Next Article in Journal / Special Issue
Decentralized Enterprise Risk Management Issues under Rapidly Changing Environments
Previous Article in Journal
Economic Policy Uncertainty and Cryptocurrency Market as a Risk Management Avenue: A Systematic Review
Previous Article in Special Issue
Sustainable Risk Management in IT Enterprises
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Case Study on a Potential Application of Failure Mode and Effects Analysis in Assessing Compliance Risks

Department of Management and Business Economics, Budapest University of Technology and Economics, 1117 Budapest, Hungary
*
Author to whom correspondence should be addressed.
Submission received: 28 July 2021 / Revised: 2 September 2021 / Accepted: 5 September 2021 / Published: 9 September 2021
(This article belongs to the Special Issue Advances in Sustainable Risk Management)

Abstract

:
Assessing and reducing compliance risks can now be considered one of the core criteria for business success. While failure mode and effect analysis (FMEA) is widely used in engineering, its application in the financial sector is quite novel, primarily related to compliance risk assessment. This paper presents the results of exploratory research based on the potential application of FMEA in a focus group of compliance experts at one of the largest Central and Eastern European commercial banks. This study aims to establish a process for assessing compliance risks that builds on the strengths of both the qualitative and quantitative assessment methods. Applying FMEA based on a nominal group technique and further statistical analysis provides an opportunity to compare expert assessments and the consensus level of the participants. As a result, the similarity or difference of the assessment patterns can be quantified, providing objective feedback on the evaluation. Finally, this paper proposes lifting the detectability of failures as an evaluation dimension to the same level of importance as the probability and impact of non-compliance and using agreement testing statistical methods.

1. Introduction

The rapidly changing legal environment created the compliance management function to monitor external and internal regulations and manage compliance. Porter and Kramer (2011) drew attention to the fact that a business is embedded in society; a company’s success and society’s development are interrelated. Organizational integrity means that operations follow a clear set of values that meet societal expectations. The efficient operation of compliance supports the realization of integrity by encouraging compliance with the rules. In addition, compliance and trust are highly related (Braithwaite and Makkai 1994; Faizal et al. 2017; Wong and Jensen 2020). Thus, compliance affects international and domestic reputation, partnerships, and competitiveness (Castelfranchi et al. 1998; Kaminski and Robu 2016; Heidinger and Gatzert 2018; Kim 2019). In contrast, Ayadi et al. (2016) indicated that specific regulatory (Basel Committee on Banking Supervision 2013) compliance has no association with bank efficiency.

1.1. Contextual Background

The first significant publications on organizational compliance management described the links between transparency, business ethics, and compliance (Paine 1994; Trevino et al. 1999). The Turner Review (2009) analyzed the global banking crisis, while Silverman (2008) gave a comprehensive overview of organizational compliance management. Compliance management can be considered advanced in some sectors, such as financial services. The results of previous studies (Danescu and Spatacean 2011; Saramawati and Lubis 2014; Safari et al. 2015; Nor et al. 2017) show that compliance in the banking sector is still a challenge in several countries.
From the regulatory perspective, the Federal Sentencing Guidelines for Organizations (Murphy 2002), last amended in 2018 (Federal Sentencing Guidelines for Organizations 2018); the Sarbanes-Oxley Act (2002); and the COSO Internal Control-Integrated Framework (COSO 2013) serve as basic guidelines for effective compliance management (McNally 2013). Thus, an up-to-date compliance approach includes following the letter and the spirit of laws and regulations.
Good corporate governance means setting up internal controls and internal infrastructure in such a way that they are capable of managing risks. Enterprisewide risk management (EWRM) practices help companies to improve decision-making and contribute to company survival and value creation (Manab et al. 2010). Ng et al. (2013) highlighted the negative relationship between risk management committee characteristics and risk-taking in Malaysian insurance companies. According to a study (Sheedy et al. 2019) that criticized the definition of risk culture (Sheedy et al. 2017), the relative priority given to risk management instead of other competing priorities (just like short-term profit) of a financial institute can lead to financial issues.
On the organizational level, an e-Delphi-based study presented a possible option for focus group consensus making, related to assessing compliance issues using the questionnaire technique (Velez et al. 2020). However, the level of agreement between the evaluators was calculated only using a simple majority without further statistical analysis (providing more detailed information to the decision-makers); the study introduced a novelty in assessing compliance issues.
Haji Shahverdi and Zomorodian (2020) used structured interviews, surveys, checklists and obtained expert opinions to model the risk assessment practices of one bank. The collected data were analyzed with a risk matrix, where each factor’s impact and probability of occurrence were determined. According to Losiewicz-Dniestrzanska (2015), traditional risk matrices can be applied in the compliance assessment process. However, strategically important information can stay hidden or be considered insignificant, related to detecting the risk. Therefore, methods with more criteria to assess compliance risks can provide a more detailed assessment result.
Since the assessment of compliance risks can be interpreted as a multicriteria decision-making problem, it is natural that the consensus on compliance topics is challenging. According to Nicolas and May (2017), there are no regulatory requirements for applying a specific ranking or rating system in prioritizing risk areas. However, an effective rating system should reasonably ensure consistent conclusions (Nicolas and May 2017). The consistency can be estimated using statistical data related to the evaluation.
The complexity of the risk assessment can usually be managed using three different methods: quantitative, qualitative and applying both. Typical approaches in quantitative assessment methods and processes are failure mode and effect analysis (FMEA) and its variants (Liu et al. 2013), risk matrixes (RM) (Losiewicz-Dniestrzanska 2015) and their variants (Qazi et al. 2021), as well as the combination of these methodologies, such as the partial risk map (PRISM) methodology (Bognár and Benedek 2021). The FMEA methodology can be used to assess the risk of potential or existing failures of specific processes and prevent their occurrence. According to Chapman (1998), the qualitative methods are usually represented by the nominal group technique (Coker et al. 2014), the Delphi method (Velez et al. 2020) or the brainstorming technique. In general, the evaluation processes can be managed based on focus groups (Sutton and Arnold 2013). The most important reason for applying the nominal group technique in the risk evaluation process is to involve evaluators in a structured meeting, enabling the production of reliable and first-hand information (Zainuddin et al. 2020).
Kim et al. (2012) proposed risk assessment measures specializing in financial companies based on the combination of quantitative and qualitative methods for financial information security risk identification.

