Managing our risks

The Strategic and Investment Board oversees risk management and other governance bodies monitor specific areas of risk and performance. The Risk and Assurance Committee provides independent, impartial advice and insight to the Commissioner on risk oversight and management as well as our system of internal controls.

Our Enterprise Risk Management Framework is based on international standards for identifying and managing risks.

All enterprise risks are monitored by our Executive Leadership Team who meet regularly to review them and consider if any changes are required. Our current enterprise risks are:

Enterprise risk

Some of our controls

Risk 1

Failure to deliver for customers or government priorities

Our executive governance framework.
Regular meetings with Ministers and external stakeholders.
Our enterprise planning process.
Our initiative management lifecycle, which sets out how we manage change.
Our enterprise performance, including the Performance Measurement Framework.

Risk 2

Compliance is reduced to the point of having a material impact on revenue collection for the Crown

Our executive governance framework.
Our compliance operating model which guides our approach to compliance activity.
Our enterprise planning process.
Our approach to making design decisions.

Risk 3

Unable to ensure continuity of business services

Our incident management process.
Our business continuity plans.
Our management of vendors and suppliers.
Our cybersecurity and monitoring.

Risk 4

Insufficient people capability and capacity to deliver outcomes

Our workforce planning capability.
Our talent management, learning and development, and performance management approaches.

Risk 5

Data, analytics, information and knowledge management is insufficient and impacts the quality, efficiency and integrity of our decision-making, outcomes and reputation.

Our data and information governance policy and framework.
Our information knowledge management technologies.
Our information classification and handling policy and processes.
Our system access controls.

Risk 6

Change is not delivered to agreed outcomes or stakeholder expectations cannot be met.

The government’s tax and social policy work programme.
Our initiative management lifecycle, which sets out how we manage change.
Regular engagement with stakeholders, including giving them information about and help with adopting changes.

Risk 7

Failure to provide appropriate stewardship of the tax and social policy system.

Allocation of time and resources to stewardship work.
Engagement with other agencies, stakeholders and customers.
Our tax technical and policy capabilities.
Our executive governance framework.

Risk 8

IR does not adequately consider the accountabilities we have over data in Artificial Intelligence tools, or does not sufficiently manage the implications of Artificial Intelligence on the tax and social policy system.

Our cybersecurity and monitoring.
Our security policies and processes, standards, and practices.
Our policies and processes to ensure we comply with our legal and privacy obligations.
Our management of vendors and suppliers.