Risk-Based Approach for Selecting Company Key Performance Indicator in an Example of Financial Services

Abstract

Risk management is a highly important issue for Fintech companies; moreover, it is very specific and puts forward the serious requirements toward the top management of any financial institution. This study was devoted to specifying the risk factors affecting the finance and capital adequacy of financial institutions. The authors considered the different types of risks in combination, whereas other scholars usually analyze risks in isolation; however, the authors believe that it is necessary to consider their mutual impact. The risks were estimated using the PLS-SEM method in Smart PLS-4 software. The quality of the obtained model is very high according to all indicators. Five hypotheses related to finance and five hypotheses related to capital adequacy were considered. The impact of AML, cyber, and governance risks on capital adequacy was confirmed; the effect of governance and operational risks on finance was also confirmed. Other risks have no impact on finance and capital adequacy. It is interesting that risks associated with staff have no impact on finance and capital adequacy. The findings of this study can be easily applied by any financial institution for risk analysis. Moreover, this study can serve toward a better collaboration of scholars investigating the Fintech activities and practitioners working in this sphere. The authors present a novel approach for enhancing key performance indicators (KPIs) for Fintech companies, proposing utilizing metrics that are derived from the company’s specific risks, thereby introducing an innovative method for selecting KPIs based on the inherent risks associated with the Fintech’s business model. This model aligns the KPIs with the unique risk profile of the company, fostering a fresh perspective on performance measurement within the Fintech industry.

1. Introduction

The fifth wave of innovations led to the digitalization of company operations and, consequently, the entire economy. The challenges of business process management have yet to be extensively researched, although the digitalization of the economy is frequently discussed in scientific literature [1,2,3,4,5,6]. According to Verhoef [7], the analysis of the discussed digital formation must take a multidisciplinary approach because it is only seen from the perspective of management and finance, or as a transformational issue.

All economic actions that rely on digital resources or are significantly improved by their use, including digital technologies, digital infrastructure, digital services, and data, are included in the digital economy. All producers and consumers—including the government—who use these digital tools for commerce are subject to this [8]. At the G20 meeting in 2020, this definition was provided as a component of the OBSE report. The report’s authors specifically mentioned financial and insurance services as examples of services that are entirely available online.

The exchange of cryptographic assets is a type of utility that can be considered in addition to financial services as digital. The exchange of cryptocurrencies can be categorized as an entirely digital service, even though it is not a financial service according to EEA laws [9].

In areas such as accounting, marketing, entrepreneurship, and production, the digital transformation of the economy has unveiled new challenges for managing participating companies [10,11,12,13,14].

The state of the enterprise or its processes can be objectively measured at any time if we consider a particular case of digital transformation, where all aspects of the business have undergone such a transformation and the entire business cycle is in the digital space [15,16,17]. This is because all indicators of such an enterprise at any given time are digitized and accessible. Key revenue indicators (KPIs) for the business include those [18,19]. KPIs offer unbiased metrics for an organization over a predetermined time frame. However, even though the management implications of digital transformation are being actively researched, the key indicators still need to be put forth, where they could be used to immediately identify (on the spot) the specific business states from the perspective of management and aid in immediate decision making [18,19].

The current key financial indicators (KPIs) are criticized as unsuitable for the economy’s digital transformation. This lack of availability is demonstrated by the fact that these metrics need to accurately depict the state of the business and offer the required level of process transparency for effective strategic and tactical management [19].

In the past, businesses have used key financial indicators to look back at their past performance in order to predict the future performance or maintain control over regulatory indicators [20,21,22,23,24]. The authors believe that in order for these KPIs to be in line with the realities of the digital transformation of the economy, it is necessary to increase their use in predicting how the situation will develop in order to create trigger actions based on them that will correct the current situation and, if necessary, prompt the correction of the measures themselves and the tasks that the enterprise uses.

According to Horváth and Szabó [25], digitalization is the automation of procedures using information technology. Digitalization, which can be understood as using digital technologies and data (digitized and natively digital) to generate revenue, improve businesses, and replace/transform business processes (not just digitize them), necessitates new ways of speaking and collaborating in the workplace [10]. Therefore, the role of information technology as a manufacturing process rather than as an auxiliary tool is expanding [13,26,27,28]. Scholars are confident that there are problematic issues with KPIs determination [6,13,28,29]. The authors contend that if information technology is referred to as a production process, transparent metrics are required to assess its efficacy and to identify, similarly to financial indicators, the actions that should be taken to remedy the present situation.

The authors point out that a methodology is needed to identify a list of necessary and sufficient KPIs for each specific business or process due to the multiplicity and frequent uniqueness of processes in each particular business or its portion.

The authors used a multidisciplinary approach to identify how the managerial, financial, and technological aspects of exclusively providing services in the digital space affect the risks of the company and how these risks can be mitigated by immediately identifying KPIs that measure these risks and choosing a course of action based on the values of the chosen KPIs. They used the example of the cryptocurrency exchange business to illustrate their point.