1.2. Research Design

The primary motivation for this study is to describe a possible methodological process, which can lead compliance experts to an agreement on ranking compliance risks with the possibility of statistical monitoring of the level of agreement.
The study focuses on developing a risk assessment process based on focus groups, using multi-dimensional evaluations that can also provide feedback on the level of agreement of the evaluators. The research question of this paper is:
Can an FMEA-based compliance risk assessment process be developed, which can also monitor the level of group agreement?
Two assumptions are examined in this paper. On the one hand, it is assumed that:
Assumption 1.
Differences can be revealed between organizational peer reviews by applying FMEA as a nominal group technique (A1).
Furthermore, it is assumed that:
Assumption 2.
Using FMEA as a nominal group technique, it can be shown that the experts of a given organization evaluate the risks more similarly to each other but somewhat differently compared to an external expert (A2).
The paper is organized as follows. Section 2 presents the risk approach in compliance management. Section 3 introduces the methodology and the empirical study, including the materials. Section 4 presents the results, while Section 5 discusses the results obtained. Finally, Section 6 summarizes this paper, including propositions for future research.

2. Risk Approach in Compliance Management

In the last three decades, the extent of regulatory changes has led to their observance becoming an independent task. “Compliance is a rather complex concept, since it includes, among others, financial, economic, tax, business, legal, ethical, sustainability, and proprietary compliance as well” (Boros 2019, p. 547).
COSO’s integrated internal control framework sets out international practices for internal control. In the model, internal control is a process designed to provide reasonable assurance of achieving organizational objectives such as efficient and effective operation, reliability of financial reporting, and compliance with applicable laws and regulations (COSO 2013). Thus, the framework is also a fundamental document for the development of compliance functions. The risk-based and control-focused approach has gained ground since the 1990s. In the 20th century, “there was an increased demand for advanced risk management, corporate governance, management techniques, and information flow, so the design and development of internal control systems also gained ground” (Kovács and Szóka 2016, p. 69).
The scope of compliance management varies from sector to sector (e.g., public administration, pharmaceutical industry). As with the internal control system, compliance management dynamically adapts to the expectations set by the company’s operating environment. The quality management system, compliance management, and risk management are functions supporting the internal control system. Their relationship is unique for each organization and is continuously changing. Even within a sector, each actor independently interprets the set of requirements that define its activities.
Banks are “dangerous” plants, as they face a wide range of risks in their operations, and the degree of risk is much higher than that of other business actors. “Corporate governance compliance level represents a company’s actions to fulfill regulatory obligations that aim to protect the public from potential investment losses in the banking industry” (Zulfikar et al. 2020). Regulations and guidelines applicable to the sector (e.g., Solvency II) aim to reduce business risks. The control functions, described as the first–second–third line of defense since 2013 (Institute of Internal Auditors 2013), protect the organization, while actively and proactively supporting the business/operational areas. The “three-line model”, significantly updated in July 2020 by the Institute of Internal Auditors (2020), focuses on the support function and risk management. In addition, developed and proven compliance solutions in the financial sector can also serve as a model for other sectors.
The goal of a compliance culture is essentially enacting a lasting change in workplace attitudes and behaviors (Asthon 2015). Integrated compliance-integrity programs emphasize developing an ethical organizational culture. Organizational values may include customer focus, honesty, and fairness. Among the principles of corporate governance formulated by the Organization for Economic Co-operation and Development (OECD 2015), transparency and fair treatment can be considered values. In practice, following organizational values appears as an independent goal, value-driven behavior, or work style (Pulay 2021).
In compliance, there is a distinction between so-called hard and soft compliance. In the case of “hard compliance”, the compliance requirements are written down in law or as regulations, and the expectations are specific and measurable. As for “soft compliance”, compliance can be interpreted continuously, typically meaning the extent to which guidelines and recommendations are being followed.
The ISO 19600:2014 guidelines facilitate the design, implementation, evaluation and maintenance of a compliance system.
Figure 1 shows the risk management logic of the guidelines. The starting point is understanding the organization’s context (in the middle top), as is usual for ISO standards. Then, risks are assessed in three steps. The first step is to identify the relevant risks and risk areas. Risk identification is followed by an analysis of the expected impacts and probabilities of occurrence. This is followed by a ranking of risks and prioritization in the risk assessment step. Finally, the process is closed with managing risks, designing and operating appropriate controls. Ranked risks can serve as input for strategy making. Performance can be measured at every point in the process described, and communication tasks are associated with each step.
Every organization operates in a dynamic environment. Some risks may be caused by external events (e.g., the COVID-19 pandemic), and others by internal events (e.g., IT disruptions). Therefore, understanding and actively shaping the environment is a key input factor in operation. Besides knowing the relevant expectations and rules, this includes knowing the audit logic and practice of the relevant auditing authorities.
An in-depth understanding of ongoing environmental changes enhances a more accurate assessment of risks. According to the risk approach, the negative consequences (e.g., sanctions, claims for damages) and the neutral or positive effects (e.g., reputation, strengthening of corporate values) must be considered before making a decision. In general, managers tend to misjudge uncertainty, i.e., the probability of events occurring (Delen 2019). According to the model of bounded rationality theory (Jones 2002), decision-makers accept the first satisfactory solution. Data analysis helps to estimate risks. The role of informatics is significant in detecting compliance incidents, as supplementing traditional expertise with data analysis tools can reveal suspicious patterns and trends indicating abuse (Ambrus and Farkas 2019). The risk assessment should be carried out in a repetitive, almost continuous manner of refinement.
An integrated risk management system is a process-based risk management system that includes the complete identification, assessment and risk management preparation of the organization’s risks and monitoring action plans. For example, governance, risk and compliance management (GRC) is an integrated approach to corporate risk management. GRC, as a comprehensive system, ensures the sustainability of business operations by incorporating risk approach and compliance management into the corporate culture.
In summary, compliance management is closely related to risk management in the most general sense. The international recommendation ISO 19600:2014 recognizes a risk-based approach to compliance, a complex individual or organizational risk appetite. Diverse experiences and incentives can cause significant differences in the way in which individual experts assess risks, from assessing the context to incidents that arise.

3. Materials and Methods

Section 3.1 focuses on introducing FMEA methodology, and the applied statistical methods (Spearman correlation analysis and Kendall rank concordance analysis) are presented. Then, in Section 3.2, the process of the data collection and the characteristics of the data are presented.

