EVALUATION OF RISK MANAGEMENT MATURITY OF A FINTECH FIRM IN INDONESIA

ABSTRACT


INTRODUCTION
Financial technology (fintech) has a crucial role in today's economic system. This new technology erases the boundary of financial institutions, markets, and new service providers and enhances the quality of their services (Barbu, Florea, Dabija, & Barbu, 2021; Makina, 2019; Zhang & Kim, 2020). Thus, a fintech firm can be defined as a company engaged in financial services that uses technology to accelerate and facilitate aspects of the financial services it provides. By providing various products and services with fast access, fintech firms will help the growth of the national economy (Narayan, 2020; Ozili, 2018; Saksonova & Kuzmina-Merlino, 2017).
Not all companies have a good risk management system. Some of them may have a very mature risk management program, while the others may have an unplanned risk management program (Linshan Li, 2018; Sennewald, 2011). The level of risk management maturity has a great impact on the companies' financial health (Mohammed & Knapkova, 2016; Otero González et al., 2020). In addition, the level of risk management maturity also may affect the company's performance (Ekwere, 2016; Hartono, Wijaya, & Arini, 2019).
Since the fintech firm has a critical role in the economy and no study has been conducted to specifically explore the risk management maturity level of the fintech firms in Indonesia, this study aimed to identify the risk management maturity of a fintech firm in Indonesia. This study identified the risk management maturity status and revealed the major sources of the firm's risk management maturity and the issues in running quality risk management of a financial technology firm in Indonesia. Then, based on those identifications, some recommendations were proposed for enhancements.

RESEARCH METHOD
This study was conducted in an Indonesian fintech firm registered in Bank Indonesia. Since the fintech firm that was taken as the setting of the study did not allow the researchers to expose its name, the researchers named the firm Firm X in this study. The company used the ISO 31000 standard as their point-of-reference in implementing Enterprise Risk Management. The researchers selected 19 respondents to collect the data. Those respondents were selected by using the purposive sampling technique. Those 19 respondents consisted of seven respondents from the top management level, and the other twelve respondents were from the middle management level. To collect the study's data, the researchers developed a questionnaire based on the risk management maturity model developed by The Risk and Insurance Management Society (RIMS, 2006). The score from the questionnaire results was calculated based on the following steps and formula:

a. Each competency driver's maturity score is obtained by calculating the average score for all readiness indicators belonging to the specific competency drivers. It is determined by applying the formula = 1 ∑ , =1. In which represents the maturity score of competency driver , , represents the average of the participants' score of readiness indicator that is associated with competency driver , and represents the total number of readiness indicators that belong to the specific competency driver.

b. The firm's risk management maturity score is obtained by averaging each competency drivers' score. It is obtained by applying the = 1 ∑ =1. Where represents the firm's maturity score, represents the maturity score of competency driver , and represents the number of competency drivers within the RIMS RMM.

c. The maturity score is then matched with the risk management maturity intervals as suggested by RIMS RMM. The intervals are given as follows: (1) Nonexistent: < 1, (2) ad-hoc: 1 ≤ < 2, (3) initial: 2 ≤ < 3, (4) repeatable: 3 ≤ < 4, (5) managed: 4 ≤ < 5, and (6) leadership: = 5. In which, represents the firm's risk management maturity score.

d. The questionnaire result was categorized by following the Risk and Insurance Management Society Risk Management Maturity level as shown in Table 1.

Table 1

1 Ad-hoc: The level of risk management within the firm is in a primitive stage. The implementation of risk management depends on certain individuals' actions by using improvised procedures and minimum knowledge of the process.

2 Initial: The risks are managed in silos, and there is little aggregation of risk or risk integration. In which the lack of discipline accompanies the processes.

3 Repeatable: The framework of risk assessment is in place, and the board of directors conducts the risk overview. The implementation of risk management is established and conducted repeatedly.

4 Managed: The implementation of ERM is established in the firm, and each aspect of ERM is integrated and harmonized, along with its measurement and controls. The ERM procedures and their principles are communicated and understood by the firm.

5 Leadership: Within the strategic level of the firm, the risk-based discussion is already taken place. Moreover, risk tolerance and appetite are understood within executive management and the board of directors and accompanied by alerts to inform the top management if the risk threshold is exceeded.

Source: RIMS (2006).
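The scoring steps a to c above, as an added example in Python (not code from the study or from RIMS): it averages each readiness indicator over the respondents, averages the indicators within each competency driver, averages the drivers, and maps the result to the listed intervals. The indicator ids, driver names, sample answers and the 0 to 5 answer scale are constructed assumptions.

```python
from statistics import mean

# Maturity intervals as listed in step c: (lower bound, label), highest first.
BANDS = [(5, "leadership"), (4, "managed"), (3, "repeatable"),
         (2, "initial"), (1, "ad-hoc")]


def maturity_level(score):
    """Map a maturity score to its interval label."""
    # Assumption: answers, and therefore scores, lie on a 0 to 5 scale.
    if not 0 <= score <= 5:
        raise ValueError(f"score {score} is outside the 0-5 scale")
    for lower, label in BANDS:
        if score >= lower:
            return label
    return "nonexistent"  # score < 1


def score_firm(responses, driver_of):
    """responses: {respondent: {indicator: score}}
    driver_of:  {indicator: competency driver}
    Returns (driver_scores, firm_score, level)."""
    by_driver = {}
    for indicator, driver in driver_of.items():
        # Respondents who skipped an indicator are left out of its average.
        answers = [r[indicator] for r in responses.values() if indicator in r]
        if not answers:
            raise ValueError(f"no answers for indicator {indicator!r}")
        # Average of the participants' scores for one readiness indicator.
        by_driver.setdefault(driver, []).append(mean(answers))
    # Step a: driver score = mean of its indicator averages.
    driver_scores = {d: mean(v) for d, v in by_driver.items()}
    # Step b: firm score = mean of the driver scores, so every driver
    # weighs the same no matter how many indicators it has.
    firm_score = mean(driver_scores.values())
    # Step c: match the firm score with the maturity intervals.
    return driver_scores, firm_score, maturity_level(firm_score)


# Constructed sample: three respondents, three indicators, two drivers.
SAMPLE_DRIVER_OF = {"q1": "driver_A", "q2": "driver_A", "q3": "driver_B"}
SAMPLE_RESPONSES = {
    "r1": {"q1": 1, "q2": 1, "q3": 3},
    "r2": {"q1": 2, "q2": 1, "q3": 3},
    "r3": {"q1": 3, "q2": 1},  # r3 did not answer q3
}

if __name__ == "__main__":
    print(score_firm(SAMPLE_RESPONSES, SAMPLE_DRIVER_OF))
```

In the sample the firm score is the mean of the two driver scores, not the mean of the three indicator averages, which is why the driver with a single indicator pulls the result up a band.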
The researchers also did interviews to collect data about the major sources of the firm risk management maturity and the issues in running quality risk management. They interviewed the 19 respondents of the study, one by one. In addition, to support and confirm the data from the interviews, they also conducted observations. The researchers observed the implementation of the risk management system that the fintech firm had. The results of the interviews and observations were analyzed qualitatively.

RESULT AND DISCUSSION
Based on the purposes of the study, there were three major findings in this study. The first finding is about the fintech firm's risk management maturity level. The second one is about the major sources of the firm risk management maturity. The third finding is about the issues in running quality risk management. The following are the detailed findings of the study.

The fintech firm risk management maturity level
The questionnaire results show that the risk management maturity level of Firm X was at the ad-hoc level. This can be seen from the score of the questionnaire, which was 1.765. Based on the risk management maturity level criteria shown in Table 1, if the score is below 2, it is categorized as ad-hoc level. It means that the implementation of risk management of Firm X is dependent on the actions of particular individuals with the minimum knowledge of risk management. Table 2 shows the detailed result of the questionnaire. Based on the interpretation of the risk management maturity level in Table 1, the result of the questionnaire indicates in general that Firm X implemented its risk management depending on the actions of certain individuals by using improvised procedures and minimum knowledge of the process. Thus, in general, Firm X is obliged to fix its views on the importance of risk management. From the results found, it can be seen that Firm X has not given optimal attention to the planning and implementation of risk management within the company. This is something that can endanger the existence of the company. Weak risk management of a company has been empirically proven to harm various vital things in the company. Implementing good risk management will positively impact the financial health of a company (Ebenezer & Omar, 2016; Hasan, Rahmadini, Indonesia, & Indonesia, 2021; Sinurat & Siregar, 2019). The financial factor is very vital in the company's performance. Therefore, poor implementation of risk management is proven to weaken the company's performance and vice versa (Alsaadi, 2020; Setiawaty, 2016). In other words, it can be said that weak risk management will affect a company's performance (El Shal & Kadery, 2021; Sedana & Dewi, 2017). Therefore, it can be assumed that Firm X also tends to experience problems in its performance if it does not immediately improve the quality of its risk management in terms of planning and implementation.

The major sources of the firm risk management maturity level
Based on the interviews and observations, this study found three main sources that caused Company X's level of risk management to be at the Ad-Hoc level. First, the attitude and perspective of employees who are apathetic towards the implementation of ERM. The success of the implementation of risk management is strongly influenced by the attitude of all employees towards policies regarding risk management that apply in the company. If all employees understand and comply with the policies regarding risk management that apply in the company, the policies are likely to be implemented well and achieve success (Braumann, 2018; Jianguo & Qamruzzaman, 2017). However, if all employees do not comply with the applicable risk management policy, it will be difficult for the policy to achieve success as expected (Eniowo, Onafadejiadeniyi, & Ogundejititobiloluwa, 2018; Pratono, 2018).
Second, company X shows no interest in implementing and developing ERM to its full potential because its executives have experienced a series of successes from its inception to early 2019. Leadership has a crucial role in the operations of a company. The attitude of the company's leaders will affect the attitude of the employees as a whole (Farahnak, Ehrhart, Torres, & Aarons, 2019; Inayah & Balqiah, 2017; Khuwaja, Ahmed, Abid, & Adeel, 2020). Therefore, if the company's leaders do not consider risk management important, other employees will most likely not care about risk management (Gantz & Philpott, 2013). So, if we look at the case that occurred in Firm X, the unsuccessful implementation of risk management is most likely due to the attitude of leaders who do not care about the risk management policies that apply in the company.
Third, the company's scope and attitude to risk (for example, risk appetite, tolerance, and capacity) are not in the internal control mechanisms and detailed procedures. The concept of ERM is not embedded in the company's business activities and decision-making of its executives. The implementation of risk management must be an integral part of the company's activities, especially decision-making (Zhu, Haugen, & Liu, 2021). This is because one of the objectives of risk management is to assist the leadership in determining policies so that these policies do not endanger the company's position (Karunathilake et al., 2020; Merkelbachm & Daudin, 2011). However, from the findings of this study, it can be said that Company X ignores risk management in its activities and decision-making, which, of course, has the potential to harm the success of the company itself.

The barriers and challenges of implementing effective ERM
Based on the results of Firm X's risk management maturity and the participants' information on the company's internal ERM status, it is found that the main obstacles to the implementation of the company's internal risk management are highly concentrated on the company's attitude and perception of understanding and embracing the concept of ERM. This affects the quality of the integration of ERM with company activities and decision-making. The company's primary task of implementing a risk management mechanism is to comply with Indonesian financial technology regulations rather than creating and protecting its value through ERM.
Therefore, X Company's indifference to the implementation of risk management has brought a series of challenges in realizing the overall and integrated ERM process within the company. They are: (1) the implementation of internal ERM within the company is entirely based on the experience and intuition of employees integrating risk management mechanisms into departmental activities, (2) the lack of integration and cooperation between corporate departments when implementing the ERM process, (3) the lack of risk management experts within the company to help the company adjust the department's views and standard operating procedures from the perspective of risk management, (4) lack of knowledge and familiarity with ERM tools to use risk management, (5) insufficient risk reporting and recording in most departments, and (6) the company has incomplete information on the nature of risks (for example, the scale, impact, and triggers of the risk) because the flow of risk-oriented information in all company management is below average.
In other words, the problems that occur in Firm X are mostly at the implementation level, and these kinds of problems are common in a company (Fraser & Simkins, 2016). For this reason, Firm X is obliged to improve the quality of its risk management implementation by increasing the awareness of all employees of the importance of risk management for the existence and development of the company. This should start from company leaders who can provide examples of the correct implementation of risk management. They must also provide examples of how to implement risk management correctly and prove that it is important to do this. When leaders give good examples, the other employees normally will follow those good examples (al-Baradie, 2014; Gächter & Renner, 2018; Hetland, Hetland, Bakker, & Demerouti, 2018). With the ability of leaders to set an example for other employees, it is hoped that the implementation of risk management will become a culture within the company.

Recommendation
Considering the findings of this study, the researcher recommends several things that can later be used as alternative efforts to increase the risk management maturity of Firm X. First, Firm X must build awareness and ownership of risk management for all employees. In detail, this includes: (1) building awareness and understanding of the proper implementation of risk management at the top and middle management levels by way of continuous executive direction, (2) building the board's commitment to leadership and ownership of risk-taking so that risk management is carried out effectively, with a systematic approach based on integrated risk management principles, frameworks and processes, and (3) building awareness of risk management for all employees by conducting training, focus group discussions, and risk management competency certification for personnel. At a later stage, in establishing risk ownership at all levels of company management, it is advisable to link their performance indicators with risk management.
Second, it is necessary to reorganize the company's priorities and objectives in implementing risk management. Given that the implementation of ERM is carried out according to the ISO 31000 standard, what needs to be done is (1) to establish risk management policies and standard operating procedures from the level of the strategic decision-making process to the level of operational business processes, (2) to ensure that all elements of risk management are linked to the key performance indicators of employees, and (3) to realize the consistent and continuous implementation of the three pillars of the ISO 31000 standard, namely principles, frameworks, and risk management processes.
Third, it is necessary to integrate the implementation of the ISO 31000 standard into all aspects of company X, which include: (1) alignment of the company's ERM program with its objectives, with the aim that all employees understand the importance and relevance of risk management to company sustainability, (2) implementation of risk management processes explicitly into the company's strategy in achieving its objectives so that employees understand the criticality and importance of risk management in the company's strategy and build strong risk ownership, (3) certainty of the availability of resources in implementing risk management to the company, (4) implementation of periodic evaluations of company performance based on the identified risks and their impacts, (5) regular communication of company policies and their position and focus on managing and overcoming the identified risks, and (6) periodic evaluation of the progress of risk management implementation within the company.

CONCLUSION
The ERM maturity assessment results show that X company's ERM maturity is at a temporary level. This means that Company X is in a state of incompetence, unable to use ERM methods to protect and create company value. Especially in terms of regulatory compliance, the company has fulfilled all regulations and requirements imposed by regulatory agencies on enterprise risk management. However, in terms of performance, the quality and effectiveness of the company's ERM process are below the standard. Although Company X has adopted the ISO 31000 standard as a guide for the implementation and integration of ERM processes in its activities, its risk management department's role is only to deal with legal risks, while its IT department manages the company's general risks. Therefore, the company's limited scope and awareness of the necessity of applying risk management hindered the quality and effectiveness of its ERM process in the overall identification and management of risks.
The fundamental reason for company X's low ERM maturity is its indifferent attitude towards the concept and role of its internal risk management. Since regulatory requirements and regulations drive the implementation of ERM, the definition and interpretation of risks and ERM are not clearly stated and presented in the company's internal control mechanisms and procedures. Therefore, the company's risk-related information flow is limited because it is only passed to two departments (i.e., risk and IT departments). Since this research uses a case study method, the specific conditions of Firm X are different from other fintech companies in Indonesia or any other part of the world. Therefore, the results and recommendations are valid for the fintech companies of particular interest in this research. Therefore, further research involving more companies is needed to reveal the average level of ERM maturity in Indonesia's fintech industry and the obstacles and challenges that hinder fintech companies from improving their ERM maturity. It intends to increase the generalizability of future research results when assessing the ERM maturity level of fintech companies and their industries. In addition, for every financial technology company that uses the ISO 31000 standard as a guide, it is recommended to consider applying an ERM maturity model that is clearly designed according to the requirements and specifications of the ISO 31000 standard to evaluate and improve its ERM effectiveness and maturity level.