There also investigated how these risks can be mitigated by immediately identifying KPIs that measure these risks and by defining a course of action based on the values of the chosen KPIs.

The research’s objective was to examine the risk factors that affect the choice of key performance indicators. This study is the first step in developing the methodology of choosing key performance indicators for each unique company using a risk-based approach.

The practical value of this research is in developing the methodology of the key performance indicators selection for the particular business by analyzing the key risk indicators of that business. The authors present a novel strategy used to enhance key performance indicators (KPIs) for Fintech companies, proposing using metrics derived from the company’s specific risks, thus introducing an innovative method for selecting KPIs based on the inherent risks associated with the business model of Fintech. This model aligns the KPIs with the company’s unique risk profile, providing a novel perspective on performance measurement in the Fintech industry.

Another novelty of this article is in considering the risks not as separate issues but in combination, which allows for seeing not only the interrelation between different groups of risks but also estimating their mutual impact on company performance. The usual case of considering these risks is not in combination but separately.

This research has a particular scientific value since it shows the relationship between key performance and risk indicators. It develops the methodology of this specific relationship definition for any company using digital approaches.

The practical value of the research is significantly higher: stakeholders such as banks, financial institutions, crypto-currency exchangers, and other institutions can use the results of this study to understand the issue of the general acceptance of information technologies through the key performance indicators selection; it allows them to select company financial indicators based on the specificity of their business, which may use electronic automatic management systems.

2. Materials and Methods

Business continuity planning has become crucial in the digital economy because operations must always be conducted online [30]. Key risk indicators (KRIs) also assist in determining the likelihood of unfavorable situations that could impact a company’s business continuity [31]. By using key risk indicators, an organization can keep track of changes in risk and receive timely information about systemic and one-time events that may be connected to crisis situations that directly or indirectly impact an enterprise’s ability to carry out its operations.

KRIs, therefore, characterize and identify risks that have a significant manifestation in the business or deficiencies in control systems. They can be used alone or in conjunction with other fixed events associated with certain risks of the enterprise, such as balance sheet losses, audit results, and registration of customer complaints and suggestions.

Using fixed KRIs is not feasible due to the constant shift in risk events. Regularly reviewing these KRIs is necessary to safeguard the company from operational, reputational, and other risks. When the company has a thorough knowledge of the risks, it can accurately identify and choose the right risk indicators and consistently track performance using key performance indicators (KPIs) and other technologies that facilitate this process.

Therefore, the authors believe that, in order to choose process-grounded key performance indicators, it is necessary to analyze the enterprise’s risks, identify key risk indicators, and then choose key performance indicators describing the processes that lower risks in the identified areas. The risk indicators are closely connected with key performance indicators. Control and management of KPIs is required to decrease the company’s risks.

The authors attributed the companies’ risks to the following groups:

• Governance Risks—The risk that the company’s rules, processes, and mechanisms, important for oversighting and decision making, function improperly. Governance risks relate to the directors’ decisions regarding board leadership, composition, and structure. Governance risks are associated with the resourcefulness and robustness of the company’s procedures for compliance with the relevant framework of laws, including the quality of reporting lines [23].
• Operational Risks—The risk that the company experiences a loss due to inadequate or failed internal processes, people, systems, or external events [32,33].
• Human Resources Risks—The risks that human resources pose on the company’s operations [34].
• Health and Safety Risks—The risk of the company being exposed to a health and safety hazard that may result in harm, injury, death, or illness of an employee in a specific workplace [35].
• Financial Risks—The risk a company may face that results in the possibility of losing money on an investment or business project [36].
• Cyber Risks—This risk includes hardware and software failures, spam, viruses, malicious attacks, and other ICT matters [37].
• Capital Adequacy Risks—Risks arising from the firm’s capital position, the adequacy of capital to support the level of current and anticipated business activities, and the access to further capital [38].
• Environmental/External Risks—Risks arising from economic events that are out of the control of the corporate structure [39].
• Law and Regulation Risks—The risk that the firm suffers financial, reputational, or litigation damage through failure to monitor, control, and eliminate or substantially reduce regulatory compliance risk [40].
• Strategic Risks—The risk of loss arising from adverse business decisions that are poorly aligned to strategic goals, failed execution of policies and processes designed to meet those goals, and inability to respond to macroeconomic and industry dynamics. Strategic risks are also those risks associated with operating in a specific industry [41].
• Financial Crime Risks—The risks that arise from the failure to prevent financial crime, money laundering, and market abuse [42].