3.1. Methods

The traditional FMEA method was created in the 1960s, essentially as a tactical risk analysis methodology. However, the method has undergone significant development in the last sixty years, both in its application and methodological developments (Liu et al. 2013). The purpose of the FMEA is to assess the risks, usually for a product or process, and then reduce them through action plans (Huang et al. 2020). The traditional FMEA is a group method that builds on group assessment that develops during group members’ collective discussions. First, the team members involved in the risk assessment process determine what errors and failures may occur in the subject matter of the study, what the causes and consequences of these may be, and then assess the risks through several factors (Lo and Liou 2018).
The FMEA method evaluates the following three factors: the severity of the consequences, the frequency of occurrence, and the probability of detectability (Zhang et al. 2019). The method uses auxiliary tables for all three factors, which can characterize risks on a scale from one to ten in general, but not necessarily. The higher the risk, the higher the numerical value of that factor (Braglia 2000). Based on the value of the three factors, the resulting risk can be calculated. This is called the risk priority number (RPN), and its value is obtained according to the following formula:
RPN = S ∙ O ∙ D
In the formula, “S” indicates severity, “O” indicates occurrence, and “D” indicates the risk value for the detection factor. It follows from the product of the three values that the value of the RPN can take on its theoretical extremes between 1 and 1000.
Sorting the examined cases in descending order by RPN number, the riskiest ones can be identified, for which it is expedient to prioritize risk mitigation actions. Once the actions have been completed, the risk assessment is repeated. Then, based on the new list in descending order by RPN, the process can be restarted.
In the last few decades, scholars exerted significant effort in the quantitative development of the FMEA methodology, while the qualitative development has remained in the background. The most dominant part of these developments is related to the multicriteria decision making (MCDM) methods, such as the grey relational analysis (GRA)-based method (Chang et al. 2001), TOPSIS-based methods (Braglia et al. 2003; Lo et al. 2021), and many pairwise comparison methods using AHP or its variants (Chang 2015). In addition, the DEMATEL-based method (Seyed-Hosseini et al. 2006) has many citations in the quantitative methodological development of FMEA, as well as the VIKOR-based (Liu et al. 2012) and several DEA-based (Chin et al. 2009) methodologies. According to literature reviews, methodological developments have been increasing, especially in the last ten years (Liu et al. 2019; Huang et al. 2020).
One of the goals of FMEA is to provide a risk assessment on the interval scale measurement level. However, the scaling of the factors typically does not meet the preconditions of this level of measurement. Consequently, the RPN number can be best used to form ordinal scales. In this study, these variables are considered to compare individual peer reviews. Individual expert assessments are transformed to an ordinal measurement level so that individual expert opinions and group expert opinions can be professionally compared and examined. By examining the ranking statistically, it can be made visible how similar each expert opinion is. Spearman rank correlation calculation is used for these analyses.
Spearman’s rank correlation coefficient is a statistical method, which can be applied to describe the strength and direction of a relationship between two variables. The value of Spearman’s rank correlation coefficient is always between 1.0 and minus 1.0. If two rankings are the same, the coefficient will be equal to plus 1.0. If the two rankings are opposites, the coefficient will be minus 1.0. In the case of 0, the two rankings are independent of each other. In our empirical research, Spearman’s rank correlation coefficient was applied to analyze the pairwise similarity of the ranks of two compliance experts. In social sciences, 5% is set for the significance level of the coefficient. Therefore, in this research, a 5% significance level was applied.
Kendall’s rank concordance coefficient is a non-parametric test. However, this statistic is often applied as a prerequisite for aggregating individual assessments into group assessment results in the social sciences. Based on the value of the coefficient, the difference between ranks (two or more ranks) can be described. The statistic is often used to compare different rankings of judges or evaluators. The value of the coefficient is between 0 and 1.0. If the rankings are the same, the coefficient will be equal to 1.0. If the rankings are complete opposites, the coefficient will be 0. As in Spearman’s rank correlation, a 5% significance level is applied in the analysis. The coefficient is generally applied in assessing the level of agreement between a couple of evaluators. If the coefficient has a low value, the ranks are regarded as essentially random, so the aggregation of the ranks should not be executed.
Both coefficients (Spearman’s rank correlation and Kendall’s rank concordance) are often used in qualitative assessments based on focus groups, since these coefficients can compare a small number of records (even just two) to each other.

3.2. Materials

The primer data collection of the study was performed at one of the largest Central and Eastern European commercial banks in January 2021. According to the literature, the optimum size of a focus group is between three and fourteen participants, excluding researchers (Bloor et al. 2001; Gill et al. 2008). Thus, six people participated in the focus group—three compliance experts from the headquarters of the commercial bank, one external compliance expert and two moderators. The selected bank experts had to fulfil the following criteria: having more than ten years of experience in compliance management in the banking sector, with over five years of experience at the current bank. On the other hand, the external expert had grounded regulatory knowledge and general compliance experience but little knowledge of the bank’s specific internal processes, compliance management system, and philosophy.
The steps of the empirical research are shown in Figure 2.
Before the workshop, the bank was asked to describe existing compliance risks. The focus, among the broadly applicable compliance risks, was on the administration of the bank branch. In all cases, the emphasis was that the bank administrator does not make the right decision in a given situation, so there is a risk of compliance due to the wrong decision.
Numerous bank branch administration-related compliance risks can appear in the processes of every bank. In the case study, the focus on was presenting the steps of an assessment methodology. Out of the total sum of thirty cases provided by the bank, six cases were selected randomly for the analysis. The methodology would be the same if more or fewer cases were involved. The risk assessment of the randomly selected cases was the task of the four experts. Table 1 briefly presents the situations selected for analysis.
In recent decades, there has been a broad theoretical consensus in the research community on which scales should be used to assess each dimension of risk assessment (Liu et al. 2013). Nevertheless, in practice, scales are often modified to meet the measurement or estimation requirements of the analyzed product or process (Bognár and Benedek 2021). The participants used the FMEA factor scales presented in Table 2, Table 3 and Table 4.
The FMEA factors were evaluated using four-point scales. As a result, the value of the risk index (RPN), the product of the three factors, can be between 1 and 64.
During the focus group workshop, the selected cases were made available to the experts. The experts then carried out the risk assessment individually, independently of each other, as a nominal group. In doing so, the evaluators rated the six cases according to the three scales previously defined. Table 5 summarizes the assessments of the four participants (“S”—severity, “O”—occurrence “D”—detection), including the calculated RPN values.
Table 6 shows the summary scoreboards. Two mergers of the individual results were performed. In one merger, the results of the risk assessment performed by all four experts were found. In the other case, only the results of compliance experts of the bank (“Compliance Expert 1”, “Compliance Expert 2”, “Compliance Expert 3”) were applied. The applied methodology for the aggregation was simple arithmetic averaging.
Based on the tables of individual and group risk assessments, it can be concluded that the risk assessment of each factor and the RPN indicator differ. Therefore, the tables describing the risk values are converted to the ranking tables shown in Table 7 and Table 8. Thus, the higher the risk value a case receives, the higher it ranks in the rankings.

