We have well-established systems of risk oversight and management that align with the Commonwealth Risk Management Policy and section 16 of the PGPA Act. Our Enterprise Risk Management Framework promotes a consistent approach to the proportionate management of risk, embedded into day-to-day business practices.
Identifying, understanding and managing risk is critical to the delivery of our key activities and achieving our purpose and objectives as an organisation.
Risk appetite
We identify and manage risk in the context of our performance, in line with our overall risk appetite, to:
- make the most of opportunities
- deal with threats
- foster innovation
- build a strong risk culture across the ATO.
In doing this, we are:
- willing to accept higher levels of risk where there is a clear opportunity to realise benefits and where risks can be controlled to acceptable levels
- less willing to accept risk where it is not clear that benefits will be realised or where risks are unable to be controlled to acceptable levels.
The ATO’s Risk Committee has primary responsibility for overseeing the systems of risk oversight and management in operation. Together with our Audit and Risk Committee, it provides assurance to the ATO Executive that risk is being effectively identified and appropriately managed throughout the organisation, with a strong focus on setting clear accountabilities and tolerances and on monitoring performance to ensure it remains within acceptable levels.
Enterprise risks
The risks outlined below have been identified as the key risks for the ATO to manage in 2024–25.
Tax and Superannuation performance and service
| Enterprise risk | Risk description | Risk management strategy |
|---|---|---|
| Tax and superannuation performance in accordance with the law | There is a risk that the performance of the tax and superannuation systems moves out of tolerance because lodgment and correct reporting issues are not identified or addressed in a timely way, resulting in reduced community confidence, willing participation and revenue performance. | We are expanding and evolving our understanding of risk by developing a 3-tiered approach to understanding tax (non) performance through a behavioural lens, and by starting to set tolerances for tax non-performance. The 3-tiered approach gives us a greater understanding of where to prioritise investment, not only to treat non-performance but to influence client behaviour. When we bring together what we know from managing risk with insights from the tax gap program, we gain insight into the behaviours we see across the various market segments, and into how these behaviours affect the performance of the tax system. |
| Payment and debt performance | There is a risk that payment and debt performance declines to unacceptable levels, caused by volatility in economic conditions and/or ineffective ATO strategies. This may result in growth in outstanding debt and affect the availability of funding for government programs, perceptions of fairness, and government and community confidence in our administration. | We are managing this risk through our core strategies: prevention, engagement through early intervention, and firmer and stronger actions. Our core strategies will be enhanced by our Lodge and Pay Reset program, using data and analytics to drive rapid progress in delivering on-time payment and addressing collectable debt. |
| Influencing policy and law design | There is a risk that the ATO’s ability to influence policy and law design may be affected by shifting policy settings, an inability to establish and maintain effective relationships, or an inability to build and sustain suitable capability, resulting in material compromises to the sustainability and administrability of the systems. | We are managing this risk by applying expertise to shape the policy agenda, helping to achieve the policy intent and deliver well-designed policy solutions while ensuring integrity in the system and making it easy for taxpayers to meet their obligations or claim their entitlements. |
| Registration | There is a risk that the ATO’s registers lack integrity, caused by entities that are registered when they should not be or entities that are not registered when they should be, resulting in opportunities for fraud and reduced value of registry data for government and community users. | We are managing this risk by maturing our risk management approaches and strengthening our controls across the registry system to support correct registration outcomes for our clients, enhance the value of our registry data, and support more rapid identification of, and response to, emerging fraud events. |
| External fraud | There is a risk that we are not taking all reasonable measures to prevent, detect and respond to external fraud, resulting in out-of-tolerance revenue and information loss and harm to ATO clients. | We are managing this risk through an increased focus on real-time digital monitoring: prevention measures designed to reduce the occurrence of sophisticated, agile and treatment-resilient external fraud; detection measures designed to uncover incidences of fraud in close to real time; and response measures that enhance the protection of revenue and information from suspected fraud. |