2.1. Risk, Threats and Vulnerabilities

The effectiveness of the risk-based strategy depends on an accurate understanding of the risk to which the Fintech company is exposed. In this case, the risk is viewed as an inherent risk, or the risk one must take before adopting and implementing any processes, policies, controls, or other steps to lessen it. Before preparing for the interviews with the representatives of companies operating on the financial markets for risk assessment, the authors analyzed how risk might occur, keeping in mind two risk elements: vulnerabilities, or weaknesses that could be exploited for risk purposes, and threats, or outside forces that try to take advantage of company vulnerabilities [31,32,37,43,44].

The effect of the threat or vulnerability and the likelihood of the threat or vulnerability are the two factors that are used in the calculations for both threats and vulnerabilities. Whereas the likelihood of threats or vulnerabilities occurring during the reporting period is based on objective data, the effect of threats is determined by the expert assessment of risk managers.

Impact describes the kind and extent of damage that would result from exposing one or more vulnerabilities. Any risks that the authors outlined above could result in this harm. The combinations of likelihood and impact determine the inherent risk for the entity/person/process, etc. The authors proposed classifying list of threats and vulnerabilities, elaborated by the authors, according to effect and probability of the threat and vulnerability revealed within the aforementioned risks; the classified risks can be further utilized in questionnaires for financial institutions.

The risk analysis begins by determining the possible improper issues in the entity functioning. These drawbacks need to be compared to a probability metric that gauges the possibility that the event will occur.

2.2. Methods

Preliminary research was conducted to identify the components and indicators of the model. For this purpose, the authors interviewed 5 distinct financial and Fintech companies in the European Union. The authors employed risk element-specific questionnaires for these interviews.

The criteria for these companies’ selection are the following:

• The respondent is a company registered in the European Union;
• The company is regulated or supervised by the financial company supervisor;
• The company has a risk management department or risk professionals;
• The company is involved in the payment business;
• Each risk event represents a threat or series of threats that exposes a company’s current vulnerabilities. The proper values of the vulnerabilities must be used to evaluate the threat impact or likelihood of the risk event.

The semi-structured interviews were conducted in 2017 and 2022. The model’s elements and indicators were collected during this time period, where 5 companies were interviewed.

The following criteria were prepared by the authors within the Table 1 for assessing the impacts of the threats and vulnerabilities by the participating companies:

Table 1. Threat evaluation criteria for internal processes.

Risk Group	Very High	High	Medium	Low	Very Low
Governance	More than 50% of decisions are not delivered for final execution, which is a critical failure. Making decisions too slowly results in crucial failures that make it impossible to carry out essential tasks. The impact threatens the initiative or organization’s continued existence.	A less than 50% failure rate occurs when choices are not delivered for final execution. Failure to make choices results in the breakdown of crucial processes, which lowers performance. The initiative, activity, or organization’s survival is in jeopardy.	Decisions are not provided in time for the last execution. Delays in making decisions have an effect on the company and lead to poorer performance, including missed goals. Although there is no threat to an organization’s existence, there may be a thorough evaluation.	Decisions are not provided in time for the last execution. Delays in making decisions have an effect on the company and lead to poorer performance, including missed goals. Although there is no threat to an organization’s existence, there may be a thorough evaluation.	Minor failures of the internal procedure’s execution.
Operational	A widespread or protracted halt to activities: -Inability to promote services effectively. -Dangerous market share loss threat.	To handle operational issues, significant internal and/or external resources must be committed: -Significant and/or ongoing business disruptions.	Implementing increased internal and/or external resources is necessary for handling operational challenges: -More extensive or widespread organizational inefficiency (s).	Aggravation of the resources that must be dedicated to resolving practical issues: -Minor inefficiencies in functioning.	Modest resources need to be committed to internal operational issues: -Insignificant operational inefficiency.
Financial	>EUR 990,000	EUR 330,000.01–EUR 990,000	EUR 160,000.01–EUR 330,000	EUR 30,000.01–EUR 160,000	<EUR 30,000
Human Resources	Protracted unavailability of critical skills/personnel.	Unavailability of critical skills of personnel.	Unavailability of core skills affecting services.	Minor impact to capability.	Minor skill impact.
Cyber	Destruction or complete loss of >50% of assets. Critical failure(s) preventing core activities from being performed. The impact threatens survival of the project or organization itself.	Extensive damage or loss of <50% of assets. Breakdown of key activities leading to reduction in performance. Survival of the project/activity/organization is threated.	Damage or loss of <20% of assets. Impact on organization resulting in reduced performance such as targets not being met. Organization’s existence is not threatened but could be subject to significant review.	Minor damage or loss of <5% of assets. Some impact on business areas in terms of delays and system quality but able to de dealt with at operational level.	Minor damage or vandalism of assets. Minimal impact on non-core business operations. The impact can be dealt with by routine operations.
Capital Adequacy	>50% of the capital	30–50% of the capital	15–30% of the capital	5–15% of the capital	<than 5% of the capital
Financial Crime	Extreme consequences	High consequences	Medium consequences	Low consequences	Minor consequences

Source: generated by the authors.