4. Results

The research results are presented according to the research assumptions described in Section 1.2. Therefore, the results related to the first assumption (A1) are described first.
Table 5 provides a partial answer to the first assumption, as the evaluation tables of the organization’s experts are different. The necessary step to complete the analyses was transforming the expert result tables into ordinal evaluations. These rankings are presented in Table 7. Next, rank correlation and rank concordance analysis was performed.
Regarding the first assumption (A1), the differences between organizational peer reviews were examined separately using Spearman’s rank correlation and Kendall’s rank concordance coefficients.
Table 9 shows the results of Spearman’s rank correlation analysis. Again, the Spearman rho value is below 1.0 for any expert comparison, showing a significant difference in the result at the 5% significance level in only one case. This case is highlighted in the table.
Table 10 shows the results of Kendall’s rank concordance analysis.
The previous correlation analysis results show that the Kendall W values cannot reach 1.0 either. However, the table shows that the Kendall W values fluctuate around 0.9 and are significant at the 5% significance level in all cases.
The results related to the second assumption (A2) are described below. Table 5 and Table 7 provide data for this analysis. Finally, Table 11 shows the correlations of the rankings of each internal expert and the external expert using Spearman’s rank correlation.
Including the external expert, the Spearman rho value is below 1.0, showing significant similarity at the 5% significance level of the results in only one case. This case is highlighted in the table. Table 12 shows Kendall’s rank concordance analysis results calculated for the rankings of the external expert and the compliance experts of the bank.
For the four rankings formed with the involvement of an external expert, the Kendall W values are significant at the 5% significance level. Reading the results in Table 10 and Table 12 together shows that the Kendall rank concordance values were reduced with the involvement of an external expert. This phenomenon is particularly significant for RPN (dropping from 0.948 to 0.757).

5. Discussion and Managerial Implications

5.1. Discussion

It can be concluded that very similar assessments were made, as the Spearman rho values were all significant and close to 1.0, except for one case. The examination of the group-level agreement shows that the agreement between the compliance experts of the bank is significant, as the Kendall W value is significant in all cases and close to 1.0. However, using a simple majority to indicate a group’s agreement level (Velez et al. 2020) is a possible option. As for decision support, Kendall’s rank concordance coefficient provides more detailed information. According to Nicolas and May (2017), an effective rating system should reasonably ensure consistent conclusions, and the statistical monitoring of the results supports this.
The tables assessing the severity, occurrence, and detection created to assess compliance risks are sufficiently good descriptors of risk levels, and experts see the risks behind each case in a similar way. With the traditional FMEA methodology, the above cannot be examined, as individual assessments are not available there. In this respect, the risk assessment methodology based on the nominal group technique is presented, in which the participants carry out the risk assessment independently, provides feedback on its applicability. It examines whether the independent expert opinions differ too much. In the case of significant discrepancies, averaging the evaluations would not give a reliable result. Focus on other short-term activities can shift the focus away from risk management (Sheedy et al. 2019), while monitoring the agreement level of the evaluators can enhance focus on risk management.
It can be stated that the external expert sees the emphasis on the organization’s compliance risks significantly differently. This finding is supported by the pairwise comparison of the rankings of the external expert and the organizational experts, which resulted in a significantly similar ranking in only one case. Furthermore, Spearman rho values are particularly low for detectability and RPN values, in which case there is a significant difference in evaluations. In this respect, it can be stated that the method can select experts based on their knowledge. This selection can be based on a pairwise and group comparison of the patterns of the individual rankings, and several conclusions can be drawn from them, which are presented in Section 6.
Referring to the application of the risk matrices in assessing compliance issues (Losiewicz-Dniestrzanska 2015), the most significant differences are between the assessments by the detection factor of FMEA. The only non-significant result between the assessments of the organizational experts is produced using the detection rating factor (Table 9). On the other hand, the most significant difference between the assessments of organizational and external experts is in the detection rating (Table 11). This result highlights the relative importance of the detection rating factor and the application of FMEA instead of risk matrices (Haji Shahverdi and Zomorodian 2020), since the detection rating factor summarizes a lot of information, which can be taken into account during the assessment. Additionally, the application of the FMEA instead of risk matrixes can be advised in other operation fields (Qazi et al. 2021).
As the Kendall W values are sufficiently high for the totals of the results of the evaluation of the compliance experts of the bank, the section of Table 6 entitled “Aggregate evaluations (involving the compliance experts of the bank)” can be considered as part of the risk assessment scoreboard. Furthermore, Table 8, namely the section entitled “Aggregate rankings (involving the compliance experts of the bank)”, can be considered the risk assessment ranking table. Finally, Table 13 shows the six cases in descending order of RPN values based on the evaluations of the compliance experts of the bank.
It is recommended to introduce measures to reduce the level of risk in each case, in the above order. For example, in case “C”, corrective or developmental measures are expected to be worthwhile to increase detectability or decrease frequency. Following a successful action, it is advisable to repeat the risk assessment and the risk mitigation measures until an extent is reached where the level of risk can already be tolerated compared to the cost of risk reduction.

5.2. Managerial Implications

How can the proposed process contribute to risk management or mitigation? As shown in Figure 1, risk assessment, analysis, and evaluation are essential risk treatment or management prerequisites. Out of the three FMEA factors, the frequency of occurrence and the severity of the consequences are widely used dimensions in risk matrices. One important novelty of the FMEA’s application in the financial sector is elevating the detectability of failures as an evaluation dimension to the same level of importance. If the available data support FMEA factor assessment (i.e., frequency or time series data), they could provide a better basis for decision-making. Furthermore, the authors propose supplementing the risk analysis of the ISO 19600:2014 guidelines with the dimension of failure detection.
Comparative analysis of expert evaluations may provide information on the lack of particular knowledge or experience. On the contrary, it can reveal new perspectives or raise awareness on new issues, contributing to a better understanding of the organization’s risk exposure. The individual evaluation of risks in this process can be completed with a later group-level discussion of the results. Furthermore, the cases involved in the process might be imported into training for new entrants or other specific compliance training (such as on worker safety and the behavior of sales representatives).
From a management perspective, it is vital that using this process does not require extra resources or infrastructure. Having robust compliance risk assessments can reduce fines or penalties in the case of potential non-compliance, according to FSGO in the US. In addition, compliance boards might consider using consensus or agreement testing beyond the 19600:2014 guidelines. Finally, an effectively designed compliance risk assessment process helps to allocate resources efficiently and to identify responsible risk owners for managing each type of compliance risk.

