Effective Risk Management Process for Tax Authorities

RISK MANAGEMENT RISK MANAGEMENT PROCESS FOR TAX AUTHORITIES 3/18/2025 1

OUTLINE INTRODUCTION ESTABLISHING THE CONTEXT RISK IDENTIFICATION RISK ANALYSIS RISK EVALUATION RISK PRIORITIZATION RISK TREATMENT RISK MONITORING AND REVIEW CONCLUSION CASE STUDY 3/18/2025 2

INTRODUCTION In In an an ideal ideal law law- -abiding owe owe. . Revenue Revenue authorities their their responsibility responsibility. . That abiding society, authorities would That would society, people would only would be be excellent! people would only facilitate facilitate citizens excellent! would pay pay the citizens to to carry the taxes taxes they carry out they out No No such such society society exists exists. . Compliance Compliance with monitored monitored and with tax and enforced enforced in in any tax laws laws must must therefore therefore be any society society. . be created, created, cultivated, cultivated, The The objective objective of of risk accomplish accomplish its decisions decisions. . risk management management is is to to enable its mission mission by by helping helping management enable tax management make tax administration administration make better better 3/18/2025 3

INTRODUCTION Risk Risk management management is is a a structured steps steps: : Systematic Systematic risk risk identification Risk Risk analysis analysis Risk Risk evaluation evaluation Risk Risk prioritization prioritization Risk Risk treatment treatment Risk Risk monitoring monitoring and Risk Risk Management Management guides each each time time we we have have to to make structured process, process, consisting consisting of of well well- -defined defined identification and review review guides us us in in making make decision decision. . making the the best best possible possible choices choices 3/18/2025 4

INTRODUCTION Risk Risk management management is is a a deliberate and and against against. . deliberate choice choice with with cogent cogent arguments arguments for for Usually, Usually, this have have to to make station, station, where this can make a a choice where we we detect can be be seen seen as as a a human choice between between the detect the the shortest human instinct the different different line shortest line line. . instinct. . For For instance, instance, when line- -ups ups at at the when we the polling polling we Revenue Revenue authorities authorities have example, example, risk risk of of non weaknesses weaknesses in in the have to to deal non- -compliance compliance including the revenue revenue authority authority. . deal with including risk with large large number number of of risks risk of of tax tax fraud risks. . For risk of of For fraud or or risk 3/18/2025 5

INTRODUCTION The The term term 'risk 'risk management' all all have have one one thing thing in in common management' can common: : can have have many many different different meanings meanings but but It It helps provides provides us us with helps us us treat treat risks with a a level risks which which threaten level of of assurance assurance for threaten our for our our objectives objectives and our actions actions. . and also also Risk Risk management management helps making making process process and decisions decisions. . helps to to identify and allows allows us us make identify the make explicit the different different steps explicit and steps in in a a decision and more more educated decision- - educated 3/18/2025 6

INTRODUCTION Risk Risk management management also Achieve Achieve equal equal treatment Focus Focus the the burden burden of of audit Best Best use use of of the Increase Increase the the level Adjust Adjust available available resources Be Be aware aware that that a a compliant also helps helps us us to to: : treatment of of taxpayers audit to to non the available available resources level of of voluntary voluntary compliance resources to to the compliant taxpayer taxpayer could taxpayers; ; non- -compliant compliant taxpayers resources; ; compliance; ; the level level of of risks could become taxpayers; ; risks; ; and become noncompliant noncompliant. . and 3/18/2025 7

INTRODUCTION Establishing the Context Risk Identification Communication and consultation Monitoring and review Risk Analysis Risk Evaluation Risk Periodization Risk Treatment 3/18/2025 8

ESTABLISHING THE CONTEXT The The operating operating context context defines defines the the the internal internal and and external external influences the objectives, objectives, scope, influences on on the the organization scope, strategies strategies and organization. . and Objectives Objectives define achieve achieve. . define the the general general goals goals that that the the organization organization exists exists to to Scope Scope defines defines the geographical geographical coverage the nature nature and coverage. . and extent extent of of products products or or services services and and Strategies Strategies are achieve achieve its are course course of of actions its objectives objectives. . actions that that the the organization organization adopt adopt to to 3/18/2025 9

