of this research show that KPIs have an obvious relationship with KRIs. Scholars distinguish KPIs and KRIs. KRIs are used to identify the possible risks, whereas KPIs evaluate the company performance. Even now, many businesses use these terms interchangeably. KPIs are frequently made to provide a broad overview of organizational success. Thus, even though these metrics might not be able to provide sufficient early warning signals of a developing risk, they are crucial for trend analysis and performance monitoring. KRIs emphasize just the opposite.

Research Limitations

Data from five distinct types of Fintech companies were used in the study. In terms of size, the degree of digitalization, and customer service strategies, we believe that other types of Fintech companies will have similar influencing risks with respect to the financial and capital adequacy risks. However, they were not considered by the authors, which can be seen as a limitation of this study.
The group of factors selected to establish the model construct also poses a restriction. Although the authors made an effort to take into account all potential indicators, it is still possible to broaden the set of indicators used, add additional variables, or use a different technique for data analysis.
Additionally, survey errors, particularly coverage and sampling errors, are a component of sampling studies. There will almost certainly be a difference between the sample and the general community. The findings of a single sample research cannot be regarded as representative if a large-scale randomized study has not been carried out. In such circumstances, numerous sample studies carried out by various authors can yield representative results.
It should be emphasized that the types of risks involved in this study limited the way in which the model could be interpreted. The authors decided that internal processes should be represented by the internal risk groups chosen for the modeling because the risk groups mentioned above reflect both internal and external processes. This decision can be seen as a limitation of this research because internal processes should be represented by internal risk groups.

5. Conclusions

The authors analyzed the key risk indicators of the business and the correlations between the company’s risk indicators with the purpose of developing the methodology for the key performance indicators selection. By choosing suitable KPIs based on observations of the business events specified by the risk parametrizations, the digitalization of the financial services industry, or Fintech, puts forward the requirements for digitalizing the company’s management processes.
The model’s elements and indicators were identified through the preliminary research. The authors interviewed five financial and Fintech companies in the European Union for this reason. Together with the risk specialists of these companies, a final risk elements list was created and grouped within the questionnaires. The risk components evaluations, based on the above-mentioned questionnaires, were used as a data source for the model. Taking into account the sensitivity of the data regarding their risks, the interviewees consented to participate under the condition of anonymity.
The authors agree that a larger sample size would contribute to the robustness of the results. A larger sample would help to capture a broader range of perspectives and experiences, thereby increasing the reliability and generalizability of the findings. This could involve expanding the number of financial and Fintech companies interviewed or including a more diverse set of participants, such as regulators, industry experts, or academics.
However, the purpose of the research was to evaluate the novel concept of selecting KPIs based on the five distinct categories of Fintech business models represented by risk indicators. The goal was to gain rich insights from a smaller number of participants rather than aiming for statistical representativeness. This approach allows for a detailed exploration of the risk factors and their impact on finance and capital adequacy in specific contexts. It would be beneficial for future studies to consider both qualitative and quantitative approaches. This would provide a more comprehensive analysis by combining in-depth interviews with a larger survey or data analysis, ensuring a balanced and well-rounded investigation.
Within this research, the model was constructed based on the risk types, representing the internal processes of the company. The authors considered the following groups of risks: governance risk, ICT risk, operational risk, financial crime risk, and human resources risk, and their impact on finance and capital adequacy. The model verified the correlation of the risk, representing internal processes toward the financial risk and capital adequacy risk. The authors assume that financial and capital adequacy risks are connected to the financial KPIs of the company. The study was carried out using PLS-SEM in SmartPLS 4.0 software.
The research shows that all the risks considered in the model, except for staff risk, correlate with the financial and/or capital adequacy risk. Approximately 61.5% of the other categories of risks that affect capital adequacy risk and 32.0% of the other types of risks that affect financial risk were explained by latent variables in the obtained model. The primary factors influencing the different risk types that impact financial and capital adequacy risk were identified in this study. These data could be used to create manual or automated KPI selection and evaluation models for Fintech firms or other businesses with comparable degrees of digitalization.
