Improving Tax Compliance:

In every organization, employees at all levels manage risk daily. Employees weigh available options and assess relative risks before choosing a course of action. Every action, big or small, has an element of risk. Organizations use internal rules, guidelines, and procedures to reduce risks by providing employees with guidance on how they should approach routine day-to-day tasks. Procedures also build the confidence of stakeholders (management, shareholders, and regulators) in knowing that employees will treat customers consistently and perform their roles in ways that strengthen customer relationships and add value to the organization (opportunities) while limiting exposure to potential adverse outcomes (threats). Maximizing opportunities and minimizing threats is at the core of risk management. Strategic decisions, such as choices about business direction and dealing with reputational challenges, are likely to involve more risks to the organization’s standing and, in some cases, even to its survival. Failure to recognize and respond to shifts in the environment, including customer attitudes and preferences, or poor handling of events such as server outages or a leak of sensitive information, may lead to a major erosion of the organization’s standing and credibility. Thus, organizations often invest heavily in managing these strategic risks. Organizations recognize that risk is an inherent part of doing business and cannot be entirely avoided. But processes can be implemented to systematically identify risks, minimize the chances (through preventative actions) that these risks will eventuate, and reduce the adverse impact when risks do materialize (through preparation of recovery plans).


Introduction
In every organization, employees at all levels manage risk daily. Employees weigh available options and assess relative risks before choosing a course of action. Every action, big or small, has an element of risk. Organizations use internal rules, guidelines, and procedures to reduce risks by providing employees with guidance on how they should approach routine day-to-day tasks.
Procedures also build the confidence of stakeholders (management, shareholders, and regulators) in knowing that employees will treat customers consistently and perform their roles in ways that strengthen customer relationships and add value to the organization (opportunities) while limiting exposure to potential adverse outcomes (threats). Maximizing opportunities and minimizing threats is at the core of risk management.
Strategic decisions, such as choices about business direction and dealing with reputational challenges, are likely to involve more risks to the organization's standing and, in some cases, even to its survival. Failure to recognize and respond to shifts in the environment, including customer attitudes and preferences, or poor handling of events such as server outages or a leak of sensitive information, may lead to a major erosion of the organization's standing and credibility. Thus, organizations often invest heavily in managing these strategic risks.
Organizations recognize that risk is an inherent part of doing business and cannot be entirely avoided. But processes can be implemented to systematically identify risks, minimize the chances (through preventative actions) that these risks will eventuate, and reduce the adverse impact when risks do materialize (through preparation of recovery plans). 1 Annette Chooi works as a consultant on tax administration and policy, working for ADB and other international bodies. She has also worked as a senior executive with the Australian Taxation Office. This governance brief is intended for use by revenue bodies seeking to implement or strengthen their current compliance risk management framework. It discusses an overall methodology which is widely used internationally and provides examples of various elements of the framework in operation. It also discusses ways to strengthen enabling capabilities and implement supporting organizational structures. The governance brief was sponsored by the Asian Development Bank's Domestic Resource Mobilization Trust Fund with a contribution from the Government of Japan.

Enterprise Risk Management
Good risk management can improve performance and protect organizational reputation. Neglecting risk management can lead to underperformance and potentially a breakdown of confidence in the organization-or worse, organizational failure. Risk management should be viewed as a core activity, integrated into the organization's approaches on all aspects of its operations, at both the strategic and operational levels. In fact, it is a core part of business operations, not simply a support or backroom function that can be delegated to a single area.
Revenue bodies, like other organizations, are unlikely to be resourced to such an extent that all demands can be fully satisfied and all risks faced can be fully addressed. Choices must be made about what work will be done and how it will be done. Similarly, choices are made about which risks will be mitigated and to what extent, and which risks will be tolerated. A systematic risk management approach helps revenue bodies to make wellinformed and defensible choices about how risks are managed and how resources are used. In doing so, organizations are better placed to explain their choices to various stakeholders.
Adopting a systematic and consistent risk management framework enables organizations to ensure that their processes are consistent and repeatable across all areas of their operations. Many organizations across the world take guidance about risk management approaches from the Guideline on Risk Management of the International Organization for Standardization (ISO), which provides (i) a reliable and tested framework, (ii) a common agreed terminology, and (iii) a comprehensive implementation process. 2 Figure 1 outlines the risk management process detailed in this standard.

✓ Risk is an inherent part of business.
✓ Managing enterprise risks is a core business function and a part of everyone's role.
✓ For revenue bodies, managing taxpayer compliance risks sustains delivery of core business outcomes.
2 ISO. 2018. Risk Management-Guidelines (ISO Standard No. 31000:2018. This is a generic risk management standard developed by ISO Technical Committee 262, Risk Management. The approach outlined is often referred to as Enterprise Risk Management (ERM). ERM is intended to be used top-down in considering organizational-wide issues as well as by various areas of the organization. The advantage of a common approach, as outlined in this standard, is that it provides a consistent and repeatable process for each area to follow.
Each organization must decide at a senior management level, and with regard to the nature of their operations, what level of risk can be tolerated (risk appetite) in various areas of their activities. The extent to which risks need to be mitigated is guided both by the assessed severity of the risk, based on considerations of both likelihood and consequences, and by an understanding of risk appetite.
Although they may manifest themselves differently, many enterprise risks are similar across public and private sector organizations, regardless of the nature of the business. Examples of enterprise risks include: • interruptions and/or failure of information technology systems; • data breaches; • financial mismanagement, including fraud and corruption; • human resource gaps, including insufficient or inadequately qualified staff and risks to staff wellbeing, health, and safety; • infrastructure vulnerabilities, such as power failures, fires, and data loss; and • failure to achieve core organizational business outcomes (for revenue bodies, this is known as compliance risk).
The following sections focus on approaches adopted by revenue bodies in managing risks to achieve core business outcomes.

Compliance Risk Management
At the highest level, the core business of a revenue body is to collect revenue properly payable under the law. Most revenue bodies seek to do this in ways that are consistent with their strategic goals, which commonly include building community confidence in the tax system and promoting high levels of voluntary compliance. Risks which may undermine the achievement of these goals are often referred to as taxpayer compliance risks.
Although revenue bodies may strive to achieve 100% compliance with tax laws, this is clearly an unattainable goal. It is unlikely that citizens or governments would tolerate the level of intrusion required to achieve this outcome, and the costs of doing so would be prohibitive. Even if stakeholders were to accept the costs and level of intrusion, it would in all likelihood be an elusive goal. Imperfections in administration and policy as well as a constantly changing compliance landscape will always leave room for some revenue leakage to arise. Although taxpayer compliance risks cannot be addressed in their entirety, it is possible to manage these risks to acceptable levels in line with the organization's risk appetite and using a costbenefits approach.
Like many specialized organizations, revenue bodies recognize that managing taxpayer compliance risks is best supported by processes which are designed for this purpose. Responding to this need, the Organisation for Economic Cooperation and Development (OECD) and the European Union have published guidance notes on managing and improving taxpayer compliance, which outline systematic processes for managing compliance risks and maximizing taxpayers' voluntary compliance. 3 The OECD model detailed in Figure 2 sets out a series of steps for the identification, assessment, and prioritization of systemic compliance risks, and for the development of a range of treatments, which are informed by an understanding of the risk itself and the range of behaviors observed.
The Compliance Risk Management (CRM) framework is a systemic approach to managing taxpayer compliance, advocating that risk treatments should vary according to risk severity and nature of the underlying behaviors, and should be designed to influence both current and future behaviors. CRM is not simply about audit or audit case selection, but rather it is a comprehensive end-to-end approach to managing systemic tax compliance risks. Risk-based case selection and the application of interventions to treat case-level risks are just one (but important) element of a compliance improvement strategy.
The following sections describe each of these steps in more detail and an illustration of how the ✓ Compliance risk management (CRM) is a specialist activity requiring specialized techniques.
✓ CRM provides a comprehensive approach to managing systemic risks.
framework may be used to develop a compliance improvement strategy to address a specific risk is detailed in Appendix 1. The example used is the risk that employers do not fully meet their employment responsibilities, such as withholding Pay As You Earn and reporting obligations.

Operating