ESTABLISHING THE CONTEXT Compliance Compliance risk risk management management can operating operating context context in in which which the can only tax administration administration takes only be be discerned discerned within takes place within the place. . the the tax Establishing Establishing the compliance compliance risk the context context sets risk mitigation mitigation strategies sets the strategies can the boundaries boundaries within can occur occur. . within which which The The context context needs changes changes that that might needs to to be might consequentially consequentially affect be continually continually monitored monitored in in an affect compliance compliance risks an effort effort to to detect risks. . detect 3/18/2025 10

ESTABLISHING THE CONTEXT In In practice, practice, many many factors factors may management management. . For For example example: : Limited Limited financial financial resources resources that to to deal deal with with major major compliance compliance risks may directly directly bear bear on on compliance compliance risk risk that may risks identified identified; ; may substantially substantially affect affect capacity capacity Weaknesses Weaknesses or or shortages seriously seriously impede impede ability risks risks; ; etc etc. . shortages in in staff ability to to deal staff skills deal with with certain skills and certain major and capacities capacities that major compliance that may compliance may 3/18/2025 11

ESTABLISHING THE CONTEXT Key Key factors factors in in the the operating operating context Objectives, Objectives, strategies, strategies, policies, Cultural Cultural and and socio socio- -economic economic factors Laws Laws and and regulations regulations; ; Health Health of of the the economy economy; ; Advances Advances in in information information technology Relationships, Relationships, perceptions perceptions and Public Public opinion opinion and and perceptions perceptions; ; Organizational Organizational capabilities, capabilities, resources Political Political system, system, structure structure and context may policies, processes processes and factors; ; may include, include, (not and procedures (not exhaustive) exhaustive): : procedures; ; technology and and expectations expectations of of stakeholders and globalization globalization; ; stakeholders; ; resources and and stability stability of of institutions and technologies technologies; ; and institutions; ; etc and etc. . 3/18/2025 12

RISK IDENTIFICATION Risk Risk identification identification is is the potential potential events events and and vulnerabilities the systematic systematic recognition vulnerabilities that recognition and that pose pose threats and description description of of threats to to objectives objectives. . Risk Risk identification identification can economic economic analysis analysis or or bottom identification identification. . can be bottom- -up be a a top top- -down down techniques, techniques, such up processes processes such such as as macro case- -based based risk macro- - such as as case risk Appropriate Appropriate client thorough thorough identification identification of of risks client segmentation segmentation is is fundamental risks. . fundamental to to achieving achieving a a 3/18/2025 13

RISK IDENTIFICATION Risk Risk identification identification begins begins be difference difference between between the compliance compliance level level. . be determining determining the the potential potential compliance the compliance compliance gap compliance level level and gap the the actual actual the and the The The aim revenue revenue authority authority must minimizing minimizing the the possibility depth depth analysis analysis. . aim of of risk risk identification identification is is to to identify must confront confront as as comprehensively possibility of of oversight oversight and identify the comprehensively as as possible, and facilitating facilitating subsequent the specific specific risks risks that possible, subsequent in in- - that a a 3/18/2025 14

RISK IDENTIFICATION Risks Risks identification identification at at the carefully carefully managed managed interventions, level level can can be be dealt dealt with with as as day the strategic strategic level interventions, whilst day- -to to- -day level requires requires extensive whilst those those at at the day business business. . extensive and the operational operational and Consideration Consideration of of existing appropriate appropriate place place at at which existing tax which to to begin tax legislations legislations often begin identification identification of of strategic often represents represents the the most most risks. . strategic risks This This needs needs to to be treatment treatment strategies be supported supported by strategies and and quantification by evidence evidence- -based quantification of of revenue based policymaking, policymaking, revenue at at risk risk. . 3/18/2025 15

