This chapter discusses a range of approaches adopted by revenue bodies in managing taxpayer compliance: (i) enterprise risk management (ERM); (ii) compliance risk management (CRM); (iii) steps in the CRM process; (iv) innovative and emerging technologies; and (v) taxpayer segmentation. The ADB governance brief on Improving Tax Compliance (https://www.adb.org/publications/improving-tax-compliance) provides further detailed information.

An enterprise-wide risk management framework provides a systematic approach, which, if followed, will enable organizations to (i) make a comprehensive evaluation of all risks that could keep them from achieving their goals and objectives and thus hinder their success, including risks to key assets; (ii) gauge the severity of those risks, the likelihood of their occurrence, and the anticipated consequences; and (iii) develop and implement well-designed mitigation strategies commensurate with the levels of risk presented, and consistent with the nature of the operations and the risk appetite of the organization. A standardized approach, such as that outlined in the International Organization for Standardization (ISO) Risk Management Guidelines (2018),³⁸ provides: a reliable and tested framework, a common agreed terminology, and a comprehensive implementation process. Figure 5.1 outlines this standard process of developing and implementing a risk management approach across an organization.

This enterprise risk management (ERM) approach, outlined in ISO 31000:2018, is designed to lead the organization through a systematic, repeatable process to comprehensively identify and quantify all the risks that could keep the organization from achieving its goals and objectives. The organization must then decide, at a senior level, and having regard to the nature of its operations, what level of risk can be tolerated (risk appetite) in various areas of its activities. The extent to which risks need to be mitigated is guided both by the assessed severity of the risk, and by this risk appetite analysis.

Examples of enterprise risks are

The case study laid out in this section and the next may help explain both ERM and how it relates to compliance risk management (CRM). It describes the approach taken by the Australian Taxation Office (ATO), in two parts: Part 1 outlines how the ATO aligns enterprise risk analysis with the organization’s high-level goals, while Part 2 deals with the application of CRM.

The CRM process sets out a series of steps for identifying, assessing, and prioritizing systemic compliance risks, so that treatments informed by an understanding of the risk itself and the drivers of the observed behaviors can be developed. Ongoing monitoring of the impact of treatments enables improvements to be made throughout implementation. Evaluation of the impact on voluntary compliance, against the core compliance obligations (correct registration, on-time filing, correct reporting, and on-time payment), provides an assessment of the effectiveness of those treatments. Figure 5.2 summarizes the recommended process, which may be applied similarly across the tax system or to revenue types, business segments, industry sectors, or specific risk categories.

This approach to CRM is designed to operate at the system, segment, sector, and risk category level, and is generally not focused at the case level. Although case selection and risk treatment at the individual taxpayer level are important parts of compliance risk mitigation, they represent only one element of the broad range of activities required in a comprehensive CRM approach. CRM is not about case selection or the application of case-level interventions.

It is widely recognized that revenue bodies must focus on improving taxpayers’ voluntary compliance, as this is the only affordable and sustainable approach available. It is also generally agreed that voluntary compliance is best supported through an approach designed to deal with the underlying causes of noncompliance, as well as with the incidents of noncompliance identified. Therefore, the ultimate goal of any compliance intervention is to strengthen voluntary compliance. In a self-assessment system, this means understanding and treating system vulnerabilities and developing a range of approaches to influence taxpayer compliance behavior more effectively. System vulnerabilities, sometimes referred to as risk categories, may include (i) aggressive tax planning; (ii) operations outside the tax system (underground or shadow economy); (iii) base erosion/profit shifting; (iv) e-commerce; and (v) preferential tax regimes.

Part 2 of the ATO case study outlines the principal features of the process adopted by the ATO when developing strategies and plans for addressing the various compliance risk categories it has identified.

The ATO approach then follows a series of steps designed to determine the priority risks to be treated and the extent of treatment required to reduce the risk to an acceptable level. The result of these steps is the development of a compliance improvement program, to be implemented in order to manage all the priority compliance risk categories. These steps are summarized in Box 5.2.