6. Conclusions

This study aimed to describe a possible methodological process for monitoring group-level agreement on ranking compliance risks. First, a brief introduction to compliance management, compliance risk assessment and risk assessment methodologies was presented.
In response to the research question formulated in Section 1.2, the process based on the FMEA method to assess compliance risks may be worthwhile. The proposed process can also be used in monitoring the level of group agreement. However, it can only be suitable for comparing expert assessments if they perform the FMEA-based risk analysis as a nominal group, i.e., independently.
Two assumptions have been examined in this paper. Considering the first assumption, the results highlight that FMEA used as a nominal group technique may provide an opportunity to compare the assessments of compliance risk evaluators and compare the individual assessments with the aggregated results. Understanding quantified disagreement in the views of experts can be beneficial in the development of compliance management systems. In addition, these differences draw attention to the differing interpretations of phenomena.
Considering the second assumption, the results show that applying the methodology may allow different expert assessments to be distinguished from the others. In addition to the regular monitoring of employee knowledge, this method can also provide an opportunity to identify new perspectives. If one assessment differs significantly from the others, it may contain essential new insights or other elements.
Section 2 presents how compliance management is closely related to risk management in the most general sense. ISO 19600:2014 recognizes a risk-based approach to compliance. Diverse experiences and incentives can cause significant differences in the ways in which individual experts assess risks, from assessing the operational context to incidents that arise.
The primary data collection of the case study was performed at one of the largest Central and Eastern European commercial banks in January 2021. The steps of the empirical research, the materials used, the FMEA methodology and the applied statistical methods (Spearman correlation analysis and Kendall rank concordance analysis) are detailed in Section 3. The presented method goes beyond risk matrices, which are typically prevalent in the financial sector. Instead, the risk assessment methodology is based on the nominal group technique, in which the participants carry out the risk assessment independently.
The results are presented in Section 4. The tables assessing the severity, occurrence, and ease of detection of compliance risks are sufficiently good descriptors of risk levels. The group-level agreement shows that the agreement between the compliance experts of the bank is significant. Table 10 and Table 12 together show that the levels of agreement on the ranking of compliance risks (Kendall rank concordance values) were reduced with the involvement of an external expert.
In Section 5, the results are discussed. The risk assessment methodology based on the nominal group technique provides feedback on its applicability. It examines whether the independent expert opinions differ too much. In the case of significant discrepancies, averaging the evaluations would not give a reliable result. In this study, the external expert evaluated the organization’s compliance risks significantly differently, especially in evaluating the ease of detection.
In the future, it is worthwhile to carry out studies to see if there is any trend in the assessment of each type of risk for clearly identifiable risks. Similar to the above argument, it is agreed that the research should be carried out in the knowledge of regional categorizing variables in the bank’s domestic and international branch network, providing research opportunities, according to which the possible regional impact could be described.
Furthermore, future research could examine whether the individual expert results are more closely or weakly related to the group results if the risk assessment is performed as a nominal group.
By changing the described case study (number of cases, evaluators, application of relative scaling instead of auxiliary tables), evaluations and conclusions can be drawn using statistical methods formed based on high measurement level variables. Thus, it is possible to present a more nuanced image with a sufficiently large number of sample elements.

