07. Risk management

Last updated 16 August 2022

We have well-established systems of risk oversight and management that align with the Commonwealth Risk Management Policy and section 16 of the Public Governance, Performance and Accountability Act 2013. Our Enterprise Risk Management Framework promotes a consistent approach to the management of risk, embedded into day-to-day business practices.

Understanding and managing risk is inherent to achieving our purpose and objectives as an organisation.

Risk appetite

We identify and manage risk in the context of our performance, in line with our overall risk appetite, to make the most of opportunities, deal with threats, foster innovation and build a strong risk culture across the ATO. In doing this, we are:

  • willing to accept higher levels of risk where there is a clear opportunity to realise benefits and where risks can be controlled to acceptable levels
  • less willing to accept risk where it is not clear that benefits will be realised or where risks are unable to be controlled to acceptable levels.

The Enterprise Risk Management Committee has primary responsibility for maintaining a view of the system of risk oversight and management in operation. In conjunction with our Audit and Risk Committee, assurance is provided to the ATO Executive that risk is being effectively identified and appropriately managed throughout the organisation, with a strong focus on setting clear accountabilities and tolerances, and monitoring performance to ensure it remains within acceptable levels.

Priority risks

The following risks have been identified as priorities for the ATO to manage. They align to our key objectives and guide decision-making across the organisation.

Tax and superannuation administration

Priority risk

Risk description

Management strategy

Tax and superannuation performance in accordance with the law

Maintaining overall tax and superannuation performance in accordance with the law may be impacted by our ability to ensure the performance of client segments remains within acceptable tolerances. We do this by fostering willing participation and dealing with those who do the wrong thing.

We are managing this risk by ensuring that we are providing information and tools that make it easy for taxpayers to comply. Our compliance efforts focus on addressing breaches and, more importantly, on changing future behaviour.

Payment and debt performance

Maintaining overall payment and debt performance may be impacted by volatility in economic conditions and government and community expectations, requiring ongoing calibration of client engagement and enforcement strategies, along with related performance targets.

We are managing this risk through the resumption of firmer and stronger actions, including awareness and warning campaigns. Through greater use of data analytics, we are able to align treatments with particular client populations and their circumstances. Where clients have outstanding obligations, they can expect timely and transparent engagements with full disclosure of their obligations, the actions we require of them, support and assistance available, and the next steps we will take if they fail to comply.

Influencing policy and law design

The quality and administrability of the system may be impacted by shifting policy settings and our ability to influence policy and law design.

We are managing this risk by applying expertise to shape the new measure agenda and contribute to new measure design, helping to achieve the policy intent while ensuring integrity in the system and making it easy for taxpayers to meet their obligations or claim their entitlements.

Managing a complex superannuation ecosystem

Superannuation outcomes and future revenue may be at risk if we are unable to sustain effective regulation, administration and stewardship, given cumulative changes to an already complex system, increased stakeholder expectations and competing organisational priorities.

We are managing this risk through our ongoing administration and regulation roles in the superannuation system and continuous investment to strengthen this capability. Building strong relationships with key participants enables us to identify and address issues proactively, improving our ability to meet core responsibilities, deliver change and influence improvements over time. We continue to improve our ability to leverage data to support and inform services and compliance outcomes.

End-to-end client service and case management

Our ability to achieve end-to-end service and case management outcomes for the ATO and clients may be impacted by the complexity of our internal operating arrangements and consistency of decision-making across functional and structural boundaries.

We are managing this risk by understanding the series of interactions a client has with us that forms their end-to-end experience, from when they join to when they exit the system (and all of the interactions in between). Understanding the downstream impacts of the activities we do allows us to provide actionable insights that will improve the client and staff experience.


Priority risk

Risk description

Management strategy

Managing cyberthreats

Our ability to protect our organisation, clients and other partners from cyberthreats may be impacted by our ability to keep pace with the rapidly evolving digital ecosystem.

We are managing this risk by uplifting our cybersecurity capabilities, which will lead to increased compliance with whole-of-government requirements.

Contemporary technology

Our ability to keep pace with expectations may be impacted by the rapid changes in the IT environment, inherent capacity constraints and the need to continually balance future needs with short-term priorities and investment.

We are managing this risk by making targeted and strategic investments across our technology environment to continue to improve the client and staff experience and enhance the performance and resilience of our key systems.


This work focuses on implementing the underpinning technology transformations needed to support our 2024 vision.

Maximising the value of data

Maximising the value of data may be impacted by our ability to uplift data and analytics maturity, capability and associated infrastructure across the ATO.

We are managing this risk by improving the way we collect, manage, share and use data. We are focusing on strengthening our data foundations, transforming the data and analytics experience for our staff, evolving how we use automation and artificial intelligence, and building and sustaining our data literacy and capability to ensure we unlock our full data potential.

Agile and sustainable resourcing

Delivering agile and sustainable resourcing may be impacted by our ability to build and retain skills and capability, existing business processes and constraints in moving to a more flexible work environment.

We are managing this risk by applying expertise to capitalise on resource opportunities, underpinned by a positive culture and responsiveness to the changing environment.

Standards and ethical conduct

Our ability to maintain organisational integrity may be impacted if our conduct, actions or decision-making do not conform with the law or align with staff or community expectations.

We are managing this risk through a program of work to educate staff and prevent, detect and respond to actions of our officers which do not reflect expected community standards. We treat these behaviours seriously and have zero tolerance for fraudulent and corrupt behaviour.

Capacity and prioritisation

Our ability to meet our government and organisational commitments and achieve our aspirations may be impacted by challenges in prioritisation and corresponding pressures on capacity, core capability and budget.

We are managing this risk by regularly revisiting our priorities, performance and capacity, and reallocating resources to focus on the right areas to meet our commitments.