The authors presented Table 2 with the following criteria to respondents to gauge the probability of threats and vulnerabilities:

Table 2. Vulnerabilities evaluation criteria.

Very High	High	Medium	Low	Very Low
Event is expected to occur in most circumstances 90–100%.	Event will probably occur in most circumstances 60–90%.	Event is as likely to occur as to not occur 35–60%.	Event could occur at some point in time 10–35%.	Event may only occur in exceptional circumstances 0–10%.

Source: generated by the authors.

2.2.1. Risk Calculation

In accordance with [45], the risk was calculated as follows:

$$\mathrm{I}\mathrm{R}=\mathrm{I}\mathrm{m}\ast \mathrm{L}$$

(1)

where:

• IR—inherent risk;
• Im—the impact of the risk;
• L—the likelihood of the risk.

The probability and effect of the inherent risk were calculated by the authors as the average of the likelihood and impact of each threat and vulnerability combination that made up the risk. The final threat and vulnerability were calculated as the average of all factors involved in the computation, including threats, vulnerabilities, impacts, and likelihoods if the same risk generates multiple threats and vulnerabilities (Source: the formula developed by the authors).

$$\mathrm{I}\mathrm{m}=\frac{\sum _{\mathrm{i}=1}^{\mathrm{n}}({\mathrm{T}\mathrm{i}}_{\mathrm{i}}+\frac{{(\mathrm{V}\mathrm{i}}_1+{\mathrm{V}\mathrm{i}}_2+\dots +{\mathrm{V}\mathrm{i}}_{\mathrm{m}})}{\mathrm{m}})}{\mathrm{n}\ast 2}$$

(2)

where:

• Im—the impact of the risk;
• Ti_i—threat impact per each of the threats within the risk group;
• Vi—vulnerabilities impact;
• m—number of vulnerabilities per risk group;
• n—number of threats per risk group.

$$\mathrm{L}=\frac{\sum _{\mathrm{i}=1}^{\mathrm{n}}({\mathrm{T}\mathrm{l}}_{\mathrm{i}}+\frac{({\mathrm{V}\mathrm{l}}_1+{\mathrm{V}\mathrm{l}}_2+\dots +{\mathrm{V}\mathrm{l}}_{\mathrm{m}})}{\mathrm{m}})}{\mathrm{n}\mathrm{\ast }2}$$

(3)

where:

• L—the likelihood of the risk;
• Tl_i—threat likelihood per each of the threats within the risk group;
• Vl—vulnerabilities likelihood;
• m—number of vulnerabilities per risk group;
• n—number of threats per risk group.

The impact and likelihood was calculated based on the following classification (Table 3):

Table 3. The use weights of components.

Numeric Value	Letter Abbreviation	Title
1	VL	Very low/irrelevant
2	L	Low
3	M	Medium
4	H	High
5	VH	Very high

Source: generated by the authors.

Inherent risk value interpretation—numeric ranges are as follows: very low (VL) is from 0 to 5, low (L) is from 5.01–10, medium (M) is from 10.01 to 15, high (H) is from 15.01 to 20, and very high (VH) is from 20.01 to 25.

For the simultaneous analysis of several statistical relationships, the researchers primarily used two methods for structural equation modeling (SEM): partial least squares structural equation modeling (PLS-SEM) and covariance-based structural equation modeling (CB- SEM) [46,47,48]. The PLS-SEM methodology was selected since this methodology is more effective for the small data samples, which are used for exploratory and confirmatory types of research, and does not put forward the requirements for data normal distribution. [49,50].

A practical causal-predictive analysis can be performed using PLS-SEM, which also explains the variance in the independent constructs [47,48]. PLS-SEM enables forecasting the behavior of an unusual entity by combining a regression-based path analysis and analysis of the most crucial components [51]. This method can also define mediating and moderating effects and illustrate direct and indirect relationships [52]. Most researchers working in cutting-edge fields favor this approach [46].

The PLS-SEM technique takes into account both an inner and an outer model. The outer model takes into account the relationships between the latent variables and their reported indicators, whereas the inner model takes into account the relationships between independent and dependent latent variables. Latent variables, also known as constructs, are variables that cannot be evaluated directly.

The same ground was applied to key performance indicators as it was to financial and capital adequacy risks. As a result, other risk groups determine the model assumptions that might impact them. Given that the risk groups mentioned above reflect both internal and external processes, the authors decided that internal processes should be represented by the risk groups chosen for the modeling:

• Governance risk;
• ICT risk;
• Operational risk;
• Financial crime risk;
• Human resources risk.

The first group of hypotheses (H1–H5) related to financial risk:

H1. 

Governance Risk has a direct impact on company KPI.

H2. 

ICT Risk has a direct impact on company KPI.

H3. 

Operational Risk has a direct impact on company KPI.

H4. 

Financial Crime Risk has a direct impact on company KPI.

