Our approach to risk management aligns with the requirements of the PGPA Act and the Commonwealth Risk Management Policy.
Our risk management policies and processes align with the ATO as the Commissioner of Taxation is the Accountable Authority for the TPB under the PGPA Act. This is enhanced by our practices ensuring TPB-specific risks are actively managed and visible to senior leaders and the Board.
Our risk management practices are overseen by both the ATO and TPB Audit and Risk Committees. Review of business performance and risk management is an ongoing leadership task, especially through weekly executive meetings, monthly board meetings, and quarterly performance reporting.
Our risk management processes help us to:
- clarify our goals and strategic objectives
- determine what must go right (our strategies)
- consider what may go wrong (potential risks)
- look to prioritise, mitigate and manage key risks.
Working collaboratively on risks
There are key risks the TPB works collaboratively on with relevant stakeholders, especially in relation to supporting the integrity of the profession and the system. Recognising the increasingly interdependent nature of risk, the accountability and responsibility for some risks require us to adopt a collaborative approach to managing risk that stretches across a portfolio or jurisdiction.
The TPB and the Commissioner of Taxation jointly administer the conduct of tax practitioners under their respective Acts. The administrative effectiveness of the TPB’s regulatory regime requires that the TPB and the Commissioner have a close and collaborative working relationship. The legal and policy framework between the TPB and Commissioner enables co-operation between the TPB and ATO to facilitate the:
- liaison, collaboration, assistance and the exchange of information between the two statutory authorities
- measures taken around data validity and protection of confidential or official information.
Enterprise risk | Risk description | Risk management strategy |
|---|---|---|
Limited collaboration with co-regulators | Co-regulator collaboration limited by differing priorities, reducing the effectiveness of our compliance outcomes and the efficiency of our service delivery. | We manage this by proactive engagement with co-regulators, improving relationships, systems, processes and policy. |
Systems enhancement delays and/or unsuitability for the TPB | System enhancements that are delayed or unsuitable for our use, adversely impacting service delivery and consumer confidence. | This is managed by ensuring that system enhancements are fit-for-purpose, paying attention to how projects are prioritised for delivery, improving staff capability to ensure the quality of builds, and ensuring adequate operations engagement and involvement. |
Inadequate resourcing including funding | Resources (including funding), capability, tools and systems are inadequate to carry out functions under the TASA or deliver TPB strategic outcomes. | Inadequate resourcing is managed having regard to prioritisation, improving services and strategies targeting highest risks and opportunities. |
Cyber or technology breach or failure | Cybersecurity/technology breach or failure resulting in systems and data being accessed by unauthorised parties and/or loss of data. | We are mitigating this risk by using industry best-practice cyber-monitoring suites, performing ongoing cyber-risk reviews, and implementing the Australian Cyber Security Centre Essential Eight mitigation strategies. |
Inadequate data management | Not delivering data analytic tools on time or tools performing poorly. | Our data strategy addresses our data needs, use, analysis, security, and capability. |
Disrupted implementation of legislative reforms | Failing to implement legislative measures efficiently and effectively. | We ensure ongoing stakeholder engagement, consultation, and collaboration to manage implementation risks. We also provide advice and input into government proposals for relevant legislative reform and this, in turn reduces our implementation risk. |
We will continue to monitor, evolve and adjust our understanding and management of these risks, while also scanning for new risks and opportunities.