We have well established systems of risk oversight and management that align with the Commonwealth Risk Management Policy and section 16 of the PGPA Act.
Our Risk Management Framework promotes a consistent approach to the proportionate management of risk, embedded into day-to-day business practices and decision-making. Identifying, understanding and managing risk is a critical enabler to the delivery of our key activities and ultimately, in achieving our purpose and vision.
Risk appetite
We identify and manage risk in the context of our performance, in line with our overall risk appetite, to make risk-based decisions that:
- foster innovation and make the most of opportunities
- deal with threats.
In doing this, we are:
- willing to accept higher levels of risk where there is a clear opportunity to realise benefits and where risks can be controlled to acceptable levels
- less willing to accept risk where it is not clear that benefits will be realised or where risks are unable to be controlled to acceptable levels.
Our risk appetite statement helps us to decide what and how much risk we are willing to take in different situations, guiding measured risk decisions to achieve our objectives.
The ATO Risk Committee is responsible for oversight and assurance of our risk profile and advising on the management of key risks. In conjunction with our independent Audit and Risk Committee, the ATO Risk Committee provides assurance to the Commissioner in his role as Accountable Authority that risk is being effectively identified and appropriately managed throughout the organisation, with a strong focus on setting clear accountabilities and tolerances and monitoring performance to ensure it remains within acceptable levels.
Tax and superannuation performance and service
|
Enterprise risk |
Risk description |
Management strategy |
|---|---|---|
|
Tax and superannuation performance in accordance with the law |
There is a risk that the performance of the tax and superannuation systems declines to unacceptable levels due to systemic non-compliance not being sufficiently remediated, resulting in reduced revenue collection and detrimental impacts to government and community confidence. |
We are managing this risk through a 3-tiered approach that monitors tax and superannuation system performance against tolerance and supports identification of non-compliance across lodgment and correct reporting behaviours and risk events. The approach integrates behavioural insight, intelligence and assurance to understand shifts in risk across populations, obligations and environmental factors, and to prioritise the investment, controls and interventions that prevent the escalation of systemic non-compliance and ensure the maintenance of acceptable performance. |
|
Payment and debt performance |
There is a risk that payment declines and debt increases to unacceptable levels, caused by volatility in economic conditions or ineffective ATO strategies, resulting in an inability to collect revenue for government, impacting trust and confidence in the ATO and perceptions of fairness in our administration. |
We are managing this risk through a payment and debt strategy that responds to economic volatility by prioritising prevention, early intervention and active management. Through the continued implementation of our strategy, payment on time is strengthened through education, nudges, and firmer action signalling. Debt is actively managed through tailored engagement support for taxpayers, hardship pathways, enhanced analytics and proportionate escalation. |
|
Influencing policy and law design |
There is a risk that the ATO’s ability to influence policy and law design may be affected by an inability to establish and maintain effective relationships, or build and sustain suitable capability, resulting in material compromises associated with the sustainability and administrability of the systems. |
We are managing this risk by working closely with Treasury, other government agencies, and ATO stakeholders to ensure coordinated and timely engagement on policy and law design. We build staff capability through targeted secondments and specialised training to strengthen technical expertise and readiness to respond to policy priorities. Clear governance arrangements and staff instructions support this approach. |
|
Registration
|
There is a risk that the ATO’s registers lack integrity, caused by entities that are registered when they should not be or entities that are not registered when they should be, resulting in opportunities for fraud and reducing the value of registry data for government and community users. |
We are managing this risk by strengthening identity and eligibility controls for those interacting with the registry system and improving detection of those who fail to register when required. This approach will support correct engagement with the registry system while maintaining accessibility for those doing the right thing, improve our ability to respond to fraud and shadow economy behaviours, and enhance the value of our registry data. |
|
External fraud
|
There is a risk of serious external fraud caused by the exploitation of tax, superannuation and registry systems, resulting in loss of information, revenue, taxpayer entitlements and trust and confidence in the ATO. |
We are managing this risk of sophisticated, agile and treatment-resilient external fraud through targeted initiatives including developing a digital real-time monitoring platform to uncover incidences of fraud in close to real time and enhancements to the ATO app to enable taxpayers to protect themselves. We continue to strengthen our counter fraud measures to protect revenue and information from suspected fraud and ensure consequences for those who commit fraud. |
|
Enterprise risk |
Risk description |
Management strategy |
|---|---|---|
|
End-to-end service and case management |
There is a risk that the ATO does not achieve acceptable end-to-end service and case management outcomes for the ATO and taxpayers, caused by the complexity of our internal operating arrangements and inconsistency of decision-making across functional and structural boundaries. This may result in incorrect outcomes or unacceptable experiences for taxpayers and ultimately a reduction in voluntary compliance due to loss of trust and confidence in the ATO. |
We are managing this risk by maintaining service and case management outcomes, improving our systems, processes and procedures to support early, proportionate intervention and effective escalation. We apply a range of monitoring techniques, supported by tailored engagement and defined escalation pathways for taxpayers, including those experiencing vulnerability, to enable early and targeted remediation.