RISK IDENTIFICATION Most Most tax tax laws laws throughout throughout the nature nature and and tend tend to to cover the world world are all possible possible consequences consequences. . are of of a a highly highly prescriptive prescriptive cover all Unfortunately, Unfortunately, it it is is rare that that might might arise arise based rare to to be based on be able able to to conceive on the the application application of of the conceive all all possible possible situations the law law. . situations It It is is therefore therefore almost and and entirely entirely unambiguous unambiguous. . almost impossible impossible to to create create a a law law that that is is both both clear clear 3/18/2025 16

RISK IDENTIFICATION This This ambiguity ambiguity provides provides scope to to operate operate in in those those grey for non non- -compliance compliance as as taxpayers grey areas the law law. . scope for areas of of the taxpayers seek seek There There will the the gaps gaps in in the will always always be the law be taxpayers taxpayers determined law in in their their efforts efforts to to gain determined to to identify gain personal personal advantage identify and advantage. . and exploit exploit In In addition, addition, prescriptive flexibility flexibility to to keep community community. . prescriptive legislation keep pace pace with legislation tends with developments developments in in the tends not not to to allow allow sufficient sufficient the business business 3/18/2025 17

RISK IDENTIFICATION Risk Risk identification identification often untreated, untreated, could could pose sustainability sustainability of of revenue revenue collection often entails pose a a risk collection. . entails identifying identifying matters risk to to the the long matters that, long- -term term viability that, if if left viability and left and At At the individual individual cases clients clients who who collectively revenue revenue authority authority is is proposing the case case- -based based or or operational cases or or taxpayers taxpayers that collectively make proposing to to address operational level, that represent make up up the the strategic address. . level, the represent specific strategic level the aim specific examples level risks risks that aim is is to to identify examples of of identify that the the 3/18/2025 18

RISK IDENTIFICATION In In case case- -based based or or operational operational systems, taxpayer taxpayer and and account account transactions objective objective measure measure that posed posed by by that that taxpayer taxpayer relative systems, the transactions are that reflects reflects the relative to to other the characteristics characteristics of of selected are examined examined to to produce the comparative comparative level level of of risk other taxpayers taxpayers. . selected produce an risk that that is is an Some Some case estimate estimate the case- -based based systems the amount amount of of tax systems identify tax revenue identify the revenue that the type type of of risk that is is at at risk risk involved involved and risk. . and may may However, However, on determining determining a a compliance on its its own, own, the compliance risk the value value of of a a single risk is is somewhat somewhat questionable single piece questionable. . piece of of data data in in 3/18/2025 19

RISK IDENTIFICATION Most Most commonly, commonly, it it is is analyzed taxpayer taxpayer. . analyzed from from the the perspective perspective of of the the individual individual However, However, it it can grouping, grouping, or or from perspective perspective. . can also from a a socio also be be analyzed analyzed from socio- -economic from the economic or or even the perspective perspective of of an even psychological an industry industry psychological Many Many revenue revenue authorities groups groups with with similar these these segment segment levels authorities tend similar characteristics characteristics and levels. . tend to to segment segment taxpayer and identify taxpayer population population into identify compliance compliance risks into risks at at 3/18/2025 20

RISK IDENTIFICATION Individual social/psychological behavior profile including client relationship management information Intelligence gathering tolls local knowledge and business intelligence Rated using future probability of noncompliance Compliance context strategic intelligence from environmental scans and scenarios Senior executive considerations Risk impact measured using reputation, costs of compliance and revenue Behavior based on industry, social/psychological profiles Business intelligence categorization and synthesis Monitoring risk populations Feedbacks from audit programs Knowledge based on rules Moderator/analyst capability Intelligence Integrated databases centralized case selection process Taxpayers profiles of tax obligations Success criteria e.g. previous audit results, risk indicators/ratios, etc Public information e.g. utilities, law enforcement agencies Rated using weighted attributes Whole of tax population profiles including views by segments Tax issue profiles Third party information used Technology tools enabling data matching Resources allocated by risk Trend analysis Confidence ranges/reliability indicators attached to risk ratings Macro-economic information, economic time series Effective average tax rates Multiple taxes profile Corporate risk culture Knowledge Information Data Single case by case selection using tax return data Processing checks e.g. high risk refunds or credits Paper-based selection methods Industry tax profiles Technology tools enabling case selection based on tax data e.g. data warehouse Comprehensive risk coverage including register, file, report, payment, etc. Deviations from populations norms Data mining Automated exception cases Macro level statistical analysis Neural networks Transaction/Case Aggregated Strategic Focus 3/18/2025 21

