Tax Administration Diagnostic Assessment Tool POA 2: EFFECTIVE RISK MANAGEMENT

Desired Outcome of POA 2 The risk to revenue and tax administration operations are identified and managed effectively. Tax administrations face numerous risks that could adversely affect revenue and tax operations. Risk management is thus essential for effective tax administration. It plays a key part in shaping how resources are used by the tax administration to maximize its goals effectively. Risks must be managed effectively in a structured approach to identifying, assessing, prioritizing and mitigating risks. These risks include: Compliance risks, where revenue may be lost if businesses and individuals fail to meet their obligations as taxpayers (registering, filing, making payments and reporting accurately). Institutional risks, where the tax administration functions may be interrupted or jeopardized due to internal or external factors.

International good practices in COMPLIANCE RISK MANAGEMENT Structured and multi-year approach to compliance risks Identification, assessment, quantification and prioritization of risks Compliance risks structured around taxpayer segments, taxpayer obligations and core taxes Intelligence gathering and research to identify compliance levels and risks - Analysis of tax audits and declarations - Analysis of environmental scanning Third party information from a variety of sources - Tax gap analysis - Studies into hidden activities - Studies of taxpayer attitude towards taxes Compliance improvement programs and risk mitigation strategies Evaluation of effectiveness of major mitigation activities as feedback for future planning

International good practices in INSTITUTIONAL RISK MANAGEMENT A risk register with a framework of problems threatening business continuity A plan for continuity of tax operations in the event of disaster Assessment of likelihood and consequences of natural disasters or man-made calamities Outline of steps in the event of disaster to maintain business continuity Staff training in disaster recovery procedures Preventive measures and internal controls to protect tax administration systems from fraud and error (POA9) Effective internal and external oversight to detect and deter undesirable events (POA 9)

Performance Indicators for Effective Risk Management High Level Indicators P2-3: Identification, assessment, ranking, and quantification of compliance risks M1 The extent of intelligence gathering and research to identify compliance risks The process used to assess, rank, and quantify compliance risks. P2-4: Mitigation of risks through compliance improvement program The degree to which risks are mitigated through a compliance improvement program. P2-5: Monitoring and evaluation of compliance risk mitigation activities. The process to monitor and evaluate the impact of compliance risk mitigation activities. P2-6: Identification, assessment, and mitigation of institutional risks. The process used to identify, assess, and mitigate institutional risks. Dimensions

Scoring P2-3-1: Identification of risks through intelligence gathering and research Intelligence gathering and research for understanding compliance level and current/emerging risks Analysis of environmental scanning as part of multi-year strategic planning Analysis of third party information from a range of external sources External studies into taxpayer behavior and attitude to compliance Research into hidden activities of businesses Tax compliance gap studies Research on topical compliance issues; e.g., transfer pricing, HWIs Analysis of audit results and tax declarations

Scoring P2-3-1: Identification of risks through intelligence gathering and research B Intelligence gathering and research for understanding compliance level and current/emerging risks Analysis of environmental scanning as part of multi-year strategic planning Analysis of third party information from a range of external sources External studies into taxpayer behavior and attitude to compliance Research into hidden activities of businesses Tax compliance gap studies Research on topical compliance issues; e.g., transfer pricing, HWIs Analysis of audit results and tax declarations

Scoring P2-3-1: Identification of risks through intelligence gathering and research Intelligence gathering and research for understanding compliance level and current/emerging risks Analysis of environmental scanning as part of multi-year strategic planning Less comprehensive analysis of third party information from a range of external sources Limited or no external studies into taxpayer behavior and attitude to compliance Research into hidden activities of businesses Tax compliance gap studies Limited or no research on topical compliance issues; e.g., transfer pricing, HWIs Analysis of audit results and tax declarations

A B C D Scoring P2-3-2: Assessing, Ranking and Quantification of Risks A structured risk assessment process based on good practice in place. Assesses and prioritizes risks for all core taxes, and taxpayer obligations. The process is part of a multi-year strategic process B A structured risk assessment process based on good practice is in place. Assesses and prioritizes risks for all core taxes taxpayer segments and taxpayer obligations The process is linked to the annual business planning BUT NOT part of a multi-year strategic plan C A LESS structured risk assessment process is in place. Assesses and prioritizes risks for all core taxes and four main taxpayer obligations. D The requirements for a ‘C’ rating or higher are not met.

Scoring P2-4: Mitigation of risks through compliance improvement programs Compliance improvement program is fully resourced and progress monitored monthly Documented compliance improvement program covers all identified high risks Compliance program covers all core taxes Compliance program covers the four main taxpayer obligations key taxpayer segments

Scoring P2-4: Mitigation of risks through compliance improvement programs B Compliance improvement program is fully resourced and progress monitored monthly Documented compliance improvement program covers all identified high risks Compliance program covers all core taxes Compliance program covers the four main taxpayer obligations large taxpayer segment

Scoring P2-4: Mitigation of risks through compliance improvement programs Compliance improvement program is fully resourced and progress monitored every three months Documented compliance improvement program covers all identified high risks Compliance program DOES NOT covers all core taxes Compliance program DOES NOT covers the all four main taxpayer obligations Compliance program DOES NOT covers all taxpayer segments

Senior management reviews the evaluation Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities A Risk Management Committee at the senior management level plays an active role in approving risk mitigation strategies Risk Management Committee monitors progress with implementation of mitigation activities Evaluation of the effectiveness of ALL approved compliance risk mitigation activities are documented Senior management reviews the evaluation

Senior management reviews the evaluation Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities B Risk Management Committee at the senior management level plays an active role in approving risk mitigation strategies Risk Management Committee monitors progress with implementation of mitigation activities Evaluation of the effectiveness of AT LEAST HALF of approved compliance risk mitigation activities are documented Senior management reviews the evaluation

Senior management reviews the evaluation ON AN AD HOC BASIS Scoring P2-5: Monitoring and evaluating impact of risk mitigation activities C Risk Management Committee at the senior management level approves risk management strategies on AD HOC BASIS Risk Management Committee monitors progress with implementation of mitigation activities ON AD HOC BASIS Evaluation of the effectiveness of approved compliance risk mitigation activities are documented ON AN AD HOC BASIS Senior management reviews the evaluation ON AN AD HOC BASIS

Scoring P2-6: Identification, assessment and mitigation of institutional risks Structured process is applied annually to identify, assess and mitigate institutional risks across the whole organization A documented institutional risk register is in place A business continuity plan exists to mitigate risks and this is reviewed annually Staff are trained in disaster recovery procedures

Scoring P2-6: Identification, assessment and mitigation of institutional risks B Structured process is applied every two years to identify, assess and mitigate institutional risks across the whole organization A documented institutional risk register is in place A business continuity plan exists to mitigate risks and this is reviewed every two years Staff are trained in disaster recovery procedures

Scoring P2-6: Identification, assessment and mitigation of institutional risks Structured process is in place to identify, assess and mitigate risks associated with the IT system A documented institutional risk register is in place A business continuity plan exists to mitigate risks and this is reviewed every two years Staff are trained in disaster recovery procedures

Checklist of Questions and Evidence for POA 2 of the Field Guide Table 8