10. Risk management

Last updated 26 July 2023

Identifying, understanding and managing risk is critical to achieving our purpose and objectives as an organisation.

Risk appetite

We identify and manage risk in the context of our performance, in line with our overall risk appetite, to make the most of opportunities, deal with threats, foster innovation and build a strong risk culture across the ATO. In doing this, we are:

willing to accept higher levels of risk where there is a clear opportunity to realise benefits and where risks can be controlled to acceptable levels

less willing to accept risk where it is not clear that benefits will be realised or where risks are unable to be controlled to acceptable levels.

The ATO’s Risk Committee has primary responsibility for maintaining a view of the systems of risk oversight and management in operation. In conjunction with our Audit and Risk Committee, assurance is provided to the ATO Executive that risk is being effectively identified and appropriately managed throughout the organisation, with a strong focus on setting clear accountabilities and tolerances, and monitoring performance to ensure it remains within acceptable levels.

Enterprise risks

The following risks have been identified as the key risks for the ATO to manage in 2023–24.

Tax and superannuation administration

Compliance and policy

Enterprise risk: Tax and superannuation performance in accordance with the law

Risk description: There is a risk that performance of the tax and superannuation systems moves out of tolerance due to our inability to identify and address lodgment and correct-reporting issues in a timely manner, resulting in reduced community confidence and willing participation and further reduced revenue performance.

Risk management strategy: Our strategies are focused on sustained improvement in tax and superannuation compliance and, in turn, long-term system health. Strategies can be designed to improve correct participation in the system and to address non-compliance, thereby improving both gross and net system performance.

Enterprise risk: Payment and debt performance

Risk description: There is a risk that payment and debt performance declines to unacceptable levels, caused by volatility in economic conditions and/or ineffective ATO strategies. This may result in an intolerable growth in debt and a reduction in voluntary payment compliance, impacting the availability of funding for government programs, perceptions of fairness, and government and community confidence in the tax and superannuation systems.

Risk management strategy: We are managing this risk through our core strategies: prevention, enhanced engagement through early intervention, and firmer and stronger actions. Our core strategies will be enhanced by our Lodge and Pay reset program, 6 initiatives focused on driving rapid progress in delivering on-time payment and addressing collectable debt.

Enterprise risk: Influencing policy and law design

Risk description: There is a risk that the ATO’s ability to influence policy and law design may be materially impacted by shifting policy settings, or by an inability to establish and maintain effective relationships or to build and sustain suitable capability, resulting in poor outcomes for the sustainability and administrability of the systems.

Risk management strategy: We are managing this risk by applying expertise to shape the new measure agenda and contribute to new measure design, helping to achieve the policy intent while ensuring integrity in the system and making it easy for taxpayers to meet their obligations or claim their entitlements.

Risk description: There is a risk that our registers lack integrity, caused by entities being registered that should not be, or entities not being registered when they should be, resulting in opportunities for fraud and reduced trust in registry data (including a limited ability to use that data to support government services to the community).

Risk management strategy: We are managing this risk by bringing together a comprehensive view of all risks and controls across our registers and by implementing appropriate controls that support correct registration outcomes for our clients.

Enterprise risk: External fraud

Risk description: There is a risk that we are not taking all reasonable measures to prevent, detect and deal with external fraud, resulting in out-of-tolerance revenue and information loss and harm to ATO clients.

Risk management strategy: We are managing this risk through an increased focus on the development of prevention measures designed to reduce the risk of external fraud occurring; detection measures designed to uncover incidents of fraud when they occur; and response measures including assessment, investigation, analysis, referral, prosecution and recovery.

Client service

Enterprise risk: End-to-end client service and case management

Risk description: There is a risk that the ATO does not achieve end-to-end service and case management outcomes for the ATO and clients, caused by the complexity of our internal operating arrangements and inconsistency of decision-making across functional and structural boundaries, resulting in incorrect outcomes and/or unacceptable experiences for clients and a reduction in voluntary compliance due to loss of trust and confidence in the ATO.