RISK IDENTIFICATION In In order order to to ensure ensure that strategic strategic risk risk identification identification needs case case- -based based risks risks are are identified that the the most most significant significant risks needs to to occur identified. . risks are before operational operational or or are addressed, addressed, the the occur before Just Just as as environmental environmental scanning strategic strategic risks risks can can be risks risks represents represents the the context risk risk identification identification occurs scanning sets be effectively effectively identified, context within within which occurs. . sets the identified, identification identification of of strategic which operational operational or or case the context context within within which strategic case- -based which based 3/18/2025 22

RISK IDENTIFICATION Strategic Strategic risk risk identification identification done accumulation accumulation of of data intelligence intelligence and and knowledge knowledge. . done through through the that is is progressively progressively transformed the continuous continuous transformed into data that into This This data operational operational risk ensure ensure continuous continuous improvement data accumulation accumulation can risk treatments treatments. . Analysis improvement in in the can often often occur, Analysis of of anomalies the risk occur, in in part, anomalies is is a a useful risk identification identification process part, because because of of past useful way process. . past way to to 3/18/2025 23

RISK IDENTIFICATION Finally, Finally, good good channels channels of of communication and and frontline frontline compliance compliance staff and and identification identification of of risks risks. . communication between staff are are necessary necessary to to ensure between risk risk strategists strategists ensure validation validation This This two identification identification strategy two- -way way feedback feedback process strategy. . process will will enhance enhance the the overall overall risk risk 3/18/2025 24

RISK ANALYSIS Risk Risk analysis analysis is is the information information to to discover the systematic systematic examination discover patterns patterns and examination of of detailed and common common characteristics characteristics. . detailed taxpayers taxpayers The The number number and that that the the risk are are analyzed analyzed and and category category of of risks risk materializes materializes and and grouped grouped according risks and potential consequence consequence on according to to similar similar characteristics and risky risky taxpayers, taxpayers, likelihood on tax characteristics . . likelihood tax revenue revenue and potential 3/18/2025 25

RISK ANALYSIS Finding Finding out out what what is is occurring analysis analysis should should include non non- -compliant compliant behavior occurring and include the the why behavior in in the and who why question question: : what the specific specific areas who is is doing doing it it is is not what is is the areas. . not enough enough. . Risk the reason reason for Risk for This This is is important important because choice choice of of the the most because it it contributes contributes to to the most efficient efficient and and effective the assessment assessment and treatment strategies strategies. . and the the effective treatment For For example, example, if if the specific specific part part of of the be be education education. . the reason reason for the tax tax legislation, legislation, a a possible for non non- -compliance compliance is is the possible treatment the complexity complexity of of a a treatment strategy strategy can can 3/18/2025 26

RISK ANALYSIS Risk analysis is done on the bases of data gathered from different Risk analysis is done on the bases of data gathered from different sources: sources: Economic and tax data, for example, ratio's about the economic Economic and tax data, for example, ratio's about the economic growth, average wages; growth, average wages; Data supplied by taxpayers, for example, tax return(s); Data supplied by taxpayers, for example, tax return(s); Tax data acquired by administrations, for example, the date of Tax data acquired by administrations, for example, the date of last compliance activity, number of returns filed late; last compliance activity, number of returns filed late; 3/18/2025 27