|
Organisational
|
Enterprise risk |
Risk description |
Management strategy |
|---|---|---|
|
Sustainable workforce |
There is a risk that the ATO will be unable to attract, develop and retain a high-performing, skilled and diverse workforce with the capability required to meet current and future organisational demands. This is caused by an imbalance in workforce demand and supply, an inability to meet expectations with our employment offer, or in addressing staff wellbeing resulting in a failure to deliver on our key activities. |
We are managing this risk through the design and delivery of innovative enterprise-wide policies, strategies, programs and solutions that align with the current and future needs of the ATO, the APS and the communities we serve. We are investing in our people, their tools, wellbeing and employee experience, so they have the right capabilities to meet both current and emerging requirements.
|
|
Standards and ethical conduct |
There is a risk that our people act unlawfully or unethically caused by ineffective or inappropriate processes, workplace culture and leadership, resulting in the erosion of our reputation and public trust in the ATO, which impacts our ability to effectively fulfil our core purpose. |
We are managing this risk through a robust integrity framework with controls designed to prevent, detect and respond to unethical or unlawful conduct. We regularly review, test and rationalise these controls to ensure they remain effective and fit for purpose. Supported by training, transparent reporting channels, and clear consequences, this approach promotes a lawful and ethical behaviour to maintain public trust in the ATO. |
|
Change capacity and capability |
There is a risk that the ATO is unable to deliver on government and ATO priorities caused by insufficient change capacity and capability, resulting in a significant inability to deliver on organisational objectives and realise benefits for the community. |
We are managing this risk by regularly assessing the ATO’s capacity and capability to deliver on our activities and commitments. We closely monitor enterprise change demand and actively build or source the skills required to deliver. We are strengthening our enterprise strategy and working with stakeholders to influence externally-driven change that requires ATO support. By uplifting our enterprise change management capability and integrating forward planning with capacity, risk and evaluation insights, we will improve enterprise-wide visibility, enable informed prioritisation, and focus effort on the most critical outcomes. This will support the ATO to better manage the scale and pace of change. |
|
Enterprise risk |
Risk description |
Management strategy |
|---|---|---|
|
Fit-for-purpose technology
|
There is a risk that the ATO will be unable to deliver and sustain fit-for-purpose technology for our staff and the community, caused by rapid change in the broader technology environment, funding constraints, and evolving digital service expectations, resulting in reduced compliance and community engagement, and/or a decline in overall staff productivity and effectiveness. |
We are managing this risk by making targeted and strategic investments across our technology environment, to continue to improve the client and staff experience, including programs to address existing systems coming to end of life and modernisation of key applications.
|
|
Technology availability
|
There is a risk that the ATO’s technology environment becomes unavailable, unsupportable, or unsustainable caused by rapid technological change, increasing demand for capability uplift, constrained funding, competition for skilled resources, and the complexity of adapting to shifting global commercial models, resulting in reduced system reliability, and diminished usability of core technology services.
|
We are managing this risk by making targeted and strategic investments across our technology environment, to enhance the performance, availability and resilience of our key systems and applications. We are also driving operational improvements to enhance our ability to detect and respond to system performance incidents in an efficient and effective manner. |
|
Data, analytics and AI |
There is a risk that the ATO (or those we share our data or analytics insights with) use AI, data or analytics to create outputs that are inappropriate or incorrect, caused by failures in data quality, system design, governance, behaviours or capability, resulting in significant loss of trust and confidence in the ATO, revenue or legal impacts and citizen harm. |
We are managing this risk by strengthening our approach to the responsible use of data, analytics and AI. This includes embedding improved system design and appropriately rigorous governance aligned with legislative and organisational obligations. We continue to uplift workforce capability to improve data and AI literacy for all staff. |
|
Enterprise risk |
Risk description |
Management strategy |
|---|---|---|
|
Managing cyberthreats |
There is a risk that the confidentiality, integrity or availability of ATO information systems or services is compromised by cyber threats, either by external threat actors or insider threats resulting in data breach, financial loss, disruption to critical services, regulatory or legal impacts and erosion of trust and confidence in the ATO. |
We are managing this risk by strengthening the resilience, security and reliability of our digital environment. This includes uplifting cybersecurity maturity in line with whole of government requirements, implementing risk and threat prioritised controls, improving detection and response capabilities, updating and measuring staff training and awareness, and embedding shared accountability for cybersecurity across the organisation. |