Despite the lack of a definitive correlation between staff risk and financial or capital adequacy risk, since the related hypothesis was rejected, this element significantly influenced the creation of the model. Events pertaining to these categories of risks must be excluded from the final model construction and calculation.
As a result, this research identified the crucial elements influencing the growth of KPIs based on financial and capital adequacy risk.
Stakeholders in this procedure include all divisions of Fintech companies. The outcomes can be used as a foundation for initiatives that seek to automate performance results. The purpose of this study was to demonstrate that the unified methodology for Fintech’s risks brings additional benefits, apart from the risk management efficacy itself: the ability to select KPIs based on the unique business model of Fintech. The authors devised an innovative approach to selecting comprehensive KPIs, covering all aspects of the exact Fintech business model.
All divisions of Fintech companies are stakeholders in this procedure. The obtained results can be used as a foundation for initiatives oriented toward automating the performance results analysis.

Author Contributions

Conceptualization, O.C.; methodology, Y.P. and O.C.; software, D.C.; validation, O.C., Y.P. and D.C.; formal analysis, O.C.; investigation, O.C.; data curation, Y.P.; writing—original draft preparation, O.C.; writing—review and editing, Y.P.; visualization, D.C.; supervision, Y.P. All authors have read and agreed to the published version of the manuscript.


This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data is contained within the Appendix A.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Table A1. The list of threats.
Table A1. The list of threats.
Threat GroupThreatGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime Risks
1 Ecosystem pollutionAir pollution XX
2 Ecosystem pollutionEnvironmental accidents XX
3 Extreme weather eventsEarthquake XX
4 Extreme weather eventsFlooding XX
5 Extreme weather eventsHurricane XX
6 Extreme weather eventsLightning XX
7 Extreme weather eventsHeat waves XX
8 Extreme weather eventsFire XX
9 Ecosystem pollutionWater scarcity—Lack or insufficient supply of water XX
10 Market riskPublic policy change—Pollution control regulations X
11 Market riskShifting sentiment—Changes in consumer preference for certain products X
12 Remote workPandemicXXXXX
13 Company cultureHarassment X
14 Company cultureDiscrimination X
15 Company cultureEavesdropping X X
16 Humane resourceIllegal import/export of software XXX
17 Humane resourceIllegal use of software XXX
18 Humane resourceMaintenance error XX X
19 Humane resourceMisuse of resources XX X
20 Humane resourceOperational support staff error XXXX
21 Humane resourceStaff shortage XXXX
22 Humane resourceStaff mistakes XXXXXX
23 Manipulated dataMalware X XX
24 SupplyUse of software in an unauthorized way X
25 Manipulated dataCommunications infiltration X
26 Manipulated dataMisrouting or rerouting of messages X X X
27 Manipulated dataUnauthorized use of software X
28 Manipulated dataUnauthorized use of storage media X
29 Manipulated dataWillful damage X XXXX
30 Remote workMasquerading of user identity X X
31 Remote workNetwork access by unauthorized persons X X
32 Remote workRepudiation (e.g., of services, transactions, sending/receiving messages) X X
33 Remote workUse of software by unauthorized users X
34 CommunicationDamage to communication lines/cables X XX
35 CommunicationFailure of communications services X X
36 CommunicationFailure of network components X
37 CommunicationTraffic overloading X
38 CommunicationTransmission errors X
39 CommunicationUse of network facilities in an unauthorized way X
40 HardwareAir conditioning failure X XXX
41 HardwareBomb attack XXX
42 HardwareDeterioration of storage media XXX
43 HardwareHardware failure X
44 HardwareIndustrial action X
45 HardwareTheftXXXXXX
46 SupplyFailure of power supply X
47 SupplyPower fluctuation X
48 SupplySoftware failureXXXXXXX
49 Customer-related threats—CustomerClient works in high-risk sector X
50 Customer-related threats—CustomerUBO of the company works in high-risk sector X
51 Customer-related threats—CustomerRepresentative of the private individual works in high-risk sector X