Risk management strategy: We are managing this risk by understanding the series of interactions a client has with us that forms their end-to-end experience, from when they join to when they exit the system (and all of the interactions in between). Understanding the intersection points across our structures and the downstream impacts of actions and decisions allows us to provide actionable insights that will improve the client and staff experience.

Enterprise risk: Misuse of data and analytics

Risk description: There is a risk that we (or those we share our data or analysis with) do not lawfully or appropriately use our data and/or analysis, caused by a failure in our data and analytics governance, resulting in adverse impacts on individuals, loss of revenue and/or loss of public trust and confidence, and a reduction in willing participation.

Risk management strategy: We are managing this risk by strengthening our data and analytics governance and embedding this as part of business as usual, investing in data and analytics architecture and infrastructure to support lawful and appropriate access and use, and uplifting the data literacy of all staff.



Enterprise risk: Sustainable workforce

Risk description: There is a risk that the ATO will be unable to attract, develop and retain the capability required to meet current and future demands. This is caused by demand and competition in the labour market and the extent to which we are able to meet expectations with our employment offer. This could result in an inability to deliver on organisational objectives.

Risk management strategy: We are changing the way we attract and recruit to ensure we have the right skills in the right place at the right time to meet current and emerging demands. We are investing in our people, their tools and their overall experience, building their capability to position them for future work priorities.

Enterprise risk: Standards and ethical conduct

Risk description: There is a risk that our people do not act lawfully and with integrity, caused by breakdowns in processes, workplace culture, leadership and behavioural practices, and by not being aligned to APS values. This can result in harm to individuals and erosion of public trust in the ATO.

Risk management strategy: We are managing this risk through a comprehensive integrity program that includes regular training, transparent reporting channels, and consequences for breaches of APS values, to promote a culture of lawful and ethical behaviour and maintain public trust in the ATO.

Enterprise risk: Change capability

Risk description: There is a risk that the ATO is unable to deliver on government and ATO change priorities over the medium term (1–3 years), caused by insufficient capacity and capability to accomplish objectives, resulting in the re-prioritisation or ceasing of change-related activities, redirection of resources and an associated reduction of core business activities.

Risk management strategy: We are managing this risk by regularly assessing the ATO’s capacity and capabilities to deliver objectives and re-prioritising where needed.

Technology and data

Enterprise risk: Contemporary technology

Risk description: There is a risk that the ATO is unable to develop and maintain a contemporary suite of technologies for the community and staff, caused by rapid changes in the broader technology environment, demand pressures, funding constraints and competition for skilled resources, resulting in degradation of the security, reliability and usability of the technology services that support the effective management of trusted tax, superannuation and business registry services.

Risk management strategy: The ATO is managing this risk by making targeted and strategic investments across our technology environment to continue to improve the client and staff experience and to enhance the performance, availability and resilience of our key systems and applications.

The ATO is also driving operational improvements to enhance our ability to detect and respond to system performance incidents in an efficient and effective manner.

The availability and performance of the ATO’s external- and internal-facing systems are monitored 24/7, and detailed performance reports are produced for the ATO Executive each month.

Enterprise risk: Maximising the value of data and analytics

Risk description: There is a risk that we do not effectively utilise data and analytics (D&A) capabilities, caused by inappropriate investment in, or maintenance of, our D&A foundations and/or capabilities, resulting in sub-optimal decision making, organisational inefficiency and uneconomic outcomes.

Risk management strategy: We are managing this risk by improving the way we collect, manage, share and use data. We are focusing on strengthening our data foundations, transforming the data and analytics experience for our staff, evolving how we use automation and artificial intelligence, and building and sustaining our data literacy and capability to ensure we unlock our full data potential.


Enterprise risk: Managing cyberthreats

Risk description: There is a risk that the confidentiality, integrity or availability of ATO information systems is compromised by an external threat actor or a malicious insider, resulting in direct and indirect financial impacts, the undermining of trust in the ATO and Government, and reduced participation and engagement in the tax and superannuation systems.

Risk management strategy: We are managing this risk by uplifting our cybersecurity capabilities to increase our maturity against whole-of-government requirements.