RISK ANALYSIS Data Data supplied supplied by Information Information from Information Information available by a a third third party, from law law enforcement enforcement agencies available on on the the Internet party, for for example, example, a a bank agencies; ; and Internet. . bank statement statement; ; and During During the essential essential components components and the analysis, analysis, the the risks and features features. . risks are are examined examined in in order order to to discover discover Risk Risk analysis analysis is is performed data, data, human human knowledge knowledge and performed by by logically logically manipulating manipulating and and intelligence intelligence. . and matching matching 3/18/2025 28

RISK ANALYSIS Data Data put put together together results Knowledge Knowledge is is a a deeper results in in information information that deeper understanding understanding of of this that gives information. . gives meaning meaning. . this information It It is is like together together with understanding understanding of of the like a a big big jigsaw jigsaw puzzle with the the picture, the meaning meaning of of the puzzle. . The picture, information information arises the picture, picture, knowledge The data data are are the the pieces pieces. . When arises. . With knowledge is is born When put With the born. . put the Data Data on compared compared or or related matching matching. . on their their own own have related with have no no value value . . They with others, others, often They get often referred get their their value referred to to as as data value by by being being data 3/18/2025 29

RISK ANALYSIS In In risk risk analysis, analysis, specific techniques techniques such such as as data knowledge knowledge on on EDP specific knowledge knowledge is is necessary data mining mining and EDP. . necessary and and data data warehousing warehousing acquire and the the use acquire use of of Development Development in in automation wide wide open open. . automation means means that that possibilities possibilities in in this this area area is is 3/18/2025 30

RISK ANALYSIS Risk Risk can can also also be where where frontline frontline personnel a a taxpayer taxpayer. . be analyzed analyzed at at the personnel examine the operational, operational, case examine detailed detailed documents case by by case case level and data data of of level documents and Traditionally, Traditionally, when authorities authorities has is is identified identified and when looking looking at at registration has been been to to ensure ensure that and registered registered at at the registration risk, that anyone anyone making the appropriate appropriate time risk, the making taxable time. . the aim taxable supplies aim of of revenue revenue supplies 3/18/2025 31

RISK ANALYSIS It It is is imperative imperative that has has a a lawful lawful reason reason to to become that checks checks are become registered are made made to to ensure registered. . ensure that that the the applicant applicant As As part part of of the compare compare a a new Other registrations at the same postal code; Other registrations at the same postal code; Known addresses; Known addresses; Mobile phone; Mobile phone; the registration registration process, new applicant applicant with process, a a revenue with such such items revenue authority authority may items as as: : may wish wish to to 3/18/2025 32

RISK ANALYSIS Bank accounts; Bank accounts; Suspect databases; Suspect databases; Credit reference agencies; Credit reference agencies; Other government department data, etc. Other government department data, etc. Early Early contact contact with considered considered in in an with a a taxpayer taxpayer to to establish an attempt attempt to to thwart thwart fraud establish that fraud. . that he he exists exists can can be be 3/18/2025 33

RISK ANALYSIS Notwithstanding Notwithstanding this, even even before before a a taxpayer this, there there are taxpayer becomes are strategies strategies for becomes registered registered. . for treating treating potential potential risks risks These These will education education. . A A prevention will include include the prevention rather the provision provision of of clear rather than clear and cure approach approach. . and helpful helpful advice advice and and than cure Except Except for declaration declaration risks, possibility possibility of of a a risk for advice advice and risks, intervention intervention can risk materializes materializes and and education education regarding regarding filing, can only only take and that that is is after filing, payment payment and take place place when after registration registration. . and the when the 3/18/2025 34

RISK ANALYSIS There There are are several several opportunities a a taxpayer taxpayer are are received, received, it it is is possible based based checks checks: : opportunities for for risk possible to to carry risk analysis analysis. . When carry out When returns returns from out a a number number of of rule from rule The The inter checked checked to to test declared declared; ; inter- -relationship relationship of of different test both both accuracy different figures accuracy and figures on and the the credibility credibility of of the on the the return return can can be the tax be tax The The return submitted submitted by return received received can by that that taxpayer be compared compared with taxpayer to to highlight highlight apparent can be with previous previous returns apparent inconsistencies inconsistencies; ; returns 3/18/2025 35