| End-to-end client service and case management | There is a risk that the ATO does not achieve end-to-end service and case management outcomes for the ATO and clients, caused by the complexity of our internal operating arrangements and inconsistent decision-making across functional and structural boundaries, resulting in incorrect outcomes and/or unacceptable experiences for clients and a reduction in voluntary compliance due to loss of trust and confidence in the ATO. | We are managing this risk by understanding the interactions an individual or small business client has with us, including the intersection points across our structures and the downstream impacts of actions and decisions. We will proactively identify and manage interactions to ensure optimal service and case management outcomes. |
| Misuse of data and analytics | There is a risk that we (or those we share our data or analysis with) do not lawfully or appropriately use our data and/or analysis, caused by a failure in our data and analytics governance, resulting in adverse impacts on individuals, loss of revenue and/or loss of public trust and confidence, and a reduction in willing participation. | We are managing this risk by strengthening our data and analytics governance and embedding it as part of business-as-usual, investing in data and analytics architecture and infrastructure to support lawful and appropriate access and use, and uplifting the data literacy of all staff. |
Organisational
| Enterprise risk | Risk description | Risk management strategy |
|---|---|---|
| Sustainable workforce | There is a risk that the ATO will be unable to attract, develop and retain a diverse workforce with the capability required to meet current and future organisational demands. This is caused by workforce demand and supply, or by an inability to meet expectations with our employment offer or to address staff wellbeing. This could result in a systemic failure to deliver on our priorities. | We design and deliver innovative enterprise-wide policies, strategies, programs and solutions that align with the needs of the ATO, the APS and the communities we serve. We are investing in our people, their tools, wellbeing and overall experience, to equip them with the right skills to meet both current and emerging requirements. |
| Standards and ethical conduct | There is a risk that our people do not act lawfully and with integrity, caused by breakdowns in processes, workplace culture, leadership and behavioural practices, and by misalignment with APS values. This can result in harm to individuals and erosion of public trust in the ATO. | We are managing this risk through a comprehensive integrity program that includes regular training, transparent reporting channels and consequences for breaches of APS values, to promote a culture of lawful and ethical behaviour and maintain public trust in the ATO. |
| Change capacity and capability | There is a risk that the ATO is unable to deliver on government and ATO change priorities over the medium term (1–3 years), caused by insufficient capacity and capability to accomplish objectives, resulting in the re-prioritisation or ceasing of change-related activities, redirection of resources and an associated reduction in core business activities. | We are managing this risk by regularly assessing the ATO’s capacity and capabilities to deliver objectives and re-prioritising where needed. We review our risk controls to assure or strengthen their effectiveness. These controls cover setting change commitments, delivering change and evaluating the intended outcomes. |
| Contemporary technology | There is a risk that the ATO is unable to develop and maintain a contemporary suite of technologies for the community and staff, caused by rapid changes in the broader technology environment, demand pressures, funding constraints and competition for skilled resources, resulting in degradation of the security, reliability and usability of the technology services that support the effective management of our services. | The ATO is managing this risk by making targeted and strategic investments across our technology environment to continue to improve the client and staff experience and enhance the performance, availability and resilience of our key systems and applications. The ATO is also driving operational improvements to enhance our ability to detect and respond to system performance incidents efficiently and effectively. The availability and performance of the ATO’s external and internal-facing systems are monitored 24/7, and detailed performance reports are provided to the ATO Executive each month. |
| Maximising the value of data and analytics | There is a risk that we do not effectively utilise data and analytics (D&A) capabilities, caused by inappropriate investment in or maintenance of our D&A foundations and/or capabilities, resulting in sub-optimal decision making, organisational inefficiency and uneconomic outcomes. | We are managing this risk by improving the way we collect, manage, share and use data. We are focusing on strengthening our data foundations, transforming the data and analytics experience for our staff, evolving how we use automation and artificial intelligence (AI), and building and sustaining our data literacy and capability to ensure we unlock our full data potential. |
| Managing cyberthreats | There is a risk that the confidentiality, integrity or availability of ATO information systems is compromised by an external threat actor or malicious insider, resulting in direct and indirect financial impacts and the undermining of trust in the ATO and government. | We are managing this risk by uplifting our cybersecurity capabilities to increase our maturity against whole-of-government requirements. |