
ATO Risk management

Published 8 August 2025

We have well‑established systems of risk oversight and management that align with the Commonwealth Risk Management Policy and section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

Our Enterprise Risk Management Framework promotes a consistent approach to the proportionate management of risk, embedded into day‑to‑day business practices. Identifying, understanding and managing risk is critical to the delivery of our key activities and achieving our purpose.

Risk appetite

We identify and manage risk in the context of our performance, in line with our overall risk appetite, to:

  • foster innovation and make the most of opportunities
  • deal with threats.

In doing this, we are:

  • willing to accept higher levels of risk where there is a clear opportunity to realise benefits and where risks can be controlled to acceptable levels
  • less willing to accept risk where it is not clear that benefits will be realised or where risks are unable to be controlled to acceptable levels.

Our risk appetite statement helps us to decide how much risk we are willing to take in different situations, guiding measured risk decisions to achieve our objectives.

The Risk Committee is responsible for oversight and assurance of our risk profile and for advising on the management of key risks. Together with our Audit and Risk Committee, it provides assurance to the Accountable Authority that risk is being effectively identified and appropriately managed throughout the organisation, with a strong focus on setting clear accountabilities and tolerances and on monitoring performance to ensure it remains within acceptable levels.

Tax and superannuation performance and service

Compliance and policy

Tax and superannuation performance in accordance with the law

Risk description: There is a risk that the performance of the tax and superannuation systems declines to unacceptable levels due to systemic non-compliance not being sufficiently remediated, resulting in reduced revenue collection and detrimental impacts to government and community confidence.

Management strategy: We continue to mature our use of a 3-tiered approach to understand non-performance through a taxpayer behavioural lens, across lodgment and correct reporting. This approach gives us a greater understanding of where to prioritise investment to influence taxpayer behaviour so that taxpayers meet their compliance obligations, and to gain high levels of assurance by making it easy to comply and to access tailored help, as well as by dealing with non-compliance.

Payment and debt performance

Risk description: There is a risk that payment declines and debt increases to unacceptable levels, caused by volatility in economic conditions or ineffective ATO strategies. This may result in an inability to collect revenue for government and ultimately impact government and community confidence and perceptions of fairness in our administration.

Management strategy: We are managing this risk through implementation of the Payment Strategy, which focuses on prevention and engagement through early intervention and firmer and faster actions. Our core strategies will be enhanced, using data and analytics to drive rapid progress in delivering improved payment on time and addressing debt.

Influencing policy and law design

Risk description: There is a risk that the ATO’s ability to influence policy and law design may be affected by shifting policy settings, an inability to establish and maintain effective relationships, or an inability to build and sustain suitable capability, resulting in material compromises to the sustainability and administrability of the tax and superannuation systems.

Management strategy: We are managing this risk by applying expertise to shape the policy agenda, helping to achieve the policy intent and deliver well-designed policy solutions while ensuring integrity in the system and making it easy for taxpayers to meet their obligations or claim their entitlements.

Registration

Risk description: There is a risk that the ATO’s registers lack integrity, caused by entities that are registered when they should not be or entities that are not registered when they should be, resulting in opportunities for fraud and reducing the value of registry data for government and community users.

Management strategy: We are managing this risk by strengthening our controls across the registry system to support correct registration outcomes for taxpayers, enhance the value of our registry data, and support more rapid identification of, and response to, emerging fraud events.

External fraud

Risk description: There is a risk that we are not taking all reasonable measures to prevent, detect and respond to external fraud, resulting in out-of-tolerance revenue and information loss and harm to taxpayers.

Management strategy: We are managing this risk through:

  • an increased focus on real-time digital monitoring: prevention measures designed to reduce the occurrence of sophisticated, agile and treatment-resilient external fraud, and detection measures designed to uncover incidents of fraud in close to real time
  • improvements to the ATO app to enable taxpayers to protect themselves
  • response measures that enhance the protection of revenue and information from suspected fraud.