RISK ANALYSIS Comparisons Comparisons can similar similar profile profile (size, Comparisons Comparisons with can be (size, type with industry, industry, norms be made made with type of of trade, with other trade, mark mark up, norms and and standards other taxpayers taxpayers who up, etc etc. .) ); ; and, standards. . who have and, have a a These These checks being being claimed claimed. . checks are are particularly particularly useful useful when when a a tax tax refund refund or or credit credit is is The The results results of of any of of action action needed any check check will needed to to address will inform inform the address the the perceived the decision decision process perceived risk risk. . process on on the the type type 3/18/2025 36

RISK ANALYSIS Sometimes Sometimes the the sources the the analysis analysis has has to to be are are obtained obtained. . sources for be carried carried out for analysis analysis are out as as soon are not soon as as possible not structured structured. . In In that possible after that case, case, after the the data data In In the the end, from from the The The characteristics characteristics of of the The The reasons reasons for The The likelihood likelihood or or frequency end, risk the following following areas risk analysis analysis results areas: : results in in the the knowledge knowledge about about one one or or more more the taxpayers taxpayers involved for taxpayer taxpayer behavior behavior; ; frequency of of the involved; ; the risk risk; ; 3/18/2025 37

RISK ANALYSIS The The indicators/ indicators/ selection The The consequences consequences; ; The The trend, trend, i i. .e e. . is is the Possible Possible treatment treatment strategies Cost Cost of of treatment treatment. . selection rules rules and and parameters parameters; ; the risk strategies; ; and risk becoming becoming more and more or or less less severe severe; ; 3/18/2025 38

RISK EVALUATION Risk Risk evaluation evaluation is is a a process consequences consequences and and severity process of of carefully severity of of risks risks identified carefully assessing identified and assessing the and analyzed analyzed. . the likelihood, likelihood, The The central central goal evidence evidence- -based available available resources resources. . goal of of risk based decisions decisions about risk evaluation evaluation is is to to facilitate about risk risk treatment facilitate informed treatment strategies informed and strategies and and and 3/18/2025 39

RISK EVALUATION Likelihood Measure Illustrative definitions to help determine the likelihood rating Risk Rating Likelihood measures Subjective definitions May occur only in exceptional circumstances Could occur at some time Objective definitions Likely to occur once in 25-50 years 1 Rare Likely to occur once in 10-24 years 2 Unlikely Moderately likely Might occur at some time Likely to occur once in the next 3 years Likely to occur more than once in the risk three years Likely to occur this year or at frequent intervals 3 Will probably occur in most circumstances Is expected to occur in most circumstances 4 Likely 5 Almost Certain 3/18/2025 40

RISK EVALUATION Consequent Measure Consequence Rating Risk criteria 1 2 3 4 5 Low Medium High Very high Extreme Variation of.. Between $50m and $250m Between $250m and $500m Between $501m and $1b More than $1b Less than $50m Revenue risks 3/18/2025 41

RISK PRIORITIZATION Risk Risk prioritization prioritization is is the consequences consequences and and prioritizing resources resources. . the ranking ranking of of risks prioritizing risks risks in in terms risks to to be be treated terms of of likelihood likelihood and treated subject subject to to available and available In In practice, practice, the likelihood likelihood assessments assessments to to be determine determine a a relative relative rating the prioritization prioritization requires be brought rating of of the requires the brought together the risks risks. . the consequences consequences and together in in an an attempt and attempt to to 3/18/2025 42

RISK PRIORITIZATION MATRIX Extreme High High Severe Severe Severe Consequence Very High High High High Severe Severe High Significant High High Severe Severe Medium Moderate Significant High High Severe Low Low Moderate Significant High High Rare Unlikely Possible Likelihood Likely Almost certain 3/18/2025 43