Author Contributions

Conceptualization, methodology, writing—original draft preparation, and writing—review and editing, F.B. and P.B. Both authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Ambrus, István, and Ádám Farkas. 2019. Az informatika szerepe a compliance-ben; forensic data analytics (FDA). In A Compliance Alapkérdései—Az Etikus Vállalati Működés Elmélete és Gyakorlata. Budapest: Wolters Kluwer, pp. 44–45. [Google Scholar]
  2. Asthon, Jeanette. 2015. 15 years of whistleblowing protection under the Public Interest Disclosure Act 1998: Are we still shooting the messenger. Industrial Law Journal 44: 29–52. [Google Scholar] [CrossRef]
  3. Ayadi, Rym, Sami Ben Naceur, Barbara Casu, and Barry Quinn. 2016. Does Basel compliance matter for bank performance? Journal of Financial Stability 23: 15–32. [Google Scholar] [CrossRef] [Green Version]
  4. Basel Committee on Banking Supervision. 2013. Principles for Effective Risk Data Aggeration and Risk Reporting. Available online: http://www.bis.org/publ/bcbs222.pdf (accessed on 6 September 2021).
  5. Bloor, Michael, Jane Frankland, Michelle Thomas, and Kate Robson. 2001. Focus Groups in Social Research. London: Sage Publications. [Google Scholar]
  6. Bognár, Ferenc, and Petra Benedek. 2021. A Novel Risk Assessment Methodology: A Case Study of the PRISM Methodology in a Compliance Management Sensitive Sector. Acta Polytechnica Hungarica 18: 89–108. [Google Scholar] [CrossRef]
  7. Boros, Anita. 2019. Compliance Audit Issues of State-owned Business Associations. Public Finance Quarterly 64: 542–58. [Google Scholar] [CrossRef]
  8. Braglia, Marcello, Marco Frosolini, and Roberto Montanari. 2003. Fuzzy TOPSIS approach for failure mode, effects and criticality analysis. Quality and Reliability Engineering International 19: 425–43. [Google Scholar] [CrossRef]
  9. Braglia, Marcello. 2000. MAFMA: Multi-attribute failure mode analysis. International Journal of Quality and Reliability Management 17: 1017–33. [Google Scholar] [CrossRef] [Green Version]
  10. Braithwaite, John, and Toni Makkai. 1994. Trust and Compliance. Policing & Society 4: 1–12. [Google Scholar] [CrossRef]
  11. Castelfranchi, Cristiano, Rosaria Conte, and Mario Paolucci. 1998. Normative reputation and the costs of compliance. Journal of Artificial Societies and Social Simulation 1: 3. [Google Scholar]
  12. Chang, Ching-Liang, Ping-Hung Liu, and Chiu-Chi Wei. 2001. Failure mode and effects analysis using grey theory. Integrated Manufacturing Systems 12: 211–16. [Google Scholar] [CrossRef]
  13. Chang, Kuei-Hu. 2015. Generalized multi-attribute failure mode analysis. Neurocomputing 175: 90–100. [Google Scholar] [CrossRef]
  14. Chapman, Robert J. 1998. The effectiveness of working group risk identification and assessment techniques. International Journal of Project Management 16: 333–43. [Google Scholar] [CrossRef]
  15. Chin, Kwai-Sang, Ying-Ming Wanga, Gary K. K. Poon, and Jian-Bo Yang. 2009. Failure mode and effects analysis by data envelopment analysis. Decision Support Systems 48: 246–56. [Google Scholar] [CrossRef]
  16. Coker, Joshua, Analia Castiglioni, F. Stanford Massie, Stephen W. Russell, Terrance Shaneyfelt, Lisa L. Willett, Carlos A. Estrada, Ryan R. Kraemer, Jason L. Morris, and Martin Rodriguez. 2014. Evaluation of an Advanced Physical Diagnosis Course Using Consumer Preferences Methods: The Nominal Group Technique. The American Journal of the Medical Sciences 347: 199–205. [Google Scholar] [CrossRef]
  17. COSO. 2013. Internal Control—Integrated Framework, Executive Summary. Available online: https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf (accessed on 23 August 2021).
  18. Danescu, Tatiana, and Ovidiu Spatacean. 2011. Assessing complience with corporate governance principles in case of Romanian financial investment companies. Annales Universitatis Apulensis Series Oeconomica 13: 338–50. [Google Scholar]
  19. Delen, Dursun. 2019. Introduction to Business Analytics and Decision-making. In Prescriptive Analytics: The Final Frontier for Evidence-Based Management and Optimal Decision Making. Upper Saddle River: Pearson FT Press. [Google Scholar]
  20. Faizal, Sellywati M., Mohd Rizal Palil, Ruhanita Maelah, and Rosiati Ramli. 2017. Perception on justice, trust and tax compliance behavior in Malaysia. Kasetsart Journal of Social Sciences 38: 226–32. [Google Scholar] [CrossRef]
  21. Federal Sentencing Guidelines for Organizations. 2018. Guidelines Manual Annotated. Chapter 8. Available online: https://www.ussc.gov/guidelines/2018-guidelines-manual/ (accessed on 23 August 2021).
  22. Gill, Paul, Kate F. Steward, Elizabeth Treasure, and Barbara L. Chadwick. 2008. Methods of data collection in qualitative research: Interviews and focus groups. British Dental Journal 204: 291–95. [Google Scholar] [CrossRef] [PubMed]
  23. Haji Shahverdi, Donya, and Gholam R. Zomorodian. 2020. Compliance risk assessment by modeling the documents of the International Organization for Standardization and the guidelines of the Tradeway Commission (Case study of one of the operating banks). Journal of Business Management 12: 274–91. [Google Scholar]
  24. Heidinger, Dinah, and Nadine Gatzert. 2018. Awareness, determinants and value of reputation risk management: Empirical evidence from the banking and insurance industry. Journal of Banking and Finance 91: 106–18. [Google Scholar] [CrossRef]
  25. Huang, Jia, Jian-Xin You, Hu-Chen Liu, and Ming-Shun Song. 2020. Failure mode and effect analysis improvement: A systematic literature review and future research agenda. Reliability Engineering and System Safety 199: 106885. [Google Scholar] [CrossRef]
  26. Institute of Internal Auditors. 2013. The Three Lines of Defense in Effective Risk Management and Control. Available online: https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf (accessed on 23 August 2021).
  27. Institute of Internal Auditors. 2020. The IAA’s Three Lines Model. Available online: https://global.theiia.org/about/about-internal-auditing/Public%20Documents/Three-Lines-Model-Updated.pdf (accessed on 23 August 2021).
  28. ISO. 2014. Compliance Management Systems Guidelines. ISO 19600:2014. [Google Scholar]
  29. Jones, Bryan D. 2002. Bounded Rationality and Public Policy: Herbert A. Simon and the Decisional Foundation of Collective Choice. Policy Sciences 35: 269–84. [Google Scholar] [CrossRef]
  30. Kaminski, Piotr, and Kate Robu. 2016. A Best-Practice Model for Bank Compliance. Available online: www.mckinsey.com/business-functions/risk/our-insights/a-best-practice-model-for-bank-compliance (accessed on 23 August 2021).
  31. Kim, Ae C., Su M. Lee, and Dong H. Lee. 2012. Compliance risk assessment measures of financial information security using system dynamics. International Journal of Security and its Applications 6: 191–200. [Google Scholar]
  32. Kim, Matthew D. 2019. Reputation and Compliance with International Human Rights Law: Experimental Evidence from the US and South Korea. Journal of East Asian Studies 19: 215–38. [Google Scholar] [CrossRef]
  33. Kovács, Tamás, and Károly Szóka. 2016. Belső kontrollfunkciók a pénzügyi intézményekben—Szabályozás és annak felépítése Magyarországon. Gazdaság és Társadalom 3: 69–82. [Google Scholar] [CrossRef]
  34. Liu, Hu-Chen, Long Liu, and Nan Liu. 2013. Risk evaluation approaches in failure mode and effects analysis: A literature review. Expert Systems with Applications 40: 828–38. [Google Scholar] [CrossRef]
  35. Liu, Hu-Chen, Long Liu, Nan Liu, and Ling-Xiang Mao. 2012. Risk evaluation in failure mode and effects analysis with extended VIKOR method under fuzzy environment. Expert Systems with Applications 39: 12926–34. [Google Scholar] [CrossRef]