H5. 

Human Resource Risk has a direct impact on company KPI.

The second group of hypotheses (H6–H10) related to capital adequacy risk:

H6. 

Governance Risk has a direct impact on company KPI.

H7. 

ICT Risk directly impacts company KPI.

H8. 

Operational Risk directly impacts company KPI.

H9. 

Financial Crime Risk directly impacts company KPI.

H10. 

Human Resource Risk has a direct impact on company KPI.

2.2.2. Model Estimation Using the SmartPLS Software

Three steps made up the PLS-SEM analysis in SmartPLS:

• The validity of the outer paradigm or construct was assessed. The research included looking into the indicator loadings for the theoretically determined constructs and evaluating the model’s validity and dependability. Additionally, it was established how many iterations would be necessary for SmartPLS to finish the evaluation.
• The inner model (structural model) assessed how the categories related to one another. The coefficient of determination (R²), standardized path coefficients (B), and impact size (f²) were used to accomplish this.
• A broad evaluation of the model (overall model evaluation) was conducted to determine how well the model fits the data. This can be accomplished in SmartPLS by applying the SRM exact fit parameters.

The authors used the following values, mentioned in the Table 4, for model evaluation in the software SmartPLS:

Table 4. Recommended assessment of PLS-SEM.

Assessment	Description	Criteria
Construct validity (outer model)
Number of iterations	Sum of the outer weights’ changes between two iterations [52]	5–10
	Maximum number of iterations [53]	300
Item reliability	Indicators loadings (IL) [54,55,56,57]	>0.70 (highly satisfactory)
		>0.50≤0.70 (acceptable)
		>0.40≤0.50 (week)
Convergent validity (the study variables represent the latent constructs intended for measurement, as demonstrated by convergent validity)	Design reliability, a gauge of the scale components’ internal coherence [56,58]—(CR)	>0.80 [59] (satisfactory)
		>0.70≤0.80 (acceptable)
		>0.60≤0.70 (an acceptable range in exploratory study is 0.60 to 0.70)
	Average variance extracted (AVE)	>0.5 [60]
		AVE > 0.5 and CR ≤ 0.6 [61]
Discriminant validity	Fornell and Larcker (F&L), in SmartPLS—divergent validity heterotrait: monotrait ratios (HTMT) [62,63]	Confidence intervals should not contain a value of 1; values lower than 0.85 for conceptually different constructs and below 0.90 for similar constructs
Structural model (inner model)
Coefficient of determination	The preferred number is a greater one [52,64]—R2	0.67 (substantial)
		0.33 (average)
		0.19 (weak)
Standardized path coefficients	Identify the importance and the confidence intervals—B (β)	from −1 to +1.
Effect size	The strength of the connection between two variables in a population is measured by the effect size—f2	0.35 (strong effects)
		0.15 (moderate)
		0.02 (weak)
Variance inflation factor	An indicator of the degree of multicollinearity (VIF)	VIF ≤ 3.3 [65,66,67]
Final model evaluation
Fit measures	Standardized root mean square residual (SRMR)—the disparity between the observed correlation and the model-implied correlation matrix is known as the SRMR. As a result, it enables evaluation of the (model) fit criterion using the average magnitude of the discrepancies between observed and anticipated correlations [62].	≤0.08

Developed by authors based on the [68].

Poor dependability is indicated by values less than 0.5, and loading with a CR of less than 0.5 should be removed from the dataset. However, in this research, each loading had a design confidence greater than 0.5; therefore, they were all incorporated into the model loadings.

3. Results

3.1. Preliminary Research

The authors created a list of common threats and vulnerabilities in the payments sector. The aforementioned lists were created in collaboration with the risk experts of the chosen businesses. There are clear differences between the respondents engaged in the section on capital adequacy:

• Banks (credit institutions) pay the government for funds that serve as guarantees for the customer deposits that they take. The government will use these funds to reimburse the customer funds in case of the bank’s bankruptcy. As a result, the only factor affecting capital adequacy is the liquidity of bank funds [69].
• Customers’ funds must be protected by financial institutions (also known as electronic money institutions or payment institutions), and, in the event of bankruptcy, they must be reimbursed from these segregated funds accounts [70,71,72,73].
• Companies that exchange cryptocurrency assets and other kinds of businesses mentioned in the second payment directive [72] are not legally required to separate customer funds, but they still face capital adequacy risks [74].

The capital adequacy goal is the same for all kinds of businesses, despite variations in the nature of the risk and its control methods. The authors contend that, because all business types use the same capital adequacy risk assessment criteria, it can be assumed that the tasks involved in risk management are comparable.

According to the respondents, all other criteria (risk groups) apply to all businesses, making it possible to evaluate corporate risks using the same lists of threats and vulnerabilities, impact, and likelihood criteria.