RISK PRIORITIZATION It It might might be be tempting tempting to to think according according to to a a carefully carefully constructed the the risk risk management management process think that constructed risk process. . that classification classification of of identified risk rating rating matrix identified risks matrix is is the the end risks end of of However, However, such cannot cannot be be reduced such confidence confidence would reduced to to an an objective, would be objective, mathematical mathematical science be premature premature: : risk risk prioritization prioritization science. . The The initial consideration consideration of of other initial rating rating must other relevant, must be relevant, perhaps be revisited revisited and perhaps contextual and confirmed confirmed following contextual issues issues. . following 3/18/2025 44

RISK PRIORITIZATION In In addition, addition, compliance compliance risk any any one one step step in in the the process risk management management is is an process is is influenced influenced by an iterative iterative process by other other steps steps. . process and and The The context context of of the changes changes in in risks the organization organization continually risks. . Some Some risks risks will continually changes will reduce reduce and and new changes. . This new risks risks will This will will emerge emerge. . will lead lead to to 3/18/2025 45

RISK TREATMENT Risk Risk treatment treatment refers organization organization to to mitigate of of risks risks. . refers to to actions mitigate the the potential actions and potential likelihood and strategies strategies taken likelihood and taken by and consequences consequences by the the There There are Risk avoidance (mitigation) strategy means that the organization Risk avoidance (mitigation) strategy means that the organization does not undertake the activity or make the decision which poses does not undertake the activity or make the decision which poses the risk; the risk; are generally generally four four risk risk treatment treatment strategies strategies: : 3/18/2025 46

RISK TREATMENT Risk Risk transfer transfer (sharing) risks risks is is transferred transferred to to a a third (sharing) strategy strategy means third party party; ; means that that the the activity activity that that poses poses Risk Risk acceptance acceptance (retention) undertakes undertakes the the activity and and Risk Risk covering covering (reduction) takes takes steps steps to to reduce risk risk. . (retention) strategy activity which which poses strategy means poses risk means that risk by by informed informed decisions that the the organization organization decisions; ; (reduction) strategy reduce the the likelihood strategy means likelihood or or consequences consequences of of specific means that that the the organization organization specific 3/18/2025 47

RISK TREATMENT Decisions Decisions about about which potentially potentially be be determined Internal Internal capability capability; ; Is Is there there an an effective effective treatment Is Is there there an an effective effective capability Risk Risk rating rating and and risk The The rate rate of of risk risk infection which risks determined by risks to to treat by: : treat and and which which to to monitor monitor will will treatment; ; capability to to implement risk level level; ; infection or or risk risk rating implement the the treatment treatment; ; rating deterioration deterioration; ; 3/18/2025 48

RISK TREATMENT The current return of treatment (recover revenue this year); The current return of treatment (recover revenue this year); The ongoing return of treatment (recover revenue in every year The ongoing return of treatment (recover revenue in every year into the future); into the future); Public perceptions of administration around the risk; Public perceptions of administration around the risk; The cost and benefits of proposed treatments; and The cost and benefits of proposed treatments; and The wider context of the risks as a group. The wider context of the risks as a group. 3/18/2025 49

RISK TREATMENT Some good principles of proactive risk treatment strategies: Some good principles of proactive risk treatment strategies: Build confidence; Build confidence; Act with fairness and integrity; Act with fairness and integrity; Deal with taxpayers and issues directly, respectfully and Deal with taxpayers and issues directly, respectfully and failry Pursue a flexible and customized approach; Pursue a flexible and customized approach; Make taxpayers obligations clear; Make taxpayers obligations clear; Make it easy to comply; Make it easy to comply; Exercise sanctions when appropriate; Exercise sanctions when appropriate; Make power, authority, responsibility and activity visible; Make power, authority, responsibility and activity visible; Provide incentives; Provide incentives; failry; ; 3/18/2025 50