52 Customer-related threats—CustomerClient family member of politically exposed person X
53 Customer-related threats—CustomerUBO family member of politically exposed person X
54 Customer-related threats—CustomerClient representative family member of politically exposed person X
55 Customer-related threats—CustomerClient representative associated to politically exposed person X
56 Customer-related threats—CustomerClient associated to politically exposed person X
57 Customer-related threats—CustomerClient representative politically exposed person X
58 Customer-related threats—CustomerClient foreign politically exposed person X
59 Customer-related threats—CustomerUBO foreign politically exposed person X
60 Customer-related threats—CustomerClient representative foreign politically exposed person X
61 Customer-related threats—CustomerClient domestical politically exposed person (PEP) X
62 Customer-related threats—CustomerUBO domestical politically exposed person (PEP) X
63 Customer-related threats—CustomerClient representative domestical politically exposed person (PEP) X
64 Customer-related threats—CustomerCompany incorporation type X
65 Customer-related threats—CustomerConcealment of beneficial ownership X
66 Customer-related threats—CustomerShell company X
67 Customer-related threats—CustomerShell bank X
68 Customer-related threats—TransactionsHigh turnover X
69 Customer-related threats—CustomerReliable bad adverse media X
70 Customer-related threats—CustomerNon-reliable bad adverse media X
71 Customer-related threats—CustomerReceived request to freeze customer’s UBO (FIAU, MFSA, police, court, etc.)X X XX
72 Customer-related threats—CustomerReceived request to freeze customer’s UBO (FIAU, MFSA, police, court, etc.)X X XX
73 Customer-related threats—TransactionsReceived request to monitor customer’s transaction (FIAU);X X XX
74 Customer-related threats—TransactionsInformation request (FIAU, MFSA, police, court)X X
75 Customer-related threats—TransactionsSTR/STA submitted regarding the customer or their UBO;X X
76 Customer-related threats—TransactionsSTR/STA submitted regarding the customer’s UBO;X X
77 Customer-related threats—CustomerCustomer in the terrorist listX X XX
78 Customer-related threats—CustomerCustomer UBO in the terrorist listX X XX
79 Customer-related threats—CustomerCustomer representative in the terrorist listX X XX
80 Customer-related threats—CustomerSanctions on the customer X XX
81 Customer-related threats—CustomerSanctions on the customer shareholders or UBOs X XX
82 Customer-related threats—CustomerSanctions on the customer representative X XX
83 Customer-related threats—CustomerIdentity fraud X XX
84 Customer-related threats—CustomerNon-identified parties account usage X
85 Customer-related threats—CustomerFalse/incorrect personal data X
86 Customer-related threats—CustomerFalse/incorrect personal data of UBO, or authorized/representative persons. X
87 Customer-related threats—CustomerFalse/incorrect personal data of customer representative X
88 Customer-related threats—CustomerCustomer issue bearer shares X
89 Customer-related threats—CustomerComplex ownership structure and opaque business structures (e.g., non-transparent, with several layers) X
90 Customer-related threats—TransactionsTax evasion X
91 Customer-related threats—TransactionsLocal criminal groups X
92 Customer-related threats—TransactionsDrug trafficking X
93 Customer-related threats—TransactionsFraud and misappropriation X
94 Customer-related threats—TransactionsCorruption and bribery X
95 Customer-related threats—TransactionsSmuggling X
96 Customer-related threats—TransactionsTheft and receipt of stolen goods X
97 Customer-related threats—TransactionsArmed robbery X
98 Customer-related threats—TransactionsLiving on the earnings of prostitution X
99 Customer-related threats—TransactionsUsury X
100 Customer-related threats—TransactionsIllegal gambling and violations of the Gaming Act X
101 Customer-related threats—TransactionsHuman trafficking X
102 Customer-related threats—TransactionsArms trafficking X
103 Customer-related threats—TransactionsSmuggling of persons X
104 Customer-related threats—TransactionsUnlicensed financial services X
105 Customer-related threats—TransactionsTerrorism and terrorist financing—Raising funds from criminal activities X