Threats and vulnerabilities were evaluated according to their capacity to address all risk groups in the preliminary definition of the threats and vulnerabilities. Table A1 of Appendix A contains the final list of threats, whereas Table A2 of Appendix A contains the final list of vulnerabilities.

The respondents who participated in the interviews filled out the likelihood and impact values of threats and vulnerabilities. The interviews’ threat impact estimations were recorded in Table A3 of Appendix A, and the threat likelihood was recorded in Table A4 of Appendix A. The interviews’ vulnerabilities impact estimations were recorded in Table A5 of Appendix A, and the threat likelihood was recorded in Table A6 of Appendix A.

According to the methodology, the authors determined the risk associated with each threat faced by each respondent, after which they computed the average number for each risk group and respondent. Table A7 in Appendix A serves as a record of the ultimate results table. These results were used as a data source for the PLS-SEM analysis in SmartPLS.

3.2. Outer Model Evaluation—Construct Validity

The relationships shown by the collection of hypotheses served as the foundation for the model created with the SmartPLS software. Since such a boundary value is acceptable for exploratory research, SmartPLS 4.0’s application of PLS-SEM led to the selection of indicators of latent variables with loadings > 0.60 as the first step (see Table 4). Since all of the latent variable values were greater than 0.60, they were all considered in the model.

All loading weights for each variable were greater than 0.6, so they were all considered.

The values of the construct validity metrics for the outer model, which are composite reliability (CR) and average variance extracted (AVE), were all within the necessary bounds (see Table 4), and are listed in Table 5. A high dependability and internal consistency values were shown for each construct. The composite reliability was >0.984, and the average variance extracted was >0.942, indicating that the considered variables accurately represented the latent constructs intended for measurement.

Table 5. Measurement values.

Constructs	CR	AVE	Composite Reliability (rho_a)
Cyber Risk	0.995	0.981	1.005
Operational Risk	0.976	0.912	0.995
Financial Risk	0.970	0.894	0.980
Financial Crime Risk	0.989	0.9s54	1.073
Human Resource Risk	0.992	0.968	1.004
Governance Risk	0.983	0.935	0.994
Capital Adequacy Risk	0.986	0.947	0.988

Source: generated by the authors on the basis of SmartPls 4.0.

The discriminant validity assessment, which identifies the differences between the constructs within the model, is considered necessary for outer model estimation. The Fornell–Larcker criterion and the heterotrait–monotrait ratio of correlations are two commonly used techniques to assess the discriminating validity in PLS SEM (HTMT).

The Fornell–Larcker criterion is the most common measure for assessing the discriminant validity in PLS-SEM. In some situations, the Fornell–Larcker criterion is considered weaker, more prone to error, and ineffective [75,76]. A more stringent standard is the heterotrait–monotrait ratio of correlations (HTMT) approach [62]. Hair et al. [76] suggested using HTMT [63] rather than the Fornell–Larcker technique due to its exaggerations when detecting discriminant validity. However, it is also advised to consider the model’s setting and the researcher’s level of conservatism when evaluating the discriminant validity [77].

Cross-loads demonstrated that each indicator had the highest loads in the construct initially intended to measure, and that the results fully satisfied the Fornell–Larcker criterion (see Table 6). All hidden variables fulfilled the HTMT requirement (see Table 7). There is no risk of any kind that will demonstrate an absence of discriminant validity.

Table 6. Fornell–Larcker criterion.

	AML	Capital Adequacy	Cyber	Finance	Governance	Operational	Staff
AML	0.977
Capital Adequacy	0.253	0.973
Cyber	−0.657	−0.264	0.991
Finance	0.255	0.490	−0.121	0.945
Governance	0.127	0.755	−0.344	0.304	0.967
Operational	0.492	0.334	−0.258	0.526	0.311	0.955
Staff	−0.311	−0.110	0.171	−0.128	−0.020	−0.004	0.984

Source: generated by the authors on the basis of SmartPls 4.0.

Table 7. HTMT requirement.

	AML	Capital Adequacy	Cyber	Finance	Governance	Operational	Staff
AML
Capital Adequacy	0.215
Cyber	0.659	0.261
Finance	0.232	0.483	0.138
Governance	0.127	0.756	0.343	0.291
Operational	0.490	0.315	0.247	0.529	0.299
Staff	0.325	0.108	0.168	0.127	0.053	0.046

Source: generated by the authors on the basis of SmartPls 4.0.

The cross-loading indicators show the perfect discriminate validity of the factors.

An indicator of the degree of multicollinearity in regression analysis is the variance inflation factor (VIF). In a multiple regression model, multicollinearity occurs when there is a correlation between several independent factors. Examining the variance inflation factor (VIF) values (see Table 8), which should not be greater than 3.3, allows for an examination of multicollinearity [65,66,67]. For this model, the highest variance inflation factor (VIF) was 2.665. As a result, multicollinearity is apparently not an issue.