  36. Liu, Hu-Chen, Xu-Qi Chen, Chun-Yan Duan, and Ying-Ming Wang. 2019. Failure mode and effect analysis using multi-criteria decision making methods: A systematic literature review. Computers and Industrial Engineering 135: 881–97. [Google Scholar] [CrossRef]
  37. Lo, Huai-Wei, and James J. H. Liou. 2018. A novel multiple-criteria decision-making-based FMEA model for risk assessment. Applied Soft Computing Journal 73: 684–96. [Google Scholar] [CrossRef]
  38. Lo, Huai-Wei, Chao-Che Hsu, Chun-Nen Huang, and James J. H. Liou. 2021. An ITARA-TOPSIS Based Integrated Assessment Model to Identify Potential Product and System Risks. Mathematics 9: 239. [Google Scholar] [CrossRef]
  39. Losiewicz-Dniestrzanska, Ewa. 2015. Monitoring of compliance risk in the bank. Procedia Economics and Finance 26: 800–5. [Google Scholar] [CrossRef] [Green Version]
  40. Manab, Norlida Abdul, Isahak Kassim, and Mohd R. Hussin. 2010. Enterprise-Wide Risk Management (EWRM) Practices: Between Corporate Governance Compliance and Value Creation. International Reviews of Business Research Papers 6: 239–52. [Google Scholar]
  41. McNally, J. Stephen. 2013. The 2013 COSO Framework & SOX Compliance. Available online: https://www.coso.org/documents/COSO%20McNallyTransition%20Article-Final%20COSO%20Version%20Proof_5-31-13.pdf (accessed on 23 August 2021).
  42. Murphy, Diana. E. 2002. The Federal Sentencing Guidelines for Organizations: A Decade of Promoting Compliance and Ethics. Iowa Law Review 87: 697–719. [Google Scholar]
  43. Ng, Tuan-Hock, Lee-Lee Chong, and Hishamuddin Ismail. 2013. Is the risk management committee only a procedural compliance? An insight into managing risk taking among insurance companies in Malaysia. Journal of Risk Finance 14: 71–86. [Google Scholar] [CrossRef]
  44. Nicolas, Stephanie, and Paul V. May. 2017. Building an effective compliance risk assessment programme for a financial institution. Journal of Securities Operations and Custody 9: 215–24. [Google Scholar]
  45. Nor, Fauzias M., Amir Shaharuddin, Ainulashikin Marzuki, Norhaziah Nawai, and Muhammad Zainuddin. 2017. Risk Management, Shariah Compliance Governance and Sustainable Growth of Islamic Banks in Malaysia. Advanced Science Letters 23: 5011–15. [Google Scholar] [CrossRef]
  46. OECD. 2015. G20/OECD Principles of Corporate Governance. Paris: OECD Publishing. [Google Scholar] [CrossRef]
  47. Paine, Lynn S. 1994. Managing for Organizational Integrity. Harvard Business Review 72: 106–17. [Google Scholar]
  48. Porter, Michael E., and Mark R. Kramer. 2011. Creating Shared Value, How to reinvent capitalism—And unleash a wave of innovation and growth. Harvard Business Review 89: 62–77. [Google Scholar]
  49. Pulay, Gy. 2021. A szabálykövetéstől az értékkövetésig. Public Finance Quarterly 2021: 165–69. [Google Scholar]
  50. Qazi, Abroon, Abdulrahim Shamayleh, Sameh El-Sayegh, and Steven Formaneck. 2021. Prioritizing risks in sustainable construction projects using a risk matrix-based Monte Carlo Simulation approach. Sustainable Cities and Society 65: 102576. [Google Scholar] [CrossRef]
  51. Safari, Maryam, Soheila Mirshekary, and Victoria Wise. 2015. Compliance with corporate governance principles: Australian evidence. Australasian Accounting Business and Finance Journal 9: 3–19. [Google Scholar] [CrossRef]
  52. Saramawati, Dedhi A. M., and Ahmad T. Lubis. 2014. Analysis of Sharia Compliance Disclosure in the Implementation of Good Corporate Governance in Bank Syariah Indonesia. Jurnal Akuntansi dan Keuangan Islam 2: 107–26. [Google Scholar] [CrossRef]
  53. Sarbanes-Oxley Act. 2002. Public Law 107–204—July 30, 2002. Available online: https://www.govinfo.gov/content/pkg/PLAW-107publ204/pdf/PLAW-107publ204.pdf (accessed on 23 August 2021).
  54. Seyed-Hosseini, Seyed M., Nima Safaei, and Asgharpour Mohammad J. 2006. Reprioritization of failures in a system failure mode and effects analysis by decision making trial and evaluation laboratory technique. Reliability Engineering and System Safety 91: 872–81. [Google Scholar] [CrossRef]
  55. Sheedy, Elizabeth A., Barbara Griffin, and Jennifer P. Barbour. 2017. A Framework and Measure for Examining Risk Climate in Financial Institutions. Journal of Business and Psychology 32: 101–16. [Google Scholar] [CrossRef]
  56. Sheedy, Elizabeth, Le Zhang, and Kenny C. H. Tam. 2019. Incentives and culture in risk compliance. Journal of Banking and Finance 107: 105611. [Google Scholar] [CrossRef]
  57. Silverman, Michael. 2008. Compliance Management for Public, Private, and Nonprofit Organizations. New York: McGraw Hill. [Google Scholar]
  58. Sutton, Steve G., and Vicky Arnold. 2013. Focus group methods: Using interactive and nominal groups to explore emerging technology-driven phenomena in accounting and information systems. International Journal of Accounting Information Systems 14: 81–88. [Google Scholar] [CrossRef]
  59. The Turner Review. 2009. A Regulatory Response to the Global Banking Crises; London: Financial Services Authority, pp. 79–80.
  60. Trevino, Linda K., Gary R. Weaver, David G. Gibson, and Barbara L. Toffler. 1999. Managing Ethics and Legal Compliance, what works and what hurts. California Management Review 41: 131–51. [Google Scholar] [CrossRef] [Green Version]
  61. Velez, Sophia, Michael Neubert, and Daphne Halkias. 2020. Banking Finance Experts Consensus on Compliance in US Bank Holding Companies: An e-Delphi Study. Journal of Risk and Financial Management 13: 28. [Google Scholar] [CrossRef] [Green Version]
  62. Wong, Catherine M. L., and Olivia Jensen. 2020. The paradox of trust: Perceived risk and public compliance during the COVID-19 pandemic in Singapore. Journal of Risk Research 23: 1021–30. [Google Scholar] [CrossRef]
  63. Zainuddin, Nurbaini, Rasimah C. M. Yusuff, and Ganthan N. Samy. 2020. Risk Evaluation Using Nominal Group Technique for Cloud Computing Risk Assessment in Healthcare. International Journal on Advanced Science Engineering and Information Technology 10: 106–11. [Google Scholar] [CrossRef]
  64. Zhang, Hengjie, Jing Xiao, and Yucheng Dong. 2019. Integrating a consensus-reaching mechanism with bounded confidences into failure mode and effect analysis under incomplete context. Knowledge-Based Systems 183: 104873. [Google Scholar] [CrossRef]
  65. Zulfikar, Rudi, Niki Lukviarman, Djoko Suhardjanto, Tubagus Ismail, Kurniasih Dwi Astuti, and Meutia Meutia. 2020. Corporate Governance Compliance in Banking Industry: The Role of the Board. Journal of Open Innovation: Technology, Market, and Complexity 6: 137. [Google Scholar] [CrossRef]
Figure 1. Risk-based approach in ISO 19600:2014 (ISO 2014).
Figure 1. Risk-based approach in ISO 19600:2014 (ISO 2014).
Risks 09 00164 g001
Figure 2. The process of the empirical research.
Figure 2. The process of the empirical research.
Risks 09 00164 g002
Table 1. Six bank branch cases subject to risk assessment.
Table 1. Six bank branch cases subject to risk assessment.
CaseA Risky Event at the Bank BranchInterpretation of the Risk
AAn elderly lady is accompanied by a young woman to the bank branch who claims to be the client’s granddaughter. The attendant wants to withdraw a large amount of cash from the customer’s account. It seems that the client agrees with everything, cooperates, does not object to anything, signs the necessary documents. The clerk will serve them in the ordinary course of business.For many elderly clients, self-administration is a challenge. The risk is whether the attendant is entitled to represent the client’s interests. It reduces the risk if the agent actively involves the client and makes sure that they intend to execute the transaction and are not under an external influence.