106 Customer-related threats—TransactionsTerrorism and terrorist financing—Raising funds from legal activity X
107 Customer-related threats—TransactionsSexual exploitation, including sexual exploitation of children X
108 Customer-related threats—TransactionsCounterfeiting currency X
109 Customer-related threats—TransactionsEnvironmental crime (illegal fishing, logging, dumping, mining, constrictions) X
110 Customer-related threats—TransactionsMurder, grievous bodily injury X
111 Customer-related threats—TransactionsCounterfeiting and piracy of products X
112 Customer-related threats—TransactionsKidnapping, illegal restraint, and hostage taking X
113 Customer-related threats—TransactionsExtortion X
114 Customer-related threats—TransactionsForgery X
115 Customer-related threats—TransactionsPiracy (i.e., maritime) X
116 Customer-related threats—TransactionsInsider trading and market manipulation X
117 Customer-related threats—TransactionsUnauthorized (unlicensed) commercial activity X
118 Customer-related threats—ProductProduct risk—SEPA payments X X
119 Customer-related threats—ProductProduct risk—SWIFT payments X X
120 Customer-related threats—ProductProduct risk—money send X X
121 Customer-related threats—ProductProduct risk—payment cards X X
122 Customer-related threats—ProductProduct risk—card purchases X X
123 Customer-related threats—ProductProduct risk—card cash withdrawal X X
124 Customer-related threats—ProductProduct risk—card credit voucher X X
125 Customer-related threats—ProductProduct risk—cor. accounts payments X X
126 Customer-related threats—ProductProduct risk—cash operations X X
127 Customer-related threats—ProductProduct risk—transaction to cryptocurrency X X
128 Customer-related threats—ProductProduct risk—transaction to gambling X X
129 Customer-related threats—ProductProduct risk—transaction received from sanctioned country X X X
130 Customer-related threats—ProductProduct risk—transaction sent to sanctioned country X X X
131 Customer-related threats—ProductProduct risk—transaction sent/received to/from sanctioned entity. X X XX
132 Customer-related threats—ProductProduct risk—transactions sent to high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
133 Customer-related threats—ProductProduct risk—transactions received from high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
134 Customer-related threats—ProductProduct risk—transaction counteragent is included in terrorist list X X XX
135 Customer-related threats—GeographicCustomer’s geographical location is in country with comprehensive sanctions X X X
136 Customer-related threats—GeographicUBO of the customer geographical location is in country with comprehensive sanctions X X X
137 Customer-related threats—GeographicCustomer representative geographical location is in country with comprehensive sanctions X X X
138 Customer-related threats—GeographicCustomer’s geographical location or their financial connections is in high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
139 Customer-related threats—GeographicUBO of the customer’s geographical location or their financial connections is in high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
140 Customer-related threats—GeographicCustomer’s representative geographical location or their financial connections is in high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
141 Customer-related threats—GeographicGeographical location of institution, branches X X X
142 Customer-related threats—CustomerFace-to-face identification X X
143 Customer-related threats—CustomerIdentification by distributor X X
144 Customer-related threats—CustomerNon-face-to-face identification X X
145 Customer-related threats—TransactionsTransaction initiated in the shop X
146 Customer-related threats—TransactionsTransaction initiated remotely X
147 Customer-related threats—TransactionsTransaction initiated by PISP X
148 Credit riskUnallowed overdraftsXX X X
149 Credit riskUnallowed overdrafts with reservesXX X X
150 Market riskRecession X X
151 Market riskPolitical turmoil X X
152 Market riskChanges in interest rates X X
153 Market riskTerrorist/pirates attacks X X X
154 Market riskWarXXXXXXX
155 Market riskStrikes XXX X
156 Unsystematic riskRegulators finesXX X XX