Table 8. Inner model collinearity statistics (VIF).

	Capital Adequacy	Finance
AML	2.665	2.665
Capital Adequacy
Cyber	2.124	2.124
Finance
Governance	1.320	1.320
Operational	1.575	1.575
Staff	1.154	1.154

Source: generated by the authors on the basis of SmartPls 4.0. Background color: it shows that this row excluded from calculation.

3.3. Evaluation of the Inner Model (Structural Model). Verifying the Hypotheses

The inner model uses the coefficient of determination (R²), standardized path coefficients (β), and impact size (f²) to characterize the relationships between the constructs. Fewer than the permitted 10 iterations—7—were completed before the study was terminated [47,63].

As stated, we first looked into the model using the relationships specified in the model’s framework (see Figure 1).

Figure 1. Structural model risk types relations. (Source: generated by the authors based on PLS-SEM in SmartPLS 4.0.)

In the present study, the R² values for the constructs “Capital Adequacy Risk” and “Financial Risk” as the target variables of the model were of the greatest interest. The latent variables of the model explained that about 61.5% of the other types of risks affect the capital adequacy risk, and 32.0% of the other types of risk affect the financial risk (see Table 9). This is a relatively high level of R², indicating that the research determined the key factors that can influence the financial and capital adequacy for Fintech companies and, most likely, in businesses of comparable size and infrastructure.

Table 9. Direct effects.

Risk Group	β	f2	STDEV	2.5%	97.5%
AML risk → Capital adequacy	0.150	0.061	0.233	−0.229	0.680
AML risk → Finance	0.016	0.000	1.614	−0.602	0.765
Cyber risk → Capital adequacy	0.119	0.039	0.198	−0.179	0.592
Cyber risk → Finance	0.072	0.006	0.294	−0.470	0.663
Governance risk → Capital adequacy	0.742	1.202	0.278	0.223	1.223
Governance risk → Finance	0.218	0.044	1.482	−0.674	0.995
Operational risk → Capital adequacy	0.013	0.000	0.244	−0.467	0.433
Operational risk → Finance	0.447	0.044	3.507	−0.732	0.950
Staff risk → Capital adequacy	−0.062	0.005	0.393	−1.153	0.401
Staff risk → Finance	−0.200	0.023	1.175	−1.099	1.177

Source: generated by the authors on the basis of SmartPls 4.0.

Only five of ten hypotheses regarding the precise relationship between risks and other factors were confirmed (see Table 10). At the same time, it was found that governance risk has the biggest overall impact on capital sufficiency risk (β = 0.742 ± 0.722), and that cyber risk has the smallest overall impact (β = 0.119 ± 0.802).

Table 10. Result of hypotheses testing.

	Hypotheses	Result of Checking
H1	AML risk → Capital adequacy	Confirmed
H2	AML risk → Finance	Not Confirmed
H3	Cyber risk → Capital adequacy	Confirmed
H4	Cyber risk → Finance	Not Confirmed
H5	Governance risk → Capital adequacy	Confirmed
H6	Governance risk → Finance	Confirmed
H7	Operational risk → Capital adequacy	Not Confirmed
H8	Operational risk → Finance	Confirmed
H9	Staff risk → Capital adequacy	Not Confirmed
H10	Staff risk → Finance	Not Confirmed

Source: generated by the authors on the basis of SmartPls 4.0.

3.4. Overall Model Assessment

Without a comprehensive model evaluation, a PLS-SEM study cannot be finished. Unfortunately, this estimate did not perform excellently; the result of the standardized root means squared residual (SRMR) was 0.089, whereas the necessary value is 0.080. This difference is not terrible though, so it is still worth taking into account the findings of this research.

Given these details, we can conclude that the task has been completed and the exploration has been successfully conducted, with a clear grasp of its limitations and future research directions. Therefore, given the relationship between various types of risks and financial and capital adequacy risks, we will explore some opportunities in the discussion section.

4. Discussion

The research results show that human resources risks (staff risk) do not correlate with the financial and capital adequacy risk. Assessing and addressing the possible risks associated with having a workforce is known as human resources risks. These risks are linked to employee behavior and how the company recruits, retains, and manages employees and other kinds of workers. Despite the numerous articles where scholars define the importance of labor force management for the management of the company, this research shows that, based on the evaluations of five Fintech companies working in different fields and countries and further model evaluation, risk related to labor force—inadequate management or absence—does not have a direct effect on the financial results of the company.

Another result of the research is related to governance risk. The governance risk shows a strong correlation with the capital adequacy risk. This result emphasizes that despite the high digitalization of the Fintech business, the major influence on the company’s financial results is as a result of the company governance. In other words, it is not the effectiveness of the IT systems of the company but the effectiveness of the governance provided by the company’s managerial board that plays a major role.

