Article

Risk-Based Approach for Selecting Company Key Performance Indicator in an Example of Financial Services

1 Research Department, SIA StarBridge, LV-1050 Riga, Latvia
2 Regional Economy and Economic Policy, Baltic International Academy, LV-1019 Riga, Latvia
* Author to whom correspondence should be addressed.
Informatics 2023, 10(2), 54; https://doi.org/10.3390/informatics10020054
Submission received: 17 March 2023 / Revised: 16 May 2023 / Accepted: 29 May 2023 / Published: 19 June 2023

Abstract

Risk management is a highly important issue for Fintech companies; moreover, it is very specific and places serious demands on the top management of any financial institution. This study was devoted to specifying the risk factors affecting the finance and capital adequacy of financial institutions. The authors considered the different types of risks in combination, whereas other scholars usually analyze risks in isolation; however, the authors believe that it is necessary to consider their mutual impact. The risks were estimated using the PLS-SEM method in Smart PLS-4 software. The quality of the obtained model is very high according to all indicators. Five hypotheses related to finance and five hypotheses related to capital adequacy were considered. The impact of AML, cyber, and governance risks on capital adequacy was confirmed; the effect of governance and operational risks on finance was also confirmed. Other risks have no impact on finance and capital adequacy. It is interesting that risks associated with staff have no impact on finance and capital adequacy. The findings of this study can be easily applied by any financial institution for risk analysis. Moreover, this study can support better collaboration between scholars investigating Fintech activities and practitioners working in this sphere. The authors present a novel approach for enhancing key performance indicators (KPIs) for Fintech companies, proposing the use of metrics derived from the company’s specific risks, thereby introducing an innovative method for selecting KPIs based on the inherent risks associated with the Fintech’s business model. This model aligns the KPIs with the unique risk profile of the company, fostering a fresh perspective on performance measurement within the Fintech industry.

1. Introduction

The fifth wave of innovations led to the digitalization of company operations and, consequently, the entire economy. The challenges of business process management have yet to be extensively researched, although the digitalization of the economy is frequently discussed in scientific literature [1,2,3,4,5,6]. According to Verhoef [7], the analysis of the discussed digital formation must take a multidisciplinary approach because it is only seen from the perspective of management and finance, or as a transformational issue.
All economic actions that rely on digital resources or are significantly improved by their use, including digital technologies, digital infrastructure, digital services, and data, are included in the digital economy. All producers and consumers—including the government—who use these digital tools for commerce are subject to this [8]. At the G20 meeting in 2020, this definition was provided as a component of the OBSE report. The report’s authors specifically mentioned financial and insurance services as examples of services that are entirely available online.
The exchange of cryptographic assets is a type of utility that can be considered in addition to financial services as digital. The exchange of cryptocurrencies can be categorized as an entirely digital service, even though it is not a financial service according to EEA laws [9].
In areas such as accounting, marketing, entrepreneurship, and production, the digital transformation of the economy has unveiled new challenges for managing participating companies [10,11,12,13,14].
The state of the enterprise or its processes can be objectively measured at any time if we consider a particular case of digital transformation, where all aspects of the business have undergone such a transformation and the entire business cycle is in the digital space [15,16,17]. This is because all indicators of such an enterprise at any given time are digitized and accessible. These include the key performance indicators (KPIs) of the business [18,19]. KPIs offer unbiased metrics for an organization over a predetermined time frame. However, even though the management implications of digital transformation are being actively researched, the key indicators still need to be put forth, where they could be used to immediately identify (on the spot) the specific business states from the perspective of management and aid in immediate decision making [18,19].
The current key financial indicators (KPIs) are criticized as unsuitable for the economy’s digital transformation. This lack of availability is demonstrated by the fact that these metrics need to accurately depict the state of the business and offer the required level of process transparency for effective strategic and tactical management [19].
In the past, businesses have used key financial indicators to look back at their past performance in order to predict the future performance or maintain control over regulatory indicators [20,21,22,23,24]. The authors believe that in order for these KPIs to be in line with the realities of the digital transformation of the economy, it is necessary to increase their use in predicting how the situation will develop in order to create trigger actions based on them that will correct the current situation and, if necessary, prompt the correction of the measures themselves and the tasks that the enterprise uses.
According to Horváth and Szabó [25], digitalization is the automation of procedures using information technology. Digitalization, which can be understood as using digital technologies and data (digitized and natively digital) to generate revenue, improve businesses, and replace/transform business processes (not just digitize them), necessitates new ways of speaking and collaborating in the workplace [10]. Therefore, the role of information technology as a manufacturing process rather than as an auxiliary tool is expanding [13,26,27,28]. Scholars are confident that there are problematic issues with KPIs determination [6,13,28,29]. The authors contend that if information technology is referred to as a production process, transparent metrics are required to assess its efficacy and to identify, similarly to financial indicators, the actions that should be taken to remedy the present situation.
The authors point out that a methodology is needed to identify a list of necessary and sufficient KPIs for each specific business or process due to the multiplicity and frequent uniqueness of processes in each particular business or its portion.
Using the example of the cryptocurrency exchange business, the authors took a multidisciplinary approach to identify how the managerial, financial, and technological aspects of providing services exclusively in the digital space affect the risks of the company. They also investigated how these risks can be mitigated by immediately identifying KPIs that measure these risks and by defining a course of action based on the values of the chosen KPIs.
The research’s objective was to examine the risk factors that affect the choice of key performance indicators. This study is the first step in developing the methodology of choosing key performance indicators for each unique company using a risk-based approach.
The practical value of this research is in developing the methodology of the key performance indicators selection for the particular business by analyzing the key risk indicators of that business. The authors present a novel strategy used to enhance key performance indicators (KPIs) for Fintech companies, proposing using metrics derived from the company’s specific risks, thus introducing an innovative method for selecting KPIs based on the inherent risks associated with the business model of Fintech. This model aligns the KPIs with the company’s unique risk profile, providing a novel perspective on performance measurement in the Fintech industry.
Another novelty of this article is in considering the risks not as separate issues but in combination, which allows for seeing not only the interrelation between different groups of risks but also estimating their mutual impact on company performance. The usual case of considering these risks is not in combination but separately.
This research has a particular scientific value since it shows the relationship between key performance and risk indicators. It develops the methodology of this specific relationship definition for any company using digital approaches.
The practical value of the research is significantly higher: stakeholders such as banks, financial institutions, crypto-currency exchangers, and other institutions can use the results of this study to understand the issue of the general acceptance of information technologies through the key performance indicators selection; it allows them to select company financial indicators based on the specificity of their business, which may use electronic automatic management systems.

2. Materials and Methods

Business continuity planning has become crucial in the digital economy because operations must always be conducted online [30]. Key risk indicators (KRIs) also assist in determining the likelihood of unfavorable situations that could impact a company’s business continuity [31]. By using key risk indicators, an organization can keep track of changes in risk and receive timely information about systemic and one-time events that may be connected to crisis situations that directly or indirectly impact an enterprise’s ability to carry out its operations.
KRIs, therefore, characterize and identify risks that have a significant manifestation in the business or deficiencies in control systems. They can be used alone or in conjunction with other fixed events associated with certain risks of the enterprise, such as balance sheet losses, audit results, and registration of customer complaints and suggestions.
Using fixed KRIs is not feasible due to the constant shift in risk events. Regularly reviewing these KRIs is necessary to safeguard the company from operational, reputational, and other risks. When the company has a thorough knowledge of the risks, it can accurately identify and choose the right risk indicators and consistently track performance using key performance indicators (KPIs) and other technologies that facilitate this process.
Therefore, the authors believe that, in order to choose process-grounded key performance indicators, it is necessary to analyze the enterprise’s risks, identify key risk indicators, and then choose key performance indicators describing the processes that lower risks in the identified areas. The risk indicators are closely connected with key performance indicators. Control and management of KPIs is required to decrease the company’s risks.
The authors attributed the companies’ risks to the following groups:
  • Governance Risks—The risk that the company’s rules, processes, and mechanisms, important for oversight and decision making, function improperly. Governance risks relate to the directors’ decisions regarding board leadership, composition, and structure. Governance risks are associated with the resourcefulness and robustness of the company’s procedures for compliance with the relevant framework of laws, including the quality of reporting lines [23].
  • Operational Risks—The risk that the company experiences a loss due to inadequate or failed internal processes, people, systems, or external events [32,33].
  • Human Resources Risks—The risks that human resources pose on the company’s operations [34].
  • Health and Safety Risks—The risk of the company being exposed to a health and safety hazard that may result in harm, injury, death, or illness of an employee in a specific workplace [35].
  • Financial Risks—The risk a company may face that results in the possibility of losing money on an investment or business project [36].
  • Cyber Risks—This risk includes hardware and software failures, spam, viruses, malicious attacks, and other ICT matters [37].
  • Capital Adequacy Risks—Risks arising from the firm’s capital position, the adequacy of capital to support the level of current and anticipated business activities, and the access to further capital [38].
  • Environmental/External Risks—Risks arising from economic events that are out of the control of the corporate structure [39].
  • Law and Regulation Risks—The risk that the firm suffers financial, reputational, or litigation damage through failure to monitor, control, and eliminate or substantially reduce regulatory compliance risk [40].
  • Strategic Risks—The risk of loss arising from adverse business decisions that are poorly aligned to strategic goals, failed execution of policies and processes designed to meet those goals, and inability to respond to macroeconomic and industry dynamics. Strategic risks are also those risks associated with operating in a specific industry [41].
  • Financial Crime Risks—The risks that arise from the failure to prevent financial crime, money laundering, and market abuse [42].

2.1. Risk, Threats and Vulnerabilities

The effectiveness of the risk-based strategy depends on an accurate understanding of the risk to which the Fintech company is exposed. In this case, the risk is viewed as an inherent risk, or the risk one must take before adopting and implementing any processes, policies, controls, or other steps to lessen it. Before preparing for the interviews with the representatives of companies operating on the financial markets for risk assessment, the authors analyzed how risk might occur, keeping in mind two risk elements: vulnerabilities, or weaknesses that could be exploited for risk purposes, and threats, or outside forces that try to take advantage of company vulnerabilities [31,32,37,43,44].
The effect of the threat or vulnerability and the likelihood of the threat or vulnerability are the two factors that are used in the calculations for both threats and vulnerabilities. Whereas the likelihood of threats or vulnerabilities occurring during the reporting period is based on objective data, the effect of threats is determined by the expert assessment of risk managers.
Impact describes the kind and extent of damage that would result from exposing one or more vulnerabilities. Any risks that the authors outlined above could result in this harm. The combinations of likelihood and impact determine the inherent risk for the entity/person/process, etc. The authors proposed classifying the list of threats and vulnerabilities that they elaborated according to the effect and probability of each threat and vulnerability revealed within the aforementioned risks; the classified risks can be further utilized in questionnaires for financial institutions.
The risk analysis begins by determining what could go wrong in the entity’s functioning. These drawbacks need to be compared to a probability metric that gauges the possibility that the event will occur.

2.2. Methods

Preliminary research was conducted to identify the components and indicators of the model. For this purpose, the authors interviewed 5 distinct financial and Fintech companies in the European Union. The authors employed risk element-specific questionnaires for these interviews.
The criteria for these companies’ selection are the following:
  • The respondent is a company registered in the European Union;
  • The company is regulated or supervised by the financial company supervisor;
  • The company has a risk management department or risk professionals;
  • The company is involved in the payment business.
Each risk event represents a threat or series of threats that exposes a company’s current vulnerabilities. The proper values of the vulnerabilities must be used to evaluate the threat impact or likelihood of the risk event.
The semi-structured interviews were conducted in 2017 and 2022. The model’s elements and indicators were collected during this time period, where 5 companies were interviewed.
The authors prepared the criteria in Table 1 for the participating companies to assess the impacts of the threats and vulnerabilities:
The authors presented Table 2 with the following criteria to respondents to gauge the probability of threats and vulnerabilities:

2.2.1. Risk Calculation

In accordance with [45], the risk was calculated as follows:
$$\mathit{IR} = \mathit{Im} \times L$$
where:
  • IR—inherent risk;
  • Im—the impact of the risk;
  • L—the likelihood of the risk.
The probability and effect of the inherent risk were calculated by the authors as the average of the likelihood and impact of each threat and vulnerability combination that made up the risk. The final threat and vulnerability were calculated as the average of all factors involved in the computation, including threats, vulnerabilities, impacts, and likelihoods if the same risk generates multiple threats and vulnerabilities (Source: the formula developed by the authors).
$$\mathit{Im} = \frac{\sum_{i=1}^{n}\left(\mathit{Ti}_i + \frac{\mathit{Vi}_1 + \mathit{Vi}_2 + \dots + \mathit{Vi}_m}{m}\right)}{n \cdot 2}$$
where:
  • Im—the impact of the risk;
  • Tii—threat impact per each of the threats within the risk group;
  • Vi—vulnerabilities impact;
  • m—number of vulnerabilities per risk group;
  • n—number of threats per risk group.
$$L = \frac{\sum_{i=1}^{n}\left(\mathit{Tl}_i + \frac{\mathit{Vl}_1 + \mathit{Vl}_2 + \dots + \mathit{Vl}_m}{m}\right)}{n \cdot 2}$$
where:
  • L—the likelihood of the risk;
  • Tli—threat likelihood per each of the threats within the risk group;
  • Vl—vulnerabilities likelihood;
  • m—number of vulnerabilities per risk group;
  • n—number of threats per risk group.
The impact and likelihood were calculated based on the following classification (Table 3):
Inherent risk value interpretation—numeric ranges are as follows: very low (VL) is from 0 to 5, low (L) is from 5.01 to 10, medium (M) is from 10.01 to 15, high (H) is from 15.01 to 20, and very high (VH) is from 20.01 to 25.
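The calculation above, worked through for two risk groups and mapped onto the interpretation bands, as an added example that is not part of the original article. It assumes a 1–5 rating scale and reads the denominator of the impact and likelihood formulas as 2n (each threat rating averaged with the mean vulnerability rating); the group contents and all ratings are constructed sample data.

```python
"""Inherent risk per risk group from threat and vulnerability ratings."""
from dataclasses import dataclass
from statistics import mean

# Assumed rating scale; the article's classification table is not reproduced here.
SCALE_MIN, SCALE_MAX = 1, 5

# Interpretation bands from the text, as (inclusive upper bound, label).
BANDS = ((5.0, "VL"), (10.0, "L"), (15.0, "M"), (20.0, "H"), (25.0, "VH"))


@dataclass(frozen=True)
class Rating:
    """One threat or one vulnerability, rated for impact and likelihood."""
    name: str
    impact: int
    likelihood: int

    def __post_init__(self):
        for value in (self.impact, self.likelihood):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: rating {value} outside {SCALE_MIN}..{SCALE_MAX}")


def aggregate(threat_scores, vuln_scores):
    """sum_i (T_i + mean(V_1..V_m)) / (2n), used for both Im and L."""
    if not threat_scores or not vuln_scores:
        raise ValueError("a risk group needs at least one threat and one vulnerability")
    vuln_mean = mean(vuln_scores)
    return sum(t + vuln_mean for t in threat_scores) / (2 * len(threat_scores))


def inherent_risk(threats, vulns):
    """Return (Im, L, IR) for one risk group, with IR = Im * L."""
    impact = aggregate([t.impact for t in threats], [v.impact for v in vulns])
    likelihood = aggregate([t.likelihood for t in threats],
                           [v.likelihood for v in vulns])
    return impact, likelihood, impact * likelihood


def band(ir):
    """Map an inherent risk value (0..25) to its interpretation label."""
    if ir < 0:
        raise ValueError("inherent risk cannot be negative")
    for upper, label in BANDS:
        if ir <= upper:
            return label
    raise ValueError(f"inherent risk {ir} exceeds the 0..25 range")


def rank_groups(groups):
    """Rows of (group, Im, L, IR, band), highest inherent risk first."""
    rows = []
    for name, (threats, vulns) in groups.items():
        impact, likelihood, ir = inherent_risk(threats, vulns)
        rows.append((name, round(impact, 2), round(likelihood, 2),
                     round(ir, 2), band(ir)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample ratings, not taken from the article's appendix tables.
SAMPLE_GROUPS = {
    "Cyber risk": (
        [Rating("malicious attack", 5, 3), Rating("hardware failure", 4, 2)],
        [Rating("late patching", 4, 3), Rating("single data centre", 2, 1),
         Rating("weak change control", 3, 2)],
    ),
    "Governance risk": (
        [Rating("board decision without risk input", 5, 4)],
        [Rating("unclear reporting lines", 5, 5),
         Rating("outdated compliance procedures", 4, 4)],
    ),
}

if __name__ == "__main__":
    for group, impact, likelihood, ir, label in rank_groups(SAMPLE_GROUPS):
        print(f"{group:16} Im={impact:<5} L={likelihood:<5} IR={ir:<6} {label}")
```

The ranking puts the groups with the highest inherent risk first, which is where the article's approach would look for the processes whose KPIs should be tracked.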
For the simultaneous analysis of several statistical relationships, the researchers primarily used two methods for structural equation modeling (SEM): partial least squares structural equation modeling (PLS-SEM) and covariance-based structural equation modeling (CB-SEM) [46,47,48]. The PLS-SEM methodology was selected since this methodology is more effective for the small data samples, which are used for exploratory and confirmatory types of research, and does not put forward the requirements for data normal distribution [49,50].
A practical causal-predictive analysis can be performed using PLS-SEM, which also explains the variance in the independent constructs [47,48]. PLS-SEM enables forecasting the behavior of an unusual entity by combining a regression-based path analysis and analysis of the most crucial components [51]. This method can also define mediating and moderating effects and illustrate direct and indirect relationships [52]. Most researchers working in cutting-edge fields favor this approach [46].
The PLS-SEM technique takes into account both an inner and an outer model. The outer model takes into account the relationships between the latent variables and their reported indicators, whereas the inner model takes into account the relationships between independent and dependent latent variables. Latent variables, also known as constructs, are variables that cannot be evaluated directly.
The same ground was applied to key performance indicators as it was to financial and capital adequacy risks. As a result, other risk groups determine the model assumptions that might impact them. Given that the risk groups mentioned above reflect both internal and external processes, the authors decided that internal processes should be represented by the risk groups chosen for the modeling:
  • Governance risk;
  • ICT risk;
  • Operational risk;
  • Financial crime risk;
  • Human resources risk.
The first group of hypotheses (H1–H5) related to financial risk:
H1. Governance Risk has a direct impact on company KPI.
H2. ICT Risk has a direct impact on company KPI.
H3. Operational Risk has a direct impact on company KPI.
H4. Financial Crime Risk has a direct impact on company KPI.
H5. Human Resource Risk has a direct impact on company KPI.
The second group of hypotheses (H6–H10) related to capital adequacy risk:
H6. Governance Risk has a direct impact on company KPI.
H7. ICT Risk directly impacts company KPI.
H8. Operational Risk directly impacts company KPI.
H9. Financial Crime Risk directly impacts company KPI.
H10. Human Resource Risk has a direct impact on company KPI.

2.2.2. Model Estimation Using the SmartPLS Software

Three steps made up the PLS-SEM analysis in SmartPLS:
  • The validity of the outer paradigm or construct was assessed. The research included looking into the indicator loadings for the theoretically determined constructs and evaluating the model’s validity and dependability. Additionally, it was established how many iterations would be necessary for SmartPLS to finish the evaluation.
  • The inner model (structural model) assessed how the categories related to one another. The coefficient of determination (R²), standardized path coefficients (β), and impact size (f²) were used to accomplish this.
  • A broad evaluation of the model (overall model evaluation) was conducted to determine how well the model fits the data. This can be accomplished in SmartPLS by applying the SRM exact fit parameters.
The authors used the values listed in Table 4 for model evaluation in the SmartPLS software:
Poor dependability is indicated by values less than 0.5, and loading with a CR of less than 0.5 should be removed from the dataset. However, in this research, each loading had a design confidence greater than 0.5; therefore, they were all incorporated into the model loadings.

3. Results

3.1. Preliminary Research

The authors created a list of common threats and vulnerabilities in the payments sector. The aforementioned lists were created in collaboration with the risk experts of the chosen businesses. There are clear differences between the respondents engaged in the section on capital adequacy:
  • Banks (credit institutions) pay the government for funds that serve as guarantees for the customer deposits that they take. The government will use these funds to reimburse the customer funds in case of the bank’s bankruptcy. As a result, the only factor affecting capital adequacy is the liquidity of bank funds [69].
  • Customers’ funds must be protected by financial institutions (also known as electronic money institutions or payment institutions), and, in the event of bankruptcy, they must be reimbursed from these segregated funds accounts [70,71,72,73].
  • Companies that exchange cryptocurrency assets and other kinds of businesses mentioned in the second payment directive [72] are not legally required to separate customer funds, but they still face capital adequacy risks [74].
The capital adequacy goal is the same for all kinds of businesses, despite variations in the nature of the risk and its control methods. The authors contend that, because all business types use the same capital adequacy risk assessment criteria, it can be assumed that the tasks involved in risk management are comparable.
According to the respondents, all other criteria (risk groups) apply to all businesses, making it possible to evaluate corporate risks using the same lists of threats and vulnerabilities, impact, and likelihood criteria.
Threats and vulnerabilities were evaluated according to their capacity to address all risk groups in the preliminary definition of the threats and vulnerabilities. Table A1 of Appendix A contains the final list of threats, whereas Table A2 of Appendix A contains the final list of vulnerabilities.
The respondents who participated in the interviews filled out the likelihood and impact values of threats and vulnerabilities. The interviews’ threat impact estimations were recorded in Table A3 of Appendix A, and the threat likelihood was recorded in Table A4 of Appendix A. The interviews’ vulnerabilities impact estimations were recorded in Table A5 of Appendix A, and the threat likelihood was recorded in Table A6 of Appendix A.
According to the methodology, the authors determined the risk associated with each threat faced by each respondent, after which they computed the average number for each risk group and respondent. Table A7 in Appendix A serves as a record of the ultimate results table. These results were used as a data source for the PLS-SEM analysis in SmartPLS.

3.2. Outer Model Evaluation—Construct Validity

The relationships shown by the collection of hypotheses served as the foundation for the model created with the SmartPLS software. Since such a boundary value is acceptable for exploratory research, SmartPLS 4.0’s application of PLS-SEM led to the selection of indicators of latent variables with loadings > 0.60 as the first step (see Table 4). Since all of the latent variable values were greater than 0.60, they were all considered in the model.
All loading weights for each variable were greater than 0.6, so they were all considered.
The values of the construct validity metrics for the outer model, which are composite reliability (CR) and average variance extracted (AVE), were all within the necessary bounds (see Table 4), and are listed in Table 5. High dependability and internal consistency values were shown for each construct. The composite reliability was >0.984, and the average variance extracted was >0.942, indicating that the considered variables accurately represented the latent constructs intended for measurement.
The discriminant validity assessment, which identifies the differences between the constructs within the model, is considered necessary for outer model estimation. The Fornell–Larcker criterion and the heterotrait–monotrait ratio of correlations (HTMT) are two commonly used techniques to assess the discriminant validity in PLS-SEM.
The Fornell–Larcker criterion is the most common measure for assessing the discriminant validity in PLS-SEM. In some situations, the Fornell–Larcker criterion is considered weaker, more prone to error, and ineffective [75,76]. A more stringent standard is the heterotrait–monotrait ratio of correlations (HTMT) approach [62]. Hair et al. [76] suggested using HTMT [63] rather than the Fornell–Larcker technique due to its exaggerations when detecting discriminant validity. However, it is also advised to consider the model’s setting and the researcher’s level of conservatism when evaluating the discriminant validity [77].
Cross-loads demonstrated that each indicator had the highest loads in the construct initially intended to measure, and that the results fully satisfied the Fornell–Larcker criterion (see Table 6). All hidden variables fulfilled the HTMT requirement (see Table 7). There is no risk of any kind that will demonstrate an absence of discriminant validity.
The cross-loading indicators show the perfect discriminant validity of the factors.
An indicator of the degree of multicollinearity in regression analysis is the variance inflation factor (VIF). In a multiple regression model, multicollinearity occurs when there is a correlation between several independent factors. Examining the variance inflation factor (VIF) values (see Table 8), which should not be greater than 3.3, allows for an examination of multicollinearity [65,66,67]. For this model, the highest variance inflation factor (VIF) was 2.665. As a result, multicollinearity is apparently not an issue.

3.3. Evaluation of the Inner Model (Structural Model). Verifying the Hypotheses

The inner model uses the coefficient of determination (R²), standardized path coefficients (β), and impact size (f²) to characterize the relationships between the constructs. Fewer than the permitted 10 iterations—7—were completed before the study was terminated [47,63].
As stated, we first looked into the model using the relationships specified in the model’s framework (see Figure 1).
In the present study, the R² values for the constructs “Capital Adequacy Risk” and “Financial Risk” as the target variables of the model were of the greatest interest. The latent variables of the model explained that about 61.5% of the other types of risks affect the capital adequacy risk, and 32.0% of the other types of risk affect the financial risk (see Table 9). This is a relatively high level of R², indicating that the research determined the key factors that can influence the financial and capital adequacy for Fintech companies and, most likely, in businesses of comparable size and infrastructure.
Only five of ten hypotheses regarding the precise relationship between risks and other factors were confirmed (see Table 10). At the same time, it was found that governance risk has the biggest overall impact on capital sufficiency risk (β = 0.742 ± 0.722), and that cyber risk has the smallest overall impact (β = 0.119 ± 0.802).

3.4. Overall Model Assessment

Without a comprehensive model evaluation, a PLS-SEM study cannot be finished. Unfortunately, this estimate did not perform excellently; the result of the standardized root mean squared residual (SRMR) was 0.089, whereas the necessary value is 0.080. This difference is not terrible though, so it is still worth taking into account the findings of this research.
Given these details, we can conclude that the task has been completed and the exploration has been successfully conducted, with a clear grasp of its limitations and future research directions. Therefore, given the relationship between various types of risks and financial and capital adequacy risks, we will explore some opportunities in the discussion section.

4. Discussion

The research results show that human resources risks (staff risk) do not correlate with the financial and capital adequacy risk. Assessing and addressing the possible risks associated with having a workforce is known as human resources risks. These risks are linked to employee behavior and how the company recruits, retains, and manages employees and other kinds of workers. Despite the numerous articles where scholars define the importance of labor force management for the management of the company, this research shows that, based on the evaluations of five Fintech companies working in different fields and countries and further model evaluation, risk related to labor force—inadequate management or absence—does not have a direct effect on the financial results of the company.
Another result of the research is related to governance risk. The governance risk shows a strong correlation with the capital adequacy risk. This result emphasizes that despite the high digitalization of the Fintech business, the major influence on the company’s financial results is as a result of the company governance. In other words, it is not the effectiveness of the IT systems of the company but the effectiveness of the governance provided by the company’s managerial board that plays a major role.
The authors of this research show that KPIs have an obvious relationship with KRIs. Scholars distinguish KPIs and KRIs. KRIs are used to identify the possible risks, whereas KPIs evaluate the company performance. Even now, many businesses use these terms interchangeably. KPIs are frequently made to provide a broad overview of organizational success. Thus, even though these metrics might not be able to provide sufficient early warning signals of a developing risk, they are crucial for trend analysis and performance monitoring. KRIs emphasize just the opposite.

Research Limitations

Data from five distinct types of Fintech companies were used in the study. In terms of size, the degree of digitalization, and customer service strategies, we believe that other types of Fintech companies will have similar influencing risks with respect to the financial and capital adequacy risks. However, they were not considered by the authors, which can be seen as a limitation of this study.
The group of factors selected to establish the model construct also poses a restriction. Although the authors made an effort to take into account all potential indicators, it is still possible to broaden the set of indicators used, add additional variables, or use a different technique for data analysis.
Additionally, survey errors, particularly coverage and sampling errors, are a component of sampling studies. There will almost certainly be a difference between the sample and the general community. The findings of a single sample research cannot be regarded as representative if a large-scale randomized study has not been carried out. In such circumstances, numerous sample studies carried out by various authors can yield representative results.
It should be emphasized that the types of risks involved in this study limited the way in which the model could be interpreted. The authors decided that internal processes should be represented by the internal risk groups chosen for the modeling because the risk groups mentioned above reflect both internal and external processes. This decision can be seen as a limitation of this research because internal processes should be represented by internal risk groups.

5. Conclusions

The authors analyzed the key risk indicators of the business and the correlations between the company’s risk indicators with the purpose of developing the methodology for the key performance indicators selection. By choosing suitable KPIs based on observations of the business events specified by the risk parametrizations, the digitalization of the financial services industry, or Fintech, puts forward the requirements for digitalizing the company’s management processes.
The model’s elements and indicators were identified through the preliminary research. The authors interviewed five financial and Fintech companies in the European Union for this reason. Together with the risk specialists of these companies, a final risk elements list was created and grouped within the questionnaires. The risk components evaluations, based on the above-mentioned questionnaires, were used as a data source for the model. Taking into account the sensitivity of the data regarding their risks, the interviewees consented to participate under the condition of anonymity.
The authors agree that a larger sample size would contribute to the robustness of the results. A larger sample would help to capture a broader range of perspectives and experiences, thereby increasing the reliability and generalizability of the findings. This could involve expanding the number of financial and Fintech companies interviewed or including a more diverse set of participants, such as regulators, industry experts, or academics.
However, the purpose of the research was to evaluate the novel concept of selecting KPIs based on the five distinct categories of Fintech business models represented by risk indicators. The goal was to gain rich insights from a smaller number of participants rather than aiming for statistical representativeness. This approach allows for a detailed exploration of the risk factors and their impact on finance and capital adequacy in specific contexts. It would be beneficial for future studies to consider both qualitative and quantitative approaches. This would provide a more comprehensive analysis by combining in-depth interviews with a larger survey or data analysis, ensuring a balanced and well-rounded investigation.
Within this research, the model was constructed based on the risk types, representing the internal processes of the company. The authors considered the following groups of risks: governance risk, ICT risk, operational risk, financial crime risk, and human resources risk, and their impact on finance and capital adequacy. The model verified the correlation of the risk, representing internal processes toward the financial risk and capital adequacy risk. The authors assume that financial and capital adequacy risks are connected to the financial KPIs of the company. The study was carried out using PLS-SEM in SmartPLS 4.0 software.
The research shows that all the risks considered in the model, except for staff risk, correlate with the financial and/or capital adequacy risk. Approximately 61.5% of the other categories of risks that affect capital adequacy risk and 32.0% of the other types of risks that affect financial risk were explained by latent variables in the obtained model. The primary factors influencing the different risk types that impact financial and capital adequacy risk were identified in this study. These data could be used to create manual or automated KPI selection and evaluation models for Fintech firms or other businesses with comparable degrees of digitalization.
Despite the lack of a definitive correlation between staff risk and financial or capital adequacy risk, since the related hypothesis was rejected, this element significantly influenced the creation of the model. Events pertaining to these categories of risks must be excluded from the final model construction and calculation.
As a result, this research identified the crucial elements influencing the growth of KPIs based on financial and capital adequacy risk.
All divisions of Fintech companies are stakeholders in this procedure. The obtained results can be used as a foundation for initiatives oriented toward automating the performance results analysis. The purpose of this study was to demonstrate that the unified methodology for Fintech’s risks brings additional benefits, apart from the risk management efficacy itself: the ability to select KPIs based on the unique business model of Fintech. The authors devised an innovative approach to selecting comprehensive KPIs, covering all aspects of the exact Fintech business model.

Author Contributions

Conceptualization, O.C.; methodology, Y.P. and O.C.; software, D.C.; validation, O.C., Y.P. and D.C.; formal analysis, O.C.; investigation, O.C.; data curation, Y.P.; writing—original draft preparation, O.C.; writing—review and editing, Y.P.; visualization, D.C.; supervision, Y.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Data are contained within Appendix A.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Table A1. The list of threats.
No. | Threat Group | Threat | Governance Risks | Operational Risks | Human Resources Risks | Financial Risks | ICT Risks | Capital Adequacy Risks | Financial Crime Risks
1 Ecosystem pollutionAir pollution XX
2 Ecosystem pollutionEnvironmental accidents XX
3 Extreme weather eventsEarthquake XX
4 Extreme weather eventsFlooding XX
5 Extreme weather eventsHurricane XX
6 Extreme weather eventsLightning XX
7 Extreme weather eventsHeat waves XX
8 Extreme weather eventsFire XX
9 Ecosystem pollutionWater scarcity—Lack or insufficient supply of water XX
10 Market riskPublic policy change—Pollution control regulations X
11 Market riskShifting sentiment—Changes in consumer preference for certain products X
12 Remote workPandemicXXXXX
13 Company cultureHarassment X
14 Company cultureDiscrimination X
15 Company cultureEavesdropping X X
16 Humane resourceIllegal import/export of software XXX
17 Humane resourceIllegal use of software XXX
18 Humane resourceMaintenance error XX X
19 Humane resourceMisuse of resources XX X
20 Humane resourceOperational support staff error XXXX
21 Humane resourceStaff shortage XXXX
22 Humane resourceStaff mistakes XXXXXX
23 Manipulated dataMalware X XX
24 SupplyUse of software in an unauthorized way X
25 Manipulated dataCommunications infiltration X
26 Manipulated dataMisrouting or rerouting of messages X X X
27 Manipulated dataUnauthorized use of software X
28 Manipulated dataUnauthorized use of storage media X
29 Manipulated dataWillful damage X XXXX
30 Remote workMasquerading of user identity X X
31 Remote workNetwork access by unauthorized persons X X
32 Remote workRepudiation (e.g., of services, transactions, sending/receiving messages) X X
33 Remote workUse of software by unauthorized users X
34 CommunicationDamage to communication lines/cables X XX
35 CommunicationFailure of communications services X X
36 CommunicationFailure of network components X
37 CommunicationTraffic overloading X
38 CommunicationTransmission errors X
39 CommunicationUse of network facilities in an unauthorized way X
40 HardwareAir conditioning failure X XXX
41 HardwareBomb attack XXX
42 HardwareDeterioration of storage media XXX
43 HardwareHardware failure X
44 HardwareIndustrial action X
45 HardwareTheftXXXXXX
46 SupplyFailure of power supply X
47 SupplyPower fluctuation X
48 SupplySoftware failureXXXXXXX
49 Customer-related threats—CustomerClient works in high-risk sector X
50 Customer-related threats—CustomerUBO of the company works in high-risk sector X
51 Customer-related threats—CustomerRepresentative of the private individual works in high-risk sector X
52 Customer-related threats—CustomerClient family member of politically exposed person X
53 Customer-related threats—CustomerUBO family member of politically exposed person X
54 Customer-related threats—CustomerClient representative family member of politically exposed person X
55 Customer-related threats—CustomerClient representative associated to politically exposed person X
56 Customer-related threats—CustomerClient associated to politically exposed person X
57 Customer-related threats—CustomerClient representative politically exposed person X
58 Customer-related threats—CustomerClient foreign politically exposed person X
59 Customer-related threats—CustomerUBO foreign politically exposed person X
60 Customer-related threats—CustomerClient representative foreign politically exposed person X
61 Customer-related threats—CustomerClient domestical politically exposed person (PEP) X
62 Customer-related threats—CustomerUBO domestical politically exposed person (PEP) X
63 Customer-related threats—CustomerClient representative domestical politically exposed person (PEP) X
64 Customer-related threats—CustomerCompany incorporation type X
65 Customer-related threats—CustomerConcealment of beneficial ownership X
66 Customer-related threats—CustomerShell company X
67 Customer-related threats—CustomerShell bank X
68 Customer-related threats—TransactionsHigh turnover X
69 Customer-related threats—CustomerReliable bad adverse media X
70 Customer-related threats—CustomerNon-reliable bad adverse media X
71 Customer-related threats—CustomerReceived request to freeze customer’s UBO (FIAU, MFSA, police, court, etc.)X X XX
72 Customer-related threats—CustomerReceived request to freeze customer’s UBO (FIAU, MFSA, police, court, etc.)X X XX
73 Customer-related threats—TransactionsReceived request to monitor customer’s transaction (FIAU);X X XX
74 Customer-related threats—TransactionsInformation request (FIAU, MFSA, police, court)X X
75 Customer-related threats—TransactionsSTR/STA submitted regarding the customer or their UBO;X X
76 Customer-related threats—TransactionsSTR/STA submitted regarding the customer’s UBO;X X
77 Customer-related threats—CustomerCustomer in the terrorist listX X XX
78 Customer-related threats—CustomerCustomer UBO in the terrorist listX X XX
79 Customer-related threats—CustomerCustomer representative in the terrorist listX X XX
80 Customer-related threats—CustomerSanctions on the customer X XX
81 Customer-related threats—CustomerSanctions on the customer shareholders or UBOs X XX
82 Customer-related threats—CustomerSanctions on the customer representative X XX
83 Customer-related threats—CustomerIdentity fraud X XX
84 Customer-related threats—CustomerNon-identified parties account usage X
85 Customer-related threats—CustomerFalse/incorrect personal data X
86 Customer-related threats—CustomerFalse/incorrect personal data of UBO, or authorized/representative persons. X
87 Customer-related threats—CustomerFalse/incorrect personal data of customer representative X
88 Customer-related threats—CustomerCustomer issue bearer shares X
89 Customer-related threats—CustomerComplex ownership structure and opaque business structures (e.g., non-transparent, with several layers) X
90 Customer-related threats—TransactionsTax evasion X
91 Customer-related threats—TransactionsLocal criminal groups X
92 Customer-related threats—TransactionsDrug trafficking X
93 Customer-related threats—TransactionsFraud and misappropriation X
94 Customer-related threats—TransactionsCorruption and bribery X
95 Customer-related threats—TransactionsSmuggling X
96 Customer-related threats—TransactionsTheft and receipt of stolen goods X
97 Customer-related threats—TransactionsArmed robbery X
98 Customer-related threats—TransactionsLiving on the earnings of prostitution X
99 Customer-related threats—TransactionsUsury X
100 Customer-related threats—TransactionsIllegal gambling and violations of the Gaming Act X
101 Customer-related threats—TransactionsHuman trafficking X
102 Customer-related threats—TransactionsArms trafficking X
103 Customer-related threats—TransactionsSmuggling of persons X
104 Customer-related threats—TransactionsUnlicensed financial services X
105 Customer-related threats—TransactionsTerrorism and terrorist financing—Raising funds from criminal activities X
106 Customer-related threats—TransactionsTerrorism and terrorist financing—Raising funds from legal activity X
107 Customer-related threats—TransactionsSexual exploitation, including sexual exploitation of children X
108 Customer-related threats—TransactionsCounterfeiting currency X
109 Customer-related threats—TransactionsEnvironmental crime (illegal fishing, logging, dumping, mining, constrictions) X
110 Customer-related threats—TransactionsMurder, grievous bodily injury X
111 Customer-related threats—TransactionsCounterfeiting and piracy of products X
112 Customer-related threats—TransactionsKidnapping, illegal restraint, and hostage taking X
113 Customer-related threats—TransactionsExtortion X
114 Customer-related threats—TransactionsForgery X
115 Customer-related threats—TransactionsPiracy (i.e., maritime) X
116 Customer-related threats—TransactionsInsider trading and market manipulation X
117 Customer-related threats—TransactionsUnauthorized (unlicensed) commercial activity X
118 Customer-related threats—ProductProduct risk—SEPA payments X X
119 Customer-related threats—ProductProduct risk—SWIFT payments X X
120 Customer-related threats—ProductProduct risk—money send X X
121 Customer-related threats—ProductProduct risk—payment cards X X
122 Customer-related threats—ProductProduct risk—card purchases X X
123 Customer-related threats—ProductProduct risk—card cash withdrawal X X
124 Customer-related threats—ProductProduct risk—card credit voucher X X
125 Customer-related threats—ProductProduct risk—cor. accounts payments X X
126 Customer-related threats—ProductProduct risk—cash operations X X
127 Customer-related threats—ProductProduct risk—transaction to cryptocurrency X X
128 Customer-related threats—ProductProduct risk—transaction to gambling X X
129 Customer-related threats—ProductProduct risk—transaction received from sanctioned country X X X
130 Customer-related threats—ProductProduct risk—transaction sent to sanctioned country X X X
131 Customer-related threats—ProductProduct risk—transaction sent/received to/from sanctioned entity. X X XX
132 Customer-related threats—ProductProduct risk—transactions sent to high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
133 Customer-related threats—ProductProduct risk—transactions received from high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
134 Customer-related threats—ProductProduct risk—transaction counteragent is included in terrorist list X X XX
135 Customer-related threats—GeographicCustomer’s geographical location is in country with comprehensive sanctions X X X
136 Customer-related threats—GeographicUBO of the customer geographical location is in country with comprehensive sanctions X X X
137 Customer-related threats—GeographicCustomer representative geographical location is in country with comprehensive sanctions X X X
138 Customer-related threats—GeographicCustomer’s geographical location or their financial connections is in high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
139 Customer-related threats—GeographicUBO of the customer’s geographical location or their financial connections is in high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
140 Customer-related threats—GeographicCustomer’s representative geographical location or their financial connections is in high-risk country (high AML, terrorism, criminal, corruption/bribery level) X X X
141 Customer-related threats—GeographicGeographical location of institution, branches X X X
142 Customer-related threats—CustomerFace-to-face identification X X
143 Customer-related threats—CustomerIdentification by distributor X X
144 Customer-related threats—CustomerNon-face-to-face identification X X
145 Customer-related threats—TransactionsTransaction initiated in the shop X
146 Customer-related threats—TransactionsTransaction initiated remotely X
147 Customer-related threats—TransactionsTransaction initiated by PISP X
148 Credit riskUnallowed overdraftsXX X X
149 Credit riskUnallowed overdrafts with reservesXX X X
150 Market riskRecession X X
151 Market riskPolitical turmoil X X
152 Market riskChanges in interest rates X X
153 Market riskTerrorist/pirates attacks X X X
154 Market riskWarXXXXXXX
155 Market riskStrikes XXX X
156 Unsystematic riskRegulators finesXX X XX
157 Unsystematic riskProduct supply suspensionXX X XX
158 Unsystematic riskLaw casesXXXX XX
159 Market riskProduct price change on the market/product not competitiveXX X X
160 ComplianceProduct area of use violenceXX X X
161 ComplianceProduct licensor regulation violationXX X X
162 ComplianceCurrent product does not correspond to new regulators normsXX X XX
163 CompliancePayment systems regulation violenceXX X X
164 CompliancePartner due diligence absenceXX X XX
165 ComplianceSign agreement with the out-source without prior approval from regulatorXX X X
166 ComplianceUse of cloud solutions, rendered services not in accordance with EBA regulation X XXX
167 ComplianceDo not support PISP, AISPXX XXX
168 ComplianceDo not apply SCA in accordance with normsXX XXX
169 ComplianceFinancial institution operates below the minimum regulatory capital ratios or with negative own fundsXX X X
170 ComplianceCorrespondent bank deducts funds without approval from customer funds segregation account X X X
171 ComplianceThe customer “Right to Be Forgotten” was not realizedXXXXXX
172 ComplianceThe customers data were shared with GDPR violationXXXXXX
173 ComplianceBreach of payment card data XX XXX
174 ComplianceDisclosure of protected health informationXXXX XX
175 ComplianceNot appointed or trained data protection officer XXXXXX
176 ComplianceNot easy to identify and/or no data upon customer request available X X X
177 ComplianceThe business continuity plan not testedXX X
178 ComplianceThe ICT risk not assessed and/or reportedX X
179 ComplianceGovernance risk not assessed and/or reportedX
180 ComplianceOperational risk not assessed and/or reportedXX
181 ComplianceHuman resource risk not assessed and/or reportedX X
182 ComplianceHealth and safety risk not assessed and/or reportedX
183 ComplianceFinancial risk not assessed and/or reportedX X
184 ComplianceCapital adequacy risk not assessed and/or reportedX X
185 ComplianceEnvironmental/external risk not assessed and/or reportedX
186 ComplianceLaw/compliance risk not assessed and/or reportedX
187 ComplianceStrategic risk not assessed and/or reported X
188 ComplianceFinancial crime risk not assessed and/or reportedX X
189 ComplianceThe compliance officer was not assignedX X
190 ComplianceThe MLRO was not assignedX X X
191 ComplianceThe risk officer was not assignedX X
192 ComplianceThe internal auditor was not assignedXXXXXXX
193 ComplianceBoard director shortageXXXX X
194 ComplianceBoard directors not approved by regulatorsXXXX X
195 ComplianceSenior management not approved by regulators (if applicable)XXXX X
196 ComplianceUnresolved/unassessed conflict of interestsXXXXXXX
197 Change riskImplementation of the new distribution channels without POG approvalXXXXXXX
198 Change riskImplementing new requirements to customers without POG approvalXX XXXX
199 Change riskImplementing new product/service or their changes without POG approvalXX XXXX
200 Change riskImplementing new/variation of tariffs before prior customer approvalXX X X
201 Change riskImplementing new/variation of tariffs without POG approvalXX X X
202 Change riskElimination of the product/services before prior customer’s approvalXX X XX
203 Change riskElimination of the product/services without POG approvalXX X XX
204 Change riskCountry/audience change without POG approvalXX XXXX
205 Change riskCountry/audience elimination before prior customer’s notificationXX XXXX
206 Change riskNo execution of the regulatory changes in the requested time periodXX XXXX
207 Reputational riskPoor customer support serviceXX
208 Reputational riskLack of secure e/m banking platformXX XXX
209 Reputational riskFraud and corruption related to the financial institutionXXXX X
210 Reputational riskUnreasonable account block or product unavailabilityXX X X
211 Reputational riskUnclear/incorrect information to the customers (tariffs, extracts)XX X
212 Reputational riskHosting country reputation
213 Reputational riskNegative review on social mediaXX
214 Reputational riskUnreasonably long customer onboardXX XXXX
215 Reputational riskUnreasonably long customer request processingXX X XX
216 Reputational riskLow shareholders trustX
217 Reputational riskProduct functioning errorsXX XXX
Source: generated by the authors.
Table A2. The list of vulnerabilities.
Vulnerability | Governance Risks | Operational Risks | Human Resources Risks | Financial Risks | ICT Risks | Capital Adequacy Risks | Financial Crime Risks
Absence of clear and comprehensive governance policyX
Lack of information exchange between departmentsXX X
Lack of strategy plan or its actualizationX
Lack of record keeping of the board decisionX
Lack of board decision notification to the staffX X
Lack/improper policies/procedures describing internal processesXXXXXXX
Lack of the procedure/policies/reports approval procedure by the boardX
Lack of financial reportingXX X XX
Lack of job descriptionsXXX X X
Absence of the critical skills management procedureXXX
Critical skills shortage XX X X
Lack of/insufficient staff training XX X X
Lack of the product oversign and governance/change controlX X
Failure to adhere to the company’s policies or procedures XXXXXXX
Failure to enforce policiesXXXXXXX
Failure to stack to the distributors/out-source company approval procedure X X
Lack of an exit strategy for co-operation with distributors/out-source companies X X
Failure to protect prices with the distributor/out-source company X X X
Failure of distributor/out-source company/supplier to supply service X XX X
Lack of a business continuity plan or its insufficiencyXXXXX
Failure to diversifyXXXXXXX
Unsupervised work by suppliers or cleaning staff X X
Lack of security awareness XX X
Poorly documented software X X
Lack of monitoring mechanismsXX XXXX
Inadequate or careless use of physical access control to buildings, rooms, and offices X X
Lack of physical protection for the building, doors, and windows X
Location in an area susceptible to flood and fire X X
Unprotected storage X XX X
Insufficient maintenance/faulty installation of storage media X
Lack of periodic equipment replacement schemes X
Susceptibility to humidity, dust, and soiling X X
Susceptibility to temperature variations X X
Susceptibility to voltage variations X
Unprotected communication lines X
Poor joint cabling X
Lack of identification and authentication mechanisms X X X
Unprotected sensitive traffic XXXX X
Inadequate network management X
Lack of care at disposal X X
Complicated user interface X X
Lack of audit trailXX XX X
No or insufficient product/software/process testing X XX X
Poor password management X
Unclear or incomplete specification for developers X XXXX
Uncontrolled downloading and using software XX
Well-known gap in the software/process still in covering X XXXX
Wrong allocation of access rights X XX X
Insufficient or irregular water supply X X
Inappropriate CDD/EDD procedure X X
Inappropriate cash management XXX XX
Failure to identify risk-related eventsXXXXXXX
Failure to identify beneficiary/customer X X X
Failure to report to supervising organizationsXXXXXXX
Failure to respond/communicate with the regulatorsXXXXXXX
Lack of incident-reporting mechanismXXXXXXX
Lack of staff stress relief possibilities and trainings X
Bad ergonomics of the work place
Bad or absent noise control
Poor housekeeping X
Missing or insufficient lighting
Missing or expired or not verified extinguishers/fire-extinguishing mechanisms X
Correspondent bank stability risk X X X
Failure to define product prices in accordance with the market X
Failure to manage assets volatility risk X
Lack of liquidity X X X
Staff fraud X X
Staff mistakes X XX X
Incorrect accounting/business model application X X X
Internal processes incompliant with current legal norms and regulationsXXXXXXX
Lack of or improper customer funds segregation/capital rate calculation mechanism X X
Failure of the management to review and evaluate capital adequacy/customer funds segregation assessments and strategiesXX X X
Failure to define and control segregated funds access from the side of the correspondent bankXX X X
Poorly described and managed suppliers’ invoices payments procedure X X X
Lack of or improper overdraft management procedure X X X
Lack of or improper company liabilities management procedure X X X
Lack of or improper data privacy procedureXXXXX
Lack of a data protection officer or roleXXXXXX
Source: generated by the authors.
Table A3. The list of threats impacts per respondent.
Governance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime RisksGovernance RisksOperational RisksHuman Resources RisksFinancial RisksICT RisksCapital Adequacy RisksFinancial Crime Risks
Respondent 1Respondent 2Respondent 3Respondent 4Respondent 5
100034000002300000220000022000003400
200034000002300000220000022000003400
300044000004400000440000022000004400
400044000004400000220000033000004400
500034000003400000320000033000003400
600024000002400000230000023000002400
700043000004300000430000022000004300
800055000005500000550000055000005500
900033000003300000330000022000003300
1000020000002000000200000020000002000
1100030000003000000300000030000003000
1243434005443400444340044434004343400
1300500000040000004000000300000050000
1400500000040000004000000400000050000
1500304000020300002020000302000030400
1600134000013400001240000224000013400
1700434000043400004340000334000043400
1804104000410400031040004204000410400
1903105000210300021030003303000310500
2005254000525400042440004344000525400
2104434000343400033330004343000443400
2205453540545354043434304343430545354
2303034000303400030340004044000303400
2400004000000400000030000004000000400
2500005000000400000040000004000000500
2603004040200303020030303003030300404
2700004000000400000040000004000000400
2800003000000300000030000003000000300
2905044440404444040444404044440504444
3001004000100400010030002003000100400
3105005000400400040040004004000500500
3204004000400400040040004004000400400
3300004000000400000040000004000000400
3403034000303400030340003034000303400
3504004000500400050040005004000400400
3600004000000400000040000004000000400
3700004000000400000040000004000000400
3800003000000300000040000004000000300
3900004000000400000030000003000000400
4003045300304430030242002023200304530
4100055500005550000555000055500005550
4200055500005550000444000044400005550
4300004000000400000040000004000000400
4400004000000400000040000004000000400
4524144403314440231343023134302414440
4600004000000400000030000003000000400
4700004000000400000030000003000000400
4825155552515555251353525135352515555
4900000020000003000000300000030000002
5000000020000003000000300000030000002
5100000020000002000000200000020000002
5200000020000004000000400000040000002
5300000040000004000000400000040000004
5400000040000004000000400000040000004
5500000040000004000000400000040000004
5600000040000004000000400000040000004
5700000040000004000000400000040000004
5800000040000004000000400000040000004
5900000040000004000000400000040000004
6000000040000004000000400000040000004
6100000040000004000000400000040000004
6200000040000004000000400000040000004
6300000040000004000000400000040000004
Source: generated by the authors based on the respondents’ completed questionnaire.
Table A4. The list of threats likelihood per respondent.
Respondent 1 | Respondent 2 | Respondent 3 | Respondent 4 | Respondent 5
Under each respondent: Governance Risks | Operational Risks | Human Resources Risks | Financial Risks | ICT Risks | Capital Adequacy Risks | Financial Crime Risks