Service outcomes

End‑to‑end service and case management

Risk description: There is a risk that the ATO does not achieve acceptable end-to-end service and case management outcomes for the ATO and taxpayers, caused by the complexity of our internal operating arrangements and inconsistency of decision-making across functional and structural boundaries. This may result in incorrect outcomes or unacceptable experiences for taxpayers and ultimately a reduction in voluntary compliance due to loss of trust and confidence in the ATO.

Management strategy: Central to this risk is an understanding of the breadth of interactions that taxpayers (particularly individuals and small businesses) have with us, including the intersection points across our structures and the downstream impacts of our actions and decisions. We will proactively identify interactions that may lead to unintended outcomes and improve controls to ensure optimal service and case management outcomes.

Organisational

Workforce and governance

Sustainable workforce

Risk description: There is a risk that the ATO will be unable to attract, develop and retain a high-performing, skilled and diverse workforce with the capability required to meet current and future organisational demands. This may be caused by an imbalance between workforce demand and supply, an inability to meet expectations with our employment offer, or shortcomings in addressing staff wellbeing, resulting in a failure to deliver on our key activities.

Management strategy: We design and deliver innovative enterprise-wide policies, strategies, programs and solutions that align with the current and future needs of the ATO, the APS and the communities we serve. We are investing in our people, their tools, wellbeing and employee experience, so they have the right skills to meet both current and emerging requirements.

Standards and ethical conduct

Risk description: There is a risk that our people act unlawfully or unethically, caused by ineffective or inappropriate processes, workplace culture and leadership, resulting in the erosion of our reputation and public trust in the ATO, which impacts our ability to effectively fulfil our core purpose.

Management strategy: We are managing this risk through a comprehensive integrity program that includes regular training, transparent reporting channels, and consequences for breaches of APS values, to promote a culture of lawful and ethical behaviour and maintain public trust in the ATO.

Change capacity and capability

Risk description: There is a risk that the ATO is unable to deliver on government and ATO priorities, caused by insufficient change capacity and capability, resulting in a significant inability to deliver on organisational objectives and realise benefits for the community.

Management strategy: We are managing this risk by regularly assessing the ATO’s capacity and capabilities to deliver on our activities and commitments. We are enhancing our forward planning, including strengthening our enterprise strategy and working with stakeholders to influence externally-driven change that will require the ATO’s support. We have robust monitoring of our change capacity, and we actively seek to build or engage the skills required to deliver. Where required, we re-prioritise or reschedule work to ensure delivery of the most critical outcomes.

Technology and data

Contemporary technology

Risk description: There is a risk that the ATO is unable to develop and maintain a contemporary suite of technologies for the community and staff, caused by rapid changes in the broader technology environment, demand pressures and competition for skilled resources, resulting in degradation of the security, reliability and usability of the technology services that support the effective management of our services.

Management strategy: The ATO is managing this risk by making targeted and strategic investments across our technology environment, to continue to improve the client and staff experience and enhance the performance, availability and resilience of our key systems and applications. The ATO is also driving operational improvements to enhance our ability to detect and respond to system performance incidents in an efficient and effective manner.

Misuse of data and analytics

Risk description: There is a risk that we (or those we share our data or analytics insights with) do not lawfully or appropriately use our data or analytical insights (including the use of AI), caused by a failure in our data and analytics governance, resulting in adverse impacts on individuals, loss of revenue or loss of public trust and confidence.

Management strategy: We are managing this risk by strengthening our data and analytics governance and embedding it as part of business-as-usual, investing in data and analytics architecture and infrastructure to support lawful and appropriate access and use, establishing explicit AI controls, and uplifting the data literacy of all staff.

Security

Managing cyberthreats

Risk description: There is a risk that the confidentiality, integrity or availability of ATO information systems is compromised by an external threat actor or malicious insider, resulting in direct and indirect financial impacts, and the undermining of trust in the ATO and government.

Management strategy: We are managing this risk by uplifting our cybersecurity capabilities to increase our maturity in line with whole-of-government requirements.

QC105199