Compliance Risk Assessment in the Banking Sector: Application of a Novel Pairwise Comparison-Based PRISM Method

Up-to-date compliance management uses a risk-based approach based on international standards. In addition to techniques and practices, implementing compliance measures is determined by principles and culture. Compliance risk assessment is an evolving field in theory and practice. Compliance risk management is complex and highly dependent on the decisions of experts. This article presents a new compliance risk assessment method based on a commercial banking case study. In the study, the Guilford method is used to extend the Partial Risk Map (PRISM) assessment technique, and the steps of the proposed pairwise comparison-based PRISM method are described in detail. Since risk assessment is critical to the operation and development of compliance management systems, the proposed risk assessment method involves testing the consistency of the individual evaluations and the robustness of the results. The best-fitting and outlier experts can be identified by testing the impact of individual expert rankings on the aggregated ranking. The main finding is that top partial risks can be identified by applying the proposed pairwise comparison-based PRISM technique; therefore, possible optimal risk mitigation strategies and measures can be designed.


Introduction
Compliance management is an organizational function responsible for fulfilling legal, regulatory, industrial, and other obligations. The compliance management function is usually independent and reports to top-level executives and the board [1]. Preferably, one person is formally responsible for operating the compliance management system (CMS). At the same time, the responsible department has thorough knowledge and know-how of organizational operations, processes, and procedures. The maturity and scope of a CMS, the budget, and the workforce allocated demonstrate leadership's commitment to a compliant and trustworthy way of running the business.
The scope of compliance has recently expanded, and the approach of integrating operational and compliance risk, one of the critical categories of banking risks, is becoming widespread [2,3]. Compliance risk management involves understanding and quantifying risk tolerance and a system of indicators and alerts that is always unique to the organization. Compliance risks, including reputational risks, can increase strategic risks in the banking sector [4]. Studies have shown that simplifying banking business models is necessary [5] and that more consistent and cheaper compliance procedures could be made possible [3]. Compliance management is more than a bureaucratic fulfilment of requirements. It has a business dimension [6] of increasing importance and complexity. Its main challenges include a lack of dedicated local compliance experts, incomplete indicators, hidden risks in third-party relationships, and rapidly changing regulatory requirements (for example, COVID-19 pandemic social distancing, loan moratorium, and commercial sanctions) [7].
The compliance scope and activities are becoming highly complex in an increasingly fast-changing and globalized world. Thus, the risk assessment processes must be developed to keep up with the increasing complexity. The most cited risk assessment methods follow the requirements of the increasing complexity of the assessment process [8]. The two most popular ways are combining risk assessment approaches with Multi-Criteria Decision-Making (MCDM) methods and with fuzzy applications to describe complex phenomena more accurately. As typical risk assessment techniques in many industries, risk matrices and Failure Mode and Effect Analysis (FMEA) have seen numerous development directions in recent decades. As a novel risk assessment technique built on the factors of FMEA, the PRISM method focuses on assessing partial risks that can stay hidden and lead to severe effects [9]. Similar to the PRISM method, Ouyang et al. [10] also described a possible way to detect hidden risks. That method can also be a sound basis for bank compliance risk assessment.
As many references show [2,4,11,12], the assessment of bank compliance risk is a significantly complex process with many different evaluation factors. On the other hand, the existing methodological tools are only following the continuously growing complexity of bank compliance assessment. Although some quantitative and deterministic approaches have already been described [2,9] and the PRISM method focuses on hidden risk identification, many possible approaches still need to be added to the toolset to strengthen the methods' reliability in providing information related to the compliance risk set of a bank. In bank compliance management, hidden risks can seriously damage the organization's reputation, and spillover effects can pose a further threat to the entire sector [13].
The purpose of the study is to develop a novel PRISM risk assessment technique that meets the following criteria: (1) the method should not use a deterministic scale-based risk assessment; (2) the method can be applied for testing the consistency of the assessors; (3) the similarities and dissimilarities of the assessors' results can be compared to each other in detail, so the uncertainty of the group-level decision can be reduced; and (4) the new method must provide the same ability in hidden risk detection as the initial PRISM method. With this improved skillset, the novel PRISM method can be a more robust approach to complex risk assessments such as bank compliance risk assessment.
The paper is organized as follows. Section 2 presents the compliance management and risk assessment background of the study. Section 3 introduces the proposed methodology in detail. Section 4 presents a case study in the banking sector and highlights the results of applying the method. Section 5 discusses the results. Finally, Section 6 summarizes the most important added values of the proposed methodology and propositions for future research.

Literature Review
First, the bank risk and compliance risk studies are presented. Next, the ISO 37301:2021 Compliance management system standard is introduced. Then, the compliance risk assessment literature is summarized.

Bank and Compliance Risk.
The Basel Committee on Banking Supervision introduced the risk-based approach in the banking sector; nowadays, it has become business as usual. According to [14], out of the four main bank risks (liquidity, interest rate, capital, and credit risk), credit risk is generally viewed as critical regarding its impact on bank performance and failure. However, according to [15], the relationship between the effectiveness of risk management and bank risk is more significant in countries with higher institutional quality and standards. Empirical studies show that countries with better institutional systems are less likely to experience a banking crisis [16], which goes hand in hand with economic crises.
Moral hazard is a significant problem in liberalized financial systems, where there are more risk-taking opportunities [17]. Regulatory and supervisory practices (e.g., accurate disclosure of information) contribute to the performance and stability of the bank [18]. Tran et al. [19] used accounting and market-based risk measures in their study, finding that bank risk is negatively related to credit information sharing, which reduces the adverse effects of credit shocks on bank stability.
A three-step procedure has been created by Bezrodna [4] for assessing the bank's strategic risk and supporting its relationship with the compliance risk of financial monitoring. One finding is that compliance risk triggers an increase in strategic risk due to the application of financial sanctions against the bank. These may lead to reputational risks, negatively affecting the strategy's effectiveness. Furthermore, a significant difference between the actual and planned values of the indicators, or the inadequacy of the bank's strategic management mechanism, may lead it to focus on a formal approach to compliance with financial monitoring legislation [4]. The work of Birindelli and Ferretti [20] describes the similarities between operational risk and compliance risk and identifies areas of collaboration to achieve cost synergies and improved operational efficiency.
Many research studies [21][22][23][24] suggest that committees that meet regularly during the financial year are linked to effective monitoring. As a result, audit committee effectiveness can reduce risks and increase banks' stability for regulatory compliance [25]. However, another study by Nguyen [24] shows that the audit committee's independence, number of meetings, and financial expertise negatively affect the risk-taking behavior of traditional banks.
As for Islamic banks, Masood et al. [26] showed that they develop and practice more robust techniques to manage their credit risk in addition to traditional methods, compared to non-Islamic banks. Empirical evidence [27] shows that Islamic banks below the target risk level tend to exhibit risk-seeking behavior. Also, Islamic banks with a higher loan-to-total assets ratio tend to take lower risks. A model has been developed by Ashraf and Lahsasna [28] to quantify the Shariah risk and the level of Shariah compliance taken by Islamic banks, which can supplement traditional counterparty risk rating models.
In addition, a higher frequency of Shariah committee meetings reduces the risk of Shariah noncompliance in Islamic banks [29]. The impact of political connections on the Shariah compliance of Islamic banks was examined by Syaputri and Nainggolan [30], finding that politically connected banks can reduce the risk of Shariah noncompliance better than non-politically connected Islamic banks.
Compliance risk is any event with a negative legal or reputational consequence. Most businesses have a strategically defined appetite and tolerance for risk that depends on several factors. Moreover, risks have spillover and multiplier effects and can reinforce each other. Salvioni et al. [11] proposed a responsibility-oriented approach to compliance risk management, claiming that the lack of ethics in business operations, masked by formal compliance, often results in indirect adverse effects on the relationships between stakeholders.

Compliance Management Systems.
In 2021, the International Organization for Standardization (ISO) issued a new standard, ISO 37301:2021 Compliance management systems - Requirements with guidance for use [31], which supersedes ISO 19600:2014. The main change is the shift from guidelines to requirements and the possibility of certifying the CMS against the standard. The general elements of a CMS are shown in Figure 1.
The organization and its legal, social, and cultural context are fundamental to the compliance management system. Understanding the context means considering several issues, including the business model, the size, and the complexity and sustainability of the organization's activities and operations [31].
Besides the effect of the context, the top part, namely, objectives and principles, has a significant effect on how a compliance management system is designed and developed. Among the objectives, reputation should be highlighted. A good reputation is usually the result of years of excellent expertise and cannot be created overnight [32]. Therefore, management needs to be aware of the reputation and emphasize it as a business resource. Reputational capital is the part of market value attributed to a firm being viewed as a responsible corporation [33].
The principles of the CMS are integrity, good governance, proportionality, transparency, accountability, and sustainability. One goal of mature compliance management is ensuring the integrity of the entire organization and its employees through the organization's leadership and management system [34][35][36]. Integrating good governance with a risk-based compliance function can improve performance efficiency and effectiveness [37]. According to [38], creating an effective internal control environment can mitigate or eliminate risks to corporate sustainability. Though not expressed explicitly, Governance, Risk, and Compliance (GRC) is the dominant approach in ISO 37301:2021.
The center of Figure 1 shows the PDCA cycle, a four-step improvement planning tool. Governance, in the middle, refers to the comprehensive system of rules, practices, and standards that govern an enterprise. Leadership and culture are connected to all steps of the development cycle.
Identifying potential threats to a business is part of the Plan phase. This phase includes determining the scope, creating compliance policies, and clarifying roles and responsibilities. The design of operations and the identification of compliance risks are also included here. So what are compliance risks? According to ISO 37301, compliance risk is the likelihood of occurrence and the consequences of noncompliance with the organization's (mandatory or voluntary) compliance obligations [31]. A practical and developed CMS aims to minimize the risk and consequences of noncompliance with obligations. Creating commitment at all levels is another ongoing task in the extensive planning step.
Compliance in action creates and uses processes and controls to ensure that the company and its employees conduct their business legally and ethically. Taking action to reduce or eliminate the effects of compliance risks is part of the Do phase. This phase also includes raising awareness, providing communication channels, training to elevate competence, and documentation.
Internal compliance audits, management reviews, monitoring, and measurement activities constitute the Check phase. Raising concerns and investigations are also included here. The last phase is about refining the activities of the previous phases and continual improvement. Managing noncompliance, either by prevention or by correction, is part of this phase. Finally, ISO 37301 requires organizations to maintain documented information on compliance risk assessment, records of nonconformities, and investigations.

Compliance Risk Assessment.
Every company that implements a compliance risk management program develops its own process-based solution adapted to the needs and characteristics of the organization, reflecting regulatory and internal needs [2]. A compliance risk assessment program can be a helpful management tool because companies can reduce the number and severity of compliance incidents and improve their business operations by better identifying compliance risks and managing behaviors [39].
Standardized risk prevention requires identifying and quantifying risk based on risk assessment methodologies. Risk identification usually describes the following characteristics of a risk: its nature, source, and impact (for example, incident, business line, and regulatory outcome) [40]. The risk matrix is a widely used risk assessment method in the banking sector that uses two rating factors, usually to estimate the "occurrence" and "severity" dimensions of risk incidents [2]. Kim et al. [41] analysed risk assessment standards and proposed a new method for identifying and evaluating financial information security risks through correlation analysis between various security standards and requirements. Naheem's [12] study concluded that risk assessment strategies remain largely reactive, leaving banks exposed to not realizing the risk by failing to conduct an assessment. The practical implications call for a more holistic, future-oriented approach from the bank's perspective [12].
The so-called "compliance dilemma" is a collective term for conflicts over the exercise of compliance activities within a company. For example, a compliance dilemma arises when a manager perceives a contradiction between a legitimate decision-making alternative and an alternative that fits the organization's (e.g., financial) goals [42]. A study examining the minutes of the board meetings of Indian banks found that bank boards generally underinvest in risk and overinvest in regulation and compliance [43].
Organizations that aim for competitive advantage, organizational sustainability, and business success shall create a culture of compliance: a set of values, beliefs, and behaviors that create the norms that promote compliance. Compliance culture enhances such norms, attitudes, and work styles (i.e., accountability) that make compliant behavior possible and preferred, and it is the general basis for decision-making. The incentive structure and the consistency of formal risk management with actual behavior may support creating and developing a compliance culture [44].
Risk control and mitigation aim at reducing the likelihood of failure causes and their negative impact. The implementation of risk mitigation measures is prioritized and scheduled according to the availability of professional and financial resources. Banks use various control mechanisms (such as internal procedures, the "four eyes" principle, Chinese walls, and access rights) to decrease risks [2].
In practice, compliance risk management is heavily based on consultations with expert groups, while the reliability of these consultations is rarely validated. Failure Mode and Effect Analysis is a widely used risk management methodology in most industries, including the banking sector. Instead of a standard risk matrix [2], FMEA applies three rating factors (severity, occurrence, and detectability) for risk assessment. The FMEA aims to assess failure modes related to a process or product and then reduce the risks via risk mitigation action plans [45]. The Partial Risk Map (PRISM) methodology is a novel risk assessment technique that closely resembles the risk assessment process of the FMEA. The basics of the PRISM method are described in [9], and potential development areas are also addressed related to the methodology and application fields [46,47]. Since compliance risk assessment is a complex evaluation and ranking process, MCDM methods are relevant methodological solutions for modeling complexity in the decision-making process. A possible classification of the MCDM universe is presented by Cinelli et al. [48], and there are other significant works comparing different MCDM methods. In the work of Valipour et al. [49], seven different MCDM methods are applied to PPP project assessment, including pairwise comparison techniques and outranking methods, in some cases combined with fuzzy logic. The Analytic Hierarchy Process (AHP) is combined with Multi-Choice Goal Programming (MCGP) for project selection and resource allocation in risk-based internal audit planning [50]. For Risk Priority Number (RPN) calculation, Djenadic et al. [51] combined AHP with TOPSIS in a fuzzy environment in order to model uncertainty among expert choices.
Since pairwise comparison techniques are applied in the literature for factor weight calculation, the primary identified development direction of the PRISM method is based on pairwise comparison methods. Thus, the risk assessment process can be opened to subjective weightings. Another advantage of the combination with pairwise comparison methods is that the consistency of the experts can be tested [50][51][52], while this option is not available in the original PRISM method. This shortcoming of the PRISM method can be vital in bank compliance risk assessment; thus, combining the method with pairwise comparison techniques is highly suggested.
Applying pairwise comparison methods is a traditional basis for assessing and evaluating complex systems [38,53]. Typical pairwise comparison solutions are the Guilford method [54], where only the preferences between the elements of pairs are determined, and the methodology of the AHP, where the strength of the preferences is also set [55]. The Best Worst Method (BWM) is a preferred pairwise comparison technique if a large number of items should be compared while also setting the strength of preferences [56]. All methods give feedback on the consistency level of the experts [52,56-58]. The Guilford method can be advised as a primary pairwise comparison technique of compliance risk assessment. Since compliance risk assessment is a significantly subjective process due to the complex nature of bank compliance, preference determination is also subjective. Setting the strength of preferences can cause an uncontrolled level of subjectivity in the assessment. Total elimination of the risk of noncompliance is impossible; however, residual risks must be controlled and monitored. The risk-based approach to verifying compliance with a sound compliance culture can deliver significant cost savings while leading to better business management and greater flexibility in response to changes in the business context [59]. Naheem's [60] study supports the argument for integrating corporate social responsibility and anti-money laundering compliance, in contrast to the current practice of profit and business being seen as separate rather than integral to regulation and control. Authorities increasingly rely on risk assessment techniques to increase their regulatory effectiveness, for example, by increasing supervision of companies with high-risk profiles, assuming high levels of disclosure [61].
Compliance risk assessment has complex methodological options, and it is unique to each organization. Therefore, the consistency check of the experts is an advantage of a risk assessment technique, especially when the assessment is complex, as in the case of bank compliance. The proposed pairwise comparison-based Partial Risk Map method is described in the following section.

Methods
The process flow of the proposed extended PRISM method is introduced in detail in Figure 2. The detailed formal description of the proposed method follows the visual process flow.
The first step is forming a set of comparable elements, while the focus group of experts can also be established. The second step is creating the pairwise comparison sheets based on Ross's optimal order [62,63] separately for the occurrence, severity, and detection rating factors.
Let n indicate the number of incidents. Thus, the number of pairs p can be formed based on equation (1). The third step is setting the experts' priorities and checking the experts' consistency. The level of consistency can be calculated based on equation (2). In equations (2)-(4), d_max represents the highest possible number of inconsistent triads in a pattern; d_max is given separately for odd n and for even n. In equations (2) and (5), d represents the number of inconsistent triads in a certain paired comparison pattern, and it is calculated from the a_i values, where a_i indicates how often a specific element i was preferred to the other elements. Based on a chi-square significance test, it can be identified whether a certain number d of inconsistent triads indicates random or systematic inconsistency in a pairwise comparison pattern. Equation (6) gives the degrees of freedom (DF) of the chi-square distribution, and equation (7) gives the chi-square value. In the case of systematic inconsistency, the individual assessment results cannot be used for further calculations.
As for the fourth step, a similarity check of the ranks of the incidents related to each consistent pattern should be executed. Based on testing the similarity, it can be decided whether the patterns can be aggregated, forming a group assessment result, or not. In the case of two ranks, rank correlation analysis can be applied to check the level of similarity. In the case of more than two ranks, aggregation can be executed or rejected based on the result of rank concordance analysis. This paper's similarity analysis is based on the calculation of Spearman's rho [64] in the case of two rankings and Kendall's W [65] in the case of more than two rankings.
The value of Spearman's rank correlation coefficient is between −1 and 1. If the ranks are the same, Spearman's rho will be 1. If the ranks are opposite, Spearman's rho will be −1. If the ranks are independent, Spearman's rho will be 0. The value of Kendall's W coefficient is between 0 and 1. In the case of the same ranks, the value of W is 1. If the ranks are opposite, the coefficient will be equal to 0. A 5% significance level is proposed to test rank similarity in the case of both coefficients.
If the ranks are similar, the results of the individual assessments can be aggregated in the fifth step of the process. After the aggregation, it can be calculated how often a specific element i was preferred to the other elements in the aggregated pattern. Let c_i indicate the number of preferences in the aggregate matrix. Then, the p_c values can be calculated based on equation (8), where k is the number of consistent experts.

Since the Guilford method ranks the comparable elements, it is necessary to introduce two theoretical variables representing the possible highest (C_1) and lowest (C_2) values of c_i. Based on equations (9) and (10), the values of C_1 and C_2 can be calculated.
The results of the Guilford method are projected onto an interval scale by applying the C_1 and C_2 values. Let u indicate the inverse normalized value of p_c. A linear transformation can map the u values onto a selected scale [54,58].
Since the values of the occurrence, severity, and detection factors can be calculated for each incident, in the sixth step the PRISM patterns of the incidents can also be set (see Figure 3). Since the PRISM methodology calculates the aggregate values of the paired rating factor values of an incident, denote p(m) = p(o, s, d) := (o⊗s, o⊗d, d⊗s) as the PRISM pattern of incident m.
In the seventh step, the PRISM number of a particular incident can be calculated by selecting the maximal value of the three aggregates of p(m). To test the validity of the results, multi-assessment is performed, applying different threshold lines (linear, convex, and concave) in the submatrices of the PRISM. Equations (11)-(13) are applied in this study based on [66].

[Figure 2: Process flow of the proposed extended PRISM method. Step 1: inviting the committee members, setting the aims, forming the incident set. Step 2: sheets are created for assessing occurrence, severity, and detectability separately. Step 3, setting individual preferences and consistency analysis: preferences are set individually according to the Guilford method and consistency analysis is performed. Step 4, similarity analysis of the individual results: based on correlation coefficients that fit the problem characteristics; based on similarity tests, the opinion of the experts can be characterized. Step 5: aggregation and scaling of individual assessments. Step 6: calculating the PRISM pattern. Step 7, identifying the PRISM number of each incident: each incident has more PRISM numbers according to the applied PRISM functions. Step 8: priorities are set based on the ranking of the incidents. Step 9: risk mitigation action planning and execution.]
where the A(m) function results in linear, M(m) in convex, and S(m) in concave threshold lines from the perspective of the center of the PRISM [66].
In the eighth step, the individual and aggregated prioritization of the incidents can be executed based on the PRISM numbers. Applying the A(m), M(m), and S(m) functions, the similarity of the same expert's rankings can be tested, providing feedback on the validity of the assessment. In addition, outlier experts can be identified by testing the similarity of the aggregated ranking and the individual rankings. Both tests strengthen the proposed method's reliability, which is necessary for the subjective assessment of complex phenomena.
Based on the result of the prioritization, further risk reduction actions can be planned and launched in the ninth step.
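As an added, stand-alone illustration of steps 3, 6, 7 and 8 above (example code, not the paper's own), the following Python computes the Guilford preference counts a_i, the number of inconsistent (circular) triads d, d_max, Kendall's chi-square consistency test, and the PRISM pattern, PRISM number and ranking of incidents. The two incident sheets and the scaled factor values are constructed for the example; the aggregate o⊗s is taken as the plain product, an assumption, since the aggregation functions (11)-(13) are not reproduced on the page.

```python
"""Guilford consistency check and PRISM pattern/number for compliance incidents.
Added example, not the paper's code.  d, d_max, DF and chi-square follow Kendall's
circular-triad test for paired comparisons; the PRISM aggregate o⊗s is taken as
the product (assumption: equations (11)-(13) are not reproduced on the page)."""
from itertools import combinations
from math import comb, exp, lgamma, log


def preference_counts(beats: dict[str, list[str]]) -> dict[str, int]:
    """Return a_i (how often incident i was preferred) after checking that the
    sheet is a complete tournament: every unordered pair decided exactly once."""
    seen = set()
    for winner, losers in beats.items():
        for loser in losers:
            if loser == winner or loser not in beats:
                raise ValueError(f"bad preference {winner} > {loser}")
            pair = frozenset((winner, loser))
            if pair in seen:
                raise ValueError(f"pair {winner}/{loser} decided twice")
            seen.add(pair)
    missing = [p for p in combinations(beats, 2) if frozenset(p) not in seen]
    if missing:
        raise ValueError(f"undecided pairs: {missing}")
    return {i: len(losers) for i, losers in beats.items()}


def circular_triads(a: dict[str, int]) -> int:
    """d = C(n,3) - sum_i C(a_i,2): a transitive triad has exactly one member
    that beats the other two, so every remaining triad is circular."""
    n = len(a)
    return comb(n, 3) - sum(comb(ai, 2) for ai in a.values())


def d_max(n: int) -> int:
    """Highest possible number of circular triads for n items (odd / even n)."""
    return (n**3 - n) // 24 if n % 2 else (n**3 - 4 * n) // 24


def chi2_sf(x: float, df: float) -> float:
    """P(X > x) for a chi-square variable with (possibly non-integer) df,
    from the series of the regularized lower incomplete gamma function."""
    a, y = df / 2.0, x / 2.0
    if y <= 0.0:
        return 1.0
    term = total = 1.0
    k = 0
    while term > 1e-16 * total and k < 10_000:
        k += 1
        term *= y / (a + k)
        total += term
    lower = exp(a * log(y) - y - lgamma(a + 1.0)) * total
    return max(0.0, 1.0 - lower)


def consistency(beats: dict[str, list[str]], alpha: float = 0.05) -> dict:
    """Step 3. H0: the preferences are random.  Few circular triads give a large
    chi-square, reject H0 and mark the assessor as consistent."""
    a = preference_counts(beats)
    n = len(a)
    if n < 5:  # Kendall's approximation needs n >= 5 (n = 4 divides by zero)
        raise ValueError("at least five items are needed")
    d = circular_triads(a)
    df = n * (n - 1) * (n - 2) / (n - 4) ** 2
    chi2 = 8.0 / (n - 4) * (comb(n, 3) / 4.0 - d + 0.5) + df
    p = chi2_sf(chi2, df)
    return {"a": a, "d": d, "d_max": d_max(n), "zeta": 1.0 - d / d_max(n),
            "df": df, "chi2": chi2, "p": p, "consistent": p < alpha}


def prism_pattern(o: float, s: float, d: float) -> tuple[float, float, float]:
    """Step 6: p(m) = (o⊗s, o⊗d, d⊗s) with ⊗ taken as the product."""
    return (o * s, o * d, d * s)


def prism_number(pattern: tuple[float, float, float]) -> tuple[float, str]:
    """Step 7: the PRISM number is the maximal aggregate; the label names the
    submatrix holding the top partial risk, i.e. where mitigation should act."""
    value = max(pattern)
    return value, ("o-s", "o-d", "d-s")[pattern.index(value)]


def rank_incidents(factors: dict[str, tuple[float, float, float]]) -> list[str]:
    """Step 8: incidents ordered by PRISM number, riskiest first."""
    return sorted(factors, reverse=True,
                  key=lambda m: prism_number(prism_pattern(*factors[m]))[0])


# Constructed sheets for six incidents: "C1": ["C2", ...] means C1 was preferred
# to C2.  Expert A has two circular triads (C2>C3>C5>C2, C2>C4>C5>C2), Expert B
# has three (C1>C5>C2>C1, C2>C3>C5>C2, C2>C4>C5>C2).
EXPERT_A = {"C1": ["C2", "C3", "C4", "C5", "C6"], "C2": ["C3", "C4", "C6"],
            "C3": ["C4", "C5", "C6"], "C4": ["C5", "C6"], "C5": ["C2", "C6"],
            "C6": []}
EXPERT_B = {"C1": ["C3", "C4", "C5", "C6"], "C2": ["C1", "C3", "C4", "C6"],
            "C3": ["C4", "C5", "C6"], "C4": ["C5", "C6"], "C5": ["C2", "C6"],
            "C6": []}
# Constructed scaled (occurrence, severity, detection) values after aggregation.
FACTORS = {"C4": (5, 6, 3), "C5": (2, 3, 2), "C6": (8, 4, 9)}

if __name__ == "__main__":
    for name, sheet in (("Expert A", EXPERT_A), ("Expert B", EXPERT_B)):
        print(name, consistency(sheet))
    print(rank_incidents(FACTORS))
```

For n = 6 the test reproduces the rule used in the case study: with d_max = 8 and DF = 30, d = 2 still rejects randomness at the 5% level while d = 3 does not.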

Case Study
In 2021, a risk assessment workshop was launched in the compliance management directorate of one of the largest Central and Eastern European banks. After collecting bank branch-related compliance incidents, a focus group of the three top compliance experts was established. Te focus group members had more than ten years of experience in the compliance management feld in the commercial bank sector. Tis study presents the pairwise comparisons of six randomly selected incidents.
Te experts assessed the cases (see Table 1) based on Guilford's pairwise comparison method. Te assessment was executed three times since the cases had to be assessed based on the occurrence, severity, and detection factor. Te results are given in Appendix A. Based on the Chi-Square statistic, if there are more than two inconsistent triads in a pattern (d > 2), the decision maker is inconsistent at a 0.05 significance level. Hence, the result of the consistency evaluation of the experts showed that Expert 1 and Expert 2 were consistent in the occurrence, severity, and detection-based comparisons. In contrast, Expert 3 was consistent only in the severity-based comparison. Te results of the consistency tests are given in Table 2.
Te similarity test of the ranks can be executed after the consistency test. In the case of the severity factor, all the experts were consistent (Kendall's W is calculated). In contrast, two experts can be involved in the case of the occurrence and the detection factors (Spearman's rho is calculated). Kendall's W is 0.947 at a 0.014 signifcance level in the case of the severity factor (all experts were consistent).
In the case of the occurrence factor, Spearman's rho is 0.829 at 0.042 signifcance level (only Expert 1 and Expert 2 were consistent). In the case of the detection factor, Spearman's rho is 0.883 at a 0.02 signifcance level (Expert 1 and Expert 2 were consistent).
Since the patterns are signifcantly similar, the aggregation by factors can be executed. Te results of the aggregation are given in Appendix B.
Based on the scale values of the occurrence, severity, and detection factors, the PRISM patterns of the incidents can be visualized (see Figure 4). Te PRISM numbers are also visible in Figure 4 based on the maximal values of each case (see Table 3). Te PRISM numbers are indicated with a dashed outline and darker color (see Figure 4) and bold numbers (see Table 3).
In this case study, A (m), M (m), and S (m) functions give the same rankings related to the aggregated results, although the rankings could difer by function. In the case of Expert 1, diferent functions result in diferent rankings, while in the case of Expert 2, the rankings by diferent functions are the same. Expert 3 has no consistent occurrence and detectionrelated pairwise comparison results. Tus, for Expert 3, the PRISM cannot be constructed because of two missing factors.
Testing the impact of each expert's rankings on the aggregated ranking is optional, but it can highlight significant results of the entire analysis and helps identify the best-fitting and outlier experts. Based on the data in Appendix A, the PRISM rankings of Expert 1 and Expert 2 can be calculated. Rank correlation analysis then describes the correlation between each expert's ranking and the aggregated ranking; Spearman's rho is used, and the p-value of each coefficient is reported at the 0.05 level. The higher the coefficient, the better the fit to the aggregated ranking; an expert whose ranking correlates only weakly (or negatively) with the aggregate is marked as an outlier. A p-value below 0.05 indicates a significant, i.e., good, agreement rather than an outlier, and with only six ranked incidents per expert the test has little power, so the size of the coefficient is the more informative indicator.
The rankings of each expert under the A(m), M(m), and S(m) functions are given in Table 4, together with the aggregated rankings. Since the aggregated rankings and Expert 2's rankings do not differ across the PRISM functions, each of these is listed in the table only once.
Since the A(m), M(m), and S(m) functions resulted in different rankings for Expert 1, the similarity of Expert 1's three rankings must also be tested; Spearman's rho is calculated for this purpose as well (see Table 5).
The correlation coefficients are high in all the comparisons; with only six ranked incidents, none of them reaches significance at the 0.05 level, which reflects the small sample rather than disagreement. Thus, there is no outlier expert in the analysis, and the rankings of Expert 1 are similar across the functions. Even without a further nonparametric test (Kendall's W), it can be seen that the S(m) function gives the most similar expert rankings.
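The expert-fit test just described, as an added example that is not part of the original paper: Python code that aggregates individual rankings of six incidents by rank sum, computes Spearman's rho between each expert's ranking and the aggregate together with an exact permutation p-value (all 720 re-orderings, feasible at n = 6), flags an expert as an outlier when the coefficient falls below a threshold (0.5 here, an assumed value, not one the paper states), and reports Kendall's W for overall agreement. The expert rankings are constructed sample data, not the Appendix A data.

```python
"""Rank-correlation check of individual expert rankings against the aggregated
ranking (Spearman's rho with an exact permutation p-value) and Kendall's W for
overall agreement. All rankings below are constructed sample data."""
from itertools import permutations
from statistics import mean

INCIDENTS = ["C1", "C2", "C3", "C4", "C5", "C6"]
# Constructed: rank (1 = riskiest) that each expert assigned to C1..C6.
EXPERT_RANKS = {
    "Expert 1": [3, 2, 4, 5, 6, 1],
    "Expert 2": [2, 3, 4, 5, 6, 1],
    "Expert 3": [6, 5, 4, 3, 1, 2],   # largely reverses the others: should be flagged
}


def fractional_ranks(values):
    """1-based ranks (smallest value = 1); tied values share the average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2          # average of the 1-based positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def aggregate_ranking(rank_table):
    """Aggregate ranking: rank the incidents by their rank sum over all experts."""
    rows = list(rank_table.values())
    totals = [sum(r[i] for r in rows) for i in range(len(rows[0]))]
    return fractional_ranks(totals)


def spearman_rho(x, y):
    """Spearman's rho as Pearson's r on the fractional ranks (tie-safe)."""
    rx, ry = fractional_ranks(x), fractional_ranks(y)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return 0.0 if vx * vy == 0 else cov / (vx * vy) ** 0.5


def exact_p_value(x, y):
    """Two-sided exact p-value: share of all n! re-orderings of y whose |rho|
    is at least the observed |rho|. 720 cases for the paper's n = 6."""
    observed = abs(spearman_rho(x, y))
    hits = total = 0
    for perm in permutations(y):
        total += 1
        if abs(spearman_rho(x, list(perm))) >= observed - 1e-12:
            hits += 1
    return hits / total


def kendalls_w(rank_table):
    """Kendall's W (coefficient of concordance) over m experts and n incidents."""
    rows = list(rank_table.values())
    m, n = len(rows), len(rows[0])
    totals = [sum(r[i] for r in rows) for i in range(n)]
    s = sum((t - mean(totals)) ** 2 for t in totals)
    return 12 * s / (m * m * (n ** 3 - n))


def check_experts(rank_table, rho_threshold=0.5):
    """Per-expert rho and p against the aggregate; outlier = rho below threshold
    (the threshold is an assumption of this example)."""
    agg = aggregate_ranking(rank_table)
    report = {}
    for name, ranks in rank_table.items():
        rho = spearman_rho(ranks, agg)
        report[name] = {"rho": round(rho, 3),
                        "p": round(exact_p_value(ranks, agg), 4),
                        "outlier": rho < rho_threshold}
    return agg, report


if __name__ == "__main__":
    agg, report = check_experts(EXPERT_RANKS)
    print("aggregated ranks:", dict(zip(INCIDENTS, agg)))
    for name, r in report.items():
        print(name, r)
    print("Kendall's W, all experts:", round(kendalls_w(EXPERT_RANKS), 3))
```

Recomputing Kendall's W after dropping the flagged expert shows how much a single outlier lowers the overall agreement; the exact p-values make the small-sample limit visible, since only a near-perfect rank agreement reaches the 0.05 level with six incidents.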
Based on the results, C6 has the highest relative partial risk in the analysis and is therefore the riskiest incident. Since this top partial risk lies in the occurrence vs. detection submatrix, the optimal development or risk mitigation strategy is to decrease the occurrence level or increase the detectability of the incident; reducing its severity alone would not lower the PRISM number as long as the occurrence-detection product remains the maximal value.
As all the consistent experts agreed, C5 is the least risky incident. There are slight changes in the ranks of C1, C2, C3, and C4 under the different functions, but as the analyses showed, these changes are moderate.
Since only significantly consistent experts were involved in the aggregated assessment and the individual assessments were similar, it can be concluded that the assessment is based on adequate knowledge and the results are reliable.

Discussion.
A risk-based approach in compliance management is best practice internationally [37,59], and reducing risks requires company-wide collaboration. However, breaking down principles and theories into methods and techniques is challenging and highly dependent on industry, size, and strategy. Therefore, compliance risk management is always unique to the organization. Understanding the legal and business context is critical in planning and operating a compliance management system [31,36].
Effective compliance programs identify and control risks that could lead to financial and reputational loss or legal consequences [67]. Many indicators used to monitor compliance risks are also used to monitor operational risks; therefore, an integrated operational and noncompliance risk framework can lead to practical solutions and reduced costs [68]. Appropriate techniques for the risk-based approach are listed in Annex B of IEC 31010:2019, which contains 31 risk assessment techniques, including Failure Mode and Effects Analysis (FMEA) [69]. In reality, the methods and techniques used are often determined by the practices and preferences of stakeholders and parent companies [70]. Risk assessment is helpful both in the design phase of new products, services, or processes and for existing business processes. In practice, compliance risk management relies heavily on consultations with expert groups, while the reliability of these consultations is rarely validated.
The risk matrix is a widely used risk assessment method in the banking sector, but it has several weak points. First, it is built along only two dimensions. The "probability" dimension is essentially the "occurrence" factor of FMEA, and "impact" is essentially the "severity" of the consequences of a failure mode. Detectability is typically left out of the traditional risk matrix; in some cases, users fold it into the probability dimension, i.e., confuse it with the simple frequency of occurrence. Beyond adding the detectability dimension, the proposed pairwise comparison-based PRISM method lets experts check the consistency of individual decisions and identify outliers.
This study focuses on the assessment of partial or hidden risks. According to [71], knowledge discovery based on MCDM methods is an emerging field in the risk management of financial institutions. Combining the PRISM method with Guilford's pairwise comparison is an alternative to the original PRISM method, which uses deterministic scales for assessing the FMEA factors. When assessors compare the alternatives in pairs to judge which is preferred in light of a rating factor (such as severity), the method allows the inconsistency of the decisions to be tested; consistency testing of expert evaluations is an advantage in highly complex matters. The main result of the risk assessment is the aggregated ranking of risks; in addition, outlier experts can be identified by testing the impact of individual expert rankings on the aggregated ranking.
Based on the prioritization of the incidents by PRISM numbers, possible risk mitigation or reduction actions can be planned and launched. However, organizations should reassess risks periodically. In addition, reassessment is needed when new activities are launched, when significant external changes (such as a pandemic or war) occur, or when the organizational structure changes (such as in mergers and acquisitions).
On the one hand, risk management aims to control and reduce the likelihood of compliance errors and the scope of their negative consequences [2]. On the other hand, actions may aim at improving the detectability of issues by designing controls into the processes. A common pitfall of compliance risk assessment is management deciding, without understanding the underlying causes, which risk to address in the next period; in such forced solutions, risk mitigation is artificially prioritized.
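The consistency test for binary pairwise comparisons mentioned here (and the reason Expert 3 was excluded above), as an added example that is not part of the original paper: Python code that builds a preference matrix from one expert's (higher, lower) judgments for a factor, counts circular triads, computes Kendall's coefficient of consistency, derives a scale value per incident, and forms PRISM numbers. Two things are assumptions of this example rather than statements of the paper: the scale value is taken as the number of pairwise wins plus one, and the PRISM number is taken as the largest of the three pairwise products S*O, S*D, O*D, which is how the page's "maximal value of each case" is read here. The paper's significance test for consistency is not reproduced; the example only reports the coefficient. All judgments are constructed sample data, generated from an assumed ordering with one deliberately reversed pair to show how the check responds.

```python
"""Consistency check of an expert's binary pairwise comparisons (circular triads,
Kendall's coefficient of consistency), the scale values derived from them, and
PRISM numbers taken as the largest pairwise product of the three factors.
All judgments below are constructed sample data, not the paper's."""
from itertools import combinations

INCIDENTS = ["C1", "C2", "C3", "C4", "C5", "C6"]
SUBMATRICES = ("S x O", "S x D", "O x D")


def judgments_from_order(order, flips=()):
    """Transitive (higher, lower) judgments implied by an ordering (first = highest),
    with the listed pairs reversed to simulate inconsistent answers."""
    prefs = []
    for i, j in combinations(range(len(order)), 2):
        hi, lo = order[i], order[j]
        if (hi, lo) in flips or (lo, hi) in flips:
            hi, lo = lo, hi
        prefs.append((hi, lo))
    return prefs


def preference_matrix(items, judgments):
    """a[i][j] = 1 if item i was judged higher than item j on the factor.
    Every pair must carry exactly one direction of preference."""
    idx = {name: k for k, name in enumerate(items)}
    n = len(items)
    a = [[0] * n for _ in range(n)]
    for hi, lo in judgments:
        a[idx[hi]][idx[lo]] = 1
    for i, j in combinations(range(n), 2):
        if a[i][j] + a[j][i] != 1:
            raise ValueError(f"pair ({items[i]}, {items[j]}) judged {a[i][j] + a[j][i]} times")
    return a


def circular_triads(a):
    """Count intransitive triples i > j > k > i: a 3-item sub-tournament is a cycle
    exactly when each of its items beats one other."""
    d = 0
    for i, j, k in combinations(range(len(a)), 3):
        if a[i][j] + a[i][k] == 1 and a[j][i] + a[j][k] == 1 and a[k][i] + a[k][j] == 1:
            d += 1
    return d


def consistency(a):
    """Kendall's coefficient of consistency: 1 for fully transitive judgments,
    0 at the maximum possible number of circular triads."""
    n = len(a)
    d_max = (n ** 3 - n) / 24 if n % 2 else (n ** 3 - 4 * n) / 24
    return 1 - circular_triads(a) / d_max


def scale_values(items, a):
    """Assumption of this example: scale value = number of pairwise wins + 1 (1..n)."""
    return {name: sum(a[i]) + 1 for i, name in enumerate(items)}


def prism_numbers(items, S, O, D):
    """PRISM number per incident = largest of the three pairwise products, with the
    submatrix it comes from (the two factors that are the mitigation levers).
    Assumes the max(S*O, S*D, O*D) definition; ties go to the first submatrix."""
    out = {}
    for name in items:
        products = dict(zip(SUBMATRICES,
                            (S[name] * O[name], S[name] * D[name], O[name] * D[name])))
        sub = max(SUBMATRICES, key=products.get)
        out[name] = (products[sub], sub)
    return out


def assess(items, judgments_by_factor):
    """judgments_by_factor: {'S': [...], 'O': [...], 'D': [...]} pairwise judgments.
    Returns per-factor consistency, scale values, PRISM numbers, and the ranking
    from riskiest to least risky."""
    mats = {f: preference_matrix(items, j) for f, j in judgments_by_factor.items()}
    scales = {f: scale_values(items, m) for f, m in mats.items()}
    prism = prism_numbers(items, scales["S"], scales["O"], scales["D"])
    return {"consistency": {f: consistency(m) for f, m in mats.items()},
            "scales": scales, "prism": prism,
            "ranking": sorted(items, key=lambda n: prism[n][0], reverse=True)}


# Constructed: a consistent expert (no reversed pairs) ...
CONSISTENT_EXPERT = {
    "S": judgments_from_order(["C3", "C1", "C6", "C2", "C4", "C5"]),
    "O": judgments_from_order(["C6", "C1", "C2", "C3", "C4", "C5"]),
    "D": judgments_from_order(["C6", "C2", "C1", "C3", "C5", "C4"]),
}
# ... and occurrence judgments with one reversed pair (C5 over C1), which creates
# three circular triads (C1 > X > C5 > C1 for each X ranked between them).
INCONSISTENT_OCCURRENCE = judgments_from_order(
    ["C6", "C1", "C2", "C3", "C4", "C5"], flips={("C1", "C5")})

if __name__ == "__main__":
    result = assess(INCIDENTS, CONSISTENT_EXPERT)
    for name in result["ranking"]:
        print(name, result["prism"][name])
    print("consistency of the reversed-pair occurrence judgments:",
          consistency(preference_matrix(INCIDENTS, INCONSISTENT_OCCURRENCE)))
```

A single reversed answer among 15 pairs already costs three circular triads out of a maximum of eight for six items, so a factor whose coefficient drops well below 1 is a candidate for exclusion, as happened with Expert 3's occurrence and detection judgments; the submatrix reported with each PRISM number says which two factors a mitigation action has to move.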

Managerial Implications in Light of the Proposed Methodological Process and the Shortcomings of the Bank's Practice.
The bank's compliance risk assessment process is qualitative and draws on historical data where available. The group assessment is based on discussion; no individual assessments are performed. The bank uses the risk matrix technique for risk assessment related to noncompliance events.
Since many banks share the same main compliance management processes, practical observations can be made by comparing the bank's compliance risk assessment process with the proposed process. The risk matrix determines the degree of risk from predefined scales for the probability of occurrence and the severity of impact. Figure 5 shows the structure of the matrix.
The likelihood of an issue describes the possibility of its occurring in the foreseeable future. The probability of noncompliance events or their causes falls into four categories: unlikely (happens less often than once in five years), possible (happens every 3-5 years), likely (happens every 1-3 years), and very likely (occurs within 12 months). Historical data analysis is often included in the estimation of incident occurrence.
The severity of noncompliance events is classified as follows: low (no or little financial loss, no reputational impact), medium (small financial loss, slight negative regional-level reputational impact), significant (significant financial loss or regional reputational impact, legal consequences), and severe (severe financial or legal consequences or global reputational impact).
The overall compliance risk rating is aggregated into four categories: minor, moderate, significant, and critical, represented by four colors (green, yellow, orange, and red). Yellow and orange are warnings that encourage corrective measures, and some corrective action is required at any level above minor. Based on the risk matrix, experts can visualize the accumulated risk of certain operations or departments.
The first problem with the risk matrix technique is that it does not consider how easily failures and causes of noncompliance can be detected. Obviously, a failure that is harder to detect poses more risk to operations. PRISM and other FMEA-based methods, which rate severity, occurrence, and detection, provide a basic remedy.
The second major problem with the bank's practice is that using predefined scales for the assessment does not allow the consistency of the experts to be tested; combining the PRISM method with pairwise comparison techniques solves this. Since the bank performs only a group assessment, individual expert results cannot be checked, so the information that similarity testing would provide, such as the identification of outlier experts, is unavailable. The proposed process aggregates individual results and thus closes this gap. Finally, the bank's assessment has only four possible outputs (minor, moderate, significant, and critical), so with many assessable issues, many items share the same output value; with scarce resources, there is then no information on which of the equally rated issues should be mitigated first. The proposed PRISM method yields a more detailed final ranking than the bank's practice.
Although only a few problems were mentioned, they may motivate the compliance experts of the bank (and of other banks with similar risk assessment processes) to develop their compliance management systems.

Conclusions
This article presented a new compliance risk assessment method based on a commercial banking case study. Compliance management refers to the processes and controls that ensure that a company and its employees conduct their business legally and ethically. ISO 37301:2021 is the contextual background, in which the risk-based approach to compliance management is the foundation. In practice, the most popular risk assessment methods are combined with Multi-Criteria Decision-Making methods to describe complex phenomena more accurately. The PRISM method based on pairwise comparisons aligns with this trend.
The new method highlights that pairwise comparisons make it possible to compare the risk rankings of compliance experts and their consistency with the aggregate ranking. In addition, the method allows organizations to identify inconsistent and outlier experts. Significantly different assessments may contain valuable insights into a particular phenomenon or differing interpretations of complex issues.
As a limitation, this case study was presented with only a small incident sample, although the statistical methods applied remain valid. The agreement between the three organizational experts is significant. Furthermore, the case study did not examine whether professional experience or the time spent at the particular bank was related to the rankings resulting from the evaluation.
A methodological limitation of this work is that the uncertainty in the experts' opinions during the pairwise comparison process cannot be modeled well, since the proposed method uses a binary output to indicate preferences. Unlike AHP and BWM, which can be fuzzified well, the proposed method seems cumbersome to fuzzify. The Guilford method shares a limitation with AHP: the number of comparable items is quite low, owing to the limits of human cognitive capacity. For many comparable elements, the PRISM method should be integrated with BWM rather than with binary techniques or AHP.
Future research could focus on decision-making and on how group assessment techniques, such as the traditional FMEA, can be combined with individual assessment techniques. Another possible research direction is a methodological extension, namely, the combination of AHP or BWM with PRISM, so that the relationship between two risks (incidents) and the strength of the preferences are also included in the evaluations. Furthermore, since fuzzification is a developing research field alongside MCDM methods [72] in the description of complex systems, a fuzzy-based hybrid development of the PRISM method is another possible direction. Fuzzy logic is efficient for handling uncertain and imprecise knowledge, which is sometimes the case in bank compliance. Similarly, since risk factor estimations are based on previous observations and experience, considering the uncertainty associated with these observations [73] and the risk of decision errors [74] is another route to extend the proposed method. Finally, future research could investigate the human element in compliance risk management, from the individual characteristics that affect compliance dilemmas at work to compliance culture.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.