157 Unsystematic riskProduct supply suspensionXX X XX
158 Unsystematic riskLaw casesXXXX XX
159 Market riskProduct price change on the market/product not competitiveXX X X
160 ComplianceProduct area of use violenceXX X X
161 ComplianceProduct licensor regulation violationXX X X
162 ComplianceCurrent product does not correspond to new regulators normsXX X XX
163 CompliancePayment systems regulation violenceXX X X
164 CompliancePartner due diligence absenceXX X XX
165 ComplianceSign agreement with the out-source without prior approval from regulatorXX X X
166 ComplianceUse of cloud solutions, rendered services not in accordance with EBA regulation X XXX
167 ComplianceDo not support PISP, AISPXX XXX
168 ComplianceDo not apply SCA in accordance with normsXX XXX
169 ComplianceFinancial institution operates below the minimum regulatory capital ratios or with negative own fundsXX X X
170 ComplianceCorrespondent bank deducts funds without approval from customer funds segregation account X X X
171 ComplianceThe customer “Right to Be Forgotten” was not realizedXXXXXX
172 ComplianceThe customers data were shared with GDPR violationXXXXXX
173 ComplianceBreach of payment card data XX XXX
174 ComplianceDisclosure of protected health informationXXXX XX
175 ComplianceNot appointed or trained data protection officer XXXXXX
176 ComplianceNot easy to identify and/or no data upon customer request available X X X
177 ComplianceThe business continuity plan not testedXX X
178 ComplianceThe ICT risk not assessed and/or reportedX X
179 ComplianceGovernance risk not assessed and/or reportedX
180 ComplianceOperational risk not assessed and/or reportedXX
181 ComplianceHuman resource risk not assessed and/or reportedX X
182 ComplianceHealth and safety risk not assessed and/or reportedX
183 ComplianceFinancial risk not assessed and/or reportedX X
184 ComplianceCapital adequacy risk not assessed and/or reportedX X
185 ComplianceEnvironmental/external risk not assessed and/or reportedX
186 ComplianceLaw/compliance risk not assessed and/or reportedX
187 ComplianceStrategic risk not assessed and/or reported X
188 ComplianceFinancial crime risk not assessed and/or reportedX X
189 ComplianceThe compliance officer was not assignedX X
190 ComplianceThe MLRO was not assignedX X X
191 ComplianceThe risk officer was not assignedX X
192 ComplianceThe internal auditor was not assignedXXXXXXX
193 ComplianceBoard director shortageXXXX X
194 ComplianceBoard directors not approved by regulatorsXXXX X
195 ComplianceSenior management not approved by regulators (if applicable)XXXX X
196 ComplianceUnresolved/unassessed conflict of interestsXXXXXXX
197 Change riskImplementation of the new distribution channels without POG approvalXXXXXXX
198 Change riskImplementing new requirements to customers without POG approvalXX XXXX
199 Change riskImplementing new product/service or their changes without POG approvalXX XXXX
200 Change riskImplementing new/variation of tariffs before prior customer approvalXX X X
201 Change riskImplementing new/variation of tariffs without POG approvalXX X X
202 Change riskElimination of the product/services before prior customer’s approvalXX X XX
203 Change riskElimination of the product/services without POG approvalXX X XX
204 Change riskCountry/audience change without POG approvalXX XXXX
205 Change riskCountry/audience elimination before prior customer’s notificationXX XXXX
206 Change riskNo execution of the regulatory changes in the requested time periodXX XXXX
207 Reputational riskPoor customer support serviceXX
208 Reputational riskLack of secure e/m banking platformXX XXX
209 Reputational riskFraud and corruption related to the financial institutionXXXX X
210 Reputational riskUnreasonable account block or product unavailabilityXX X X
211 Reputational riskUnclear/incorrect information to the customers (tariffs, extracts)XX X
212 Reputational riskHosting country reputation
213 Reputational riskNegative review on social mediaXX
214 Reputational riskUnreasonably long customer onboardXX XXXX
215 Reputational riskUnreasonably long customer request processingXX X XX
216 Reputational riskLow shareholders trustX
217 Reputational riskProduct functioning errorsXX XXX
Source: generated by the authors.
Table A2. The list of vulnerabilities.
Table A2. The list of vulnerabilities.
VulnerabilityGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime Risks
Absence of clear and comprehensive governance policyX
Lack of information exchange between departmentsXX X
Lack of strategy plan or its actualizationX
Lack of record keeping of the board decisionX
Lack of board decision notification to the staffX X
Lack/improper policies/procedures describing internal processesXXXXXXX
Lack of the procedure/policies/reports approval procedure by the boardX
Lack of financial reportingXX X XX
Lack of job descriptionsXXX X X
Absence of the critical skills management procedureXXX
Critical skills shortage XX X X
Lack of/insufficient staff training XX X X
Lack of the product oversign and governance/change controlX X
Failure to adhere to the company’s policies or procedures XXXXXXX
Failure to enforce policiesXXXXXXX
Failure to stack to the distributors/out-source company approval procedure X X
Lack of an exit strategy for co-operation with distributors/out-source companies X X
Failure to protect prices with the distributor/out-source company X X X
Failure of distributor/out-source company/supplier to supply service X XX X
Lack of a business continuity plan or its insufficiencyXXXXX
Failure to diversifyXXXXXXX
Unsupervised work by suppliers or cleaning staff X X
Lack of security awareness XX X
Poorly documented software X X
Lack of monitoring mechanismsXX XXXX
Inadequate or careless use of physical access control to buildings, rooms, and offices X X
Lack of physical protection for the building, doors, and windows X
Location in an area susceptible to flood and fire X X
Unprotected storage X XX X
Insufficient maintenance/faulty installation of storage media X
Lack of periodic equipment replacement schemes X
Susceptibility to humidity, dust, and soiling X X
Susceptibility to temperature variations X X
Susceptibility to voltage variations X
Unprotected communication lines X
Poor joint cabling X
Lack of identification and authentication mechanisms X X X
Unprotected sensitive traffic XXXX X
Inadequate network management X
Lack of care at disposal X X
Complicated user interface X X
Lack of audit trailXX XX X
No or insufficient product/software/process testing X XX X
Poor password management X
Unclear or incomplete specification for developers X XXXX
Uncontrolled downloading and using software XX
Well-known gap in the software/process still in covering X XXXX
Wrong allocation of access rights X XX X
Insufficient or irregular water supply X X
Inappropriate CDD/EDD procedure X X
Inappropriate cash management XXX XX
Failure to identify risk-related eventsXXXXXXX
Failure to identify beneficiary/customer X X X
Failure to report to supervising organizationsXXXXXXX
Failure to respond/communicate with the regulatorsXXXXXXX
Lack of incident-reporting mechanismXXXXXXX
Lack of staff stress relief possibilities and trainings X
Bad ergonomics of the work place
Bad or absent noise control
Poor housekeeping X
Missing or insufficient lighting
Missing or expired or not verified extinguishers/fire-extinguishing mechanisms X
Correspondent bank stability risk X X X
Failure to define product prices in accordance with the market X
Failure to manage assets volatility risk X
Lack of liquidity X X X
Staff fraud X X
Staff mistakes X XX X
Incorrect accounting/business model application X X X
Internal processes incompliant with current legal norms and regulationsXXXXXXX
Lack of or improper customer funds segregation/capital rate calculation mechanism X X
Failure of the management to review and evaluate capital adequacy/customer funds segregation assessments and strategiesXX X X
Failure to define and control segregated funds access from the side of the correspondent bankXX X X
Poorly described and managed suppliers’ invoices payments procedure X X X
Lack of or improper overdraft management procedure X X X
Lack of or improper company liabilities management procedure X X X
Lack of or improper data privacy procedureXXXXX
Lack of a data protection officer or roleXXXXXX
Source: generated by the authors.
Table A3. The list of threats impacts per respondent.
Table A3. The list of threats impacts per respondent.
Governance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime Risks
Respondent 1Respondent 2Respondent 3Respondent 4Respondent 5
Source: generated by the authors based on the respondents’ completed questionnaire.
Table A4. The list of threats likelihood per respondent.
Table A4. The list of threats likelihood per respondent.
Governance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime Risks
Respondent 1Respondent 2Respondent 3Respondent 4Respondent 5