The authors of this research show that KPIs have an obvious relationship with KRIs. Scholars distinguish KPIs and KRIs. KRIs are used to identify the possible risks, whereas KPIs evaluate the company performance. Even now, many businesses use these terms interchangeably. KPIs are frequently made to provide a broad overview of organizational success. Thus, even though these metrics might not be able to provide sufficient early warning signals of a developing risk, they are crucial for trend analysis and performance monitoring. KRIs emphasize just the opposite.

Research Limitations

Data from five distinct types of Fintech companies were used in the study. In terms of size, the degree of digitalization, and customer service strategies, we believe that other types of Fintech companies will have similar influencing risks with respect to the financial and capital adequacy risks. However, they were not considered by the authors, which can be seen as a limitation of this study.

The group of factors selected to establish the model construct also poses a restriction. Although the authors made an effort to take into account all potential indicators, it is still possible to broaden the set of indicators used, add additional variables, or use a different technique for data analysis.

Additionally, survey errors, particularly coverage and sampling errors, are a component of sampling studies. There will almost certainly be a difference between the sample and the general community. The findings of a single sample research cannot be regarded as representative if a large-scale randomized study has not been carried out. In such circumstances, numerous sample studies carried out by various authors can yield representative results.

It should be emphasized that the types of risks involved in this study limited the way in which the model could be interpreted. The authors decided that internal processes should be represented by the internal risk groups chosen for the modeling because the risk groups mentioned above reflect both internal and external processes. This decision can be seen as a limitation of this research because internal processes should be represented by internal risk groups.

5. Conclusions

The authors analyzed the key risk indicators of the business and the correlations between the company’s risk indicators with the purpose of developing the methodology for the key performance indicators selection. By choosing suitable KPIs based on observations of the business events specified by the risk parametrizations, the digitalization of the financial services industry, or Fintech, puts forward the requirements for digitalizing the company’s management processes.

The model’s elements and indicators were identified through the preliminary research. The authors interviewed five financial and Fintech companies in the European Union for this reason. Together with the risk specialists of these companies, a final risk elements list was created and grouped within the questionnaires. The risk components evaluations, based on the above-mentioned questionnaires, were used as a data source for the model. Taking into account the sensitivity of the data regarding their risks, the interviewees consented to participate under the condition of anonymity.

The authors agree that a larger sample size would contribute to the robustness of the results. A larger sample would help to capture a broader range of perspectives and experiences, thereby increasing the reliability and generalizability of the findings. This could involve expanding the number of financial and Fintech companies interviewed or including a more diverse set of participants, such as regulators, industry experts, or academics.

However, the purpose of the research was to evaluate the novel concept of selecting KPIs based on the five distinct categories of Fintech business models represented by risk indicators. The goal was to gain rich insights from a smaller number of participants rather than aiming for statistical representativeness. This approach allows for a detailed exploration of the risk factors and their impact on finance and capital adequacy in specific contexts. It would be beneficial for future studies to consider both qualitative and quantitative approaches. This would provide a more comprehensive analysis by combining in-depth interviews with a larger survey or data analysis, ensuring a balanced and well-rounded investigation.

Within this research, the model was constructed based on the risk types, representing the internal processes of the company. The authors considered the following groups of risks: governance risk, ICT risk, operational risk, financial crime risk, and human resources risk, and their impact on finance and capital adequacy. The model verified the correlation of the risk, representing internal processes toward the financial risk and capital adequacy risk. The authors assume that financial and capital adequacy risks are connected to the financial KPIs of the company. The study was carried out using PLS-SEM in SmartPLS 4.0 software.

The research shows that all the risks considered in the model, except for staff risk, correlate with the financial and/or capital adequacy risk. Approximately 61.5% of the other categories of risks that affect capital adequacy risk and 32.0% of the other types of risks that affect financial risk were explained by latent variables in the obtained model. The primary factors influencing the different risk types that impact financial and capital adequacy risk were identified in this study. These data could be used to create manual or automated KPI selection and evaluation models for Fintech firms or other businesses with comparable degrees of digitalization.

Despite the lack of a definitive correlation between staff risk and financial or capital adequacy risk, since the related hypothesis was rejected, this element significantly influenced the creation of the model. Events pertaining to these categories of risks must be excluded from the final model construction and calculation.

As a result, this research identified the crucial elements influencing the growth of KPIs based on financial and capital adequacy risk.

Stakeholders in this procedure include all divisions of Fintech companies. The outcomes can be used as a foundation for initiatives that seek to automate performance results. The purpose of this study was to demonstrate that the unified methodology for Fintech’s risks brings additional benefits, apart from the risk management efficacy itself: the ability to select KPIs based on the unique business model of Fintech. The authors devised an innovative approach to selecting comprehensive KPIs, covering all aspects of the exact Fintech business model.

All divisions of Fintech companies are stakeholders in this procedure. The obtained results can be used as a foundation for initiatives oriented toward automating the performance results analysis.