BAn acquaintance calls the bank clerk on the phone to check his account because he thinks the bank has charged the wrong fee. The clerk asks for a callback on the corporate mobile and then looks at the bill.The risk is an irregular account view. Therefore, the clerk should direct informative inquiries to official channels. The proper procedure, in this case, is for the customer to report his complaint in person at a bank branch or through telephoning customer service.
CIn addition to many data and contact details, the client was asked to send a bank statement and provide an application connected to an online job interview. In response to his concerns, the bank administrator reassures the customer, as the information on the bank statement is insufficient to obtain the account’s disposition.The risk is the misuse of data and possible unauthorized access to the client’s assets. Therefore, it is necessary to disable Internet banking access and the bank card and inform the bank security.
DActing as the legal representative of a minor client, her mother wants to withdraw the total amount from the account and, at the same time, initiate the termination of the account. The parent acted as the minor’s legal representative when opening the account. The administrator will comply with the representative’s requests.The risk is also whether the parent is entitled to represent the interests of the minor client, so it is necessary to present the minor’s identity document and address card. The court may have revoked the right of a legal representative since the account was opened.
EThe spouse of the bank clerk wants to open an account with the bank. The administrator performs the account opening.The risk is a conflict of interest. Administration for family members is a conflict of interest. In this case, another administrator is required to perform the procedure.
FThe customer takes out travel insurance at the bank branch. However, the administrator does not inform the client about the possibility of reporting the use of the bank card abroad.Proactive action can contribute to the smooth use of the bank card. The main risk is credit card misuse, which can be reduced with prior notice. At the same time, this can avoid the mere use of a card abroad raising suspicion in transaction monitoring. Therefore, it is easy to improve the security of credit card use and avoid false restrictions in this situation.
Table 2. Scale of occurrence.
Table 2. Scale of occurrence.
Probability of OccurrenceFrequency of OccurrenceValue
HighWeekly4
ModerateMonthly3
LowAnnually2
Very lowLess often than annually1
Table 3. Scale of severity.
Table 3. Scale of severity.
The Extent of the ImpactThe Severity of the ConsequenceValue
CriticalSerious financial, reputational and legal consequences.4
SignificantSignificant financial, reputational and legal consequences.3
ModerateMinor financial, reputational and legal consequences.2
LowNo or negligible financial and legal consequences or damage to reputation.1
Table 4. Scale of detection.
Table 4. Scale of detection.
Degree of DetectabilityProbability of Detection by InspectionValue
Not detectedThe inspection does not detect the failure or the cause of the failure, or there is no inspection.4
Hard to detectInternal audit notices the failure or the cause of the failure.3
Easy to detectThe second line of defense detects the failure or the cause of the failure.2
Almost certainly noticeableAccount-level verification detects the failure or the cause of the failure.1
Table 5. Summary of individual evaluations.
Table 5. Summary of individual evaluations.
Compliance Expert 1Compliance Expert 2
CASESODRPNSODRPN
A3242433436
B142824216
C3343634336
D3141232424
E12121326
F23161326
Compliance Expert 3External Expert
CASESODRPNSODRPN
A3343622416
B1431224432
C234242228
D313932318
E12241236
F13261313
Table 6. Aggregated evaluation tables.
Table 6. Aggregated evaluation tables.
Aggregate Evaluations
(Involving All Experts)
Aggregate Evaluations
(Involving the Compliance Experts of the Bank)
CASESODRPNSODRPN
A2.752.542832.67432
B1.542.75171.3342.3312
C2.533.25242.673.333.6733
D31.53.51631.333.6715
E12.2524.512.331.673.9
F1.2531.55.61.3331.676.7
Table 7. Summary table of rankings based on individual evaluations of the experts.
Table 7. Summary table of rankings based on individual evaluations of the experts.
Compliance Expert 1Compliance Expert 2
CASESODRPNSODRPN
A13121211
B31342133
C12111121
D14131312
E33463234
F22453234
Compliance Expert 3External Expert
CASESODRPNSODRPN
A12112313
B31232111
C22122334
D14241322
E33363325
F32353246
Table 8. Tables of aggregate rankings.
Table 8. Tables of aggregate rankings.
Aggregate Rankings
(Involving All Experts)
Aggregate Rankings
(Involving the Compliance Experts of the Bank)
CASESODRPNSODRPN
A23111412
B41433134
C32322221
D15241623
E64564546
F52653345
Table 9. Rank correlations for examining evaluations by organizational experts.
Table 9. Rank correlations for examining evaluations by organizational experts.
Expert vs. ExpertSODRPN
Spearman RhoSignificance LevelSpearman RhoSignificance LevelSpearman RhoSignificance LevelSpearman RhoSignificance Level
Compliance expert 1 vs. 2 0.8500.0320.8740.0230.9000.0150.9710.001
Compliance expert 1 vs. 3 0.9000.0150.9070.0130.9040.0130.8860.019
Compliance expert 2 vs. 3 0.9000.0150.8200.0460.7100.1140.9120.011
Table 10. Kendall W values for organizational expert rankings.
Table 10. Kendall W values for organizational expert rankings.
FMEA FactorKendall WSignificance Level
S0.9220.017s
O0.9110.018
D0.8910.020
RPN0.9480.014
Table 11. Rank correlations for examining evaluations by external and organizational experts.
Table 11. Rank correlations for examining evaluations by external and organizational experts.
Expert vs. ExpertSODRPN
Spearman rhoSignificance LevelSpearman rhoSignificance LevelSpearman rhoSignificance LevelSpearman rhoSignificance Level
Compliance expert 1 vs. External expert 0.6170.1920.7830.0650.3020.5610.3710.468
Compliance expert 2 vs. External expert 0.8670.0250.4200.4070.2540.6270.4410.381
Compliance expert 3 vs. External expert 0.7670.0750.7180.1080.3690.4710.4860.329
Table 12. Kendall W values for external and organizational expert rankings.
Table 12. Kendall W values for external and organizational expert rankings.
EvaluationKendall WSignificance Level
S0.8630.004
O0.8190.006
D0.6760.019
RPN0.7570.010
Table 13. Cases ranked by degree of risk.
Table 13. Cases ranked by degree of risk.
Aggregate EvaluationsAggregate Rankings
CASESODRPNSODRPN
C2.673.333.67332221
A32.674321412
D31.333.67151623
B1.3342.33123134
F1.3331.676.73345
E12.331.673.94546
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Bognár, F.; Benedek, P. Case Study on a Potential Application of Failure Mode and Effects Analysis in Assessing Compliance Risks. Risks 2021, 9, 164. https://0-doi-org.brum.beds.ac.uk/10.3390/risks9090164

AMA Style

Bognár F, Benedek P. Case Study on a Potential Application of Failure Mode and Effects Analysis in Assessing Compliance Risks. Risks. 2021; 9(9):164. https://0-doi-org.brum.beds.ac.uk/10.3390/risks9090164

Chicago/Turabian Style

Bognár, Ferenc, and Petra Benedek. 2021. "Case Study on a Potential Application of Failure Mode and Effects Analysis in Assessing Compliance Risks" Risks 9, no. 9: 164. https://0-doi-org.brum.beds.ac.uk/10.3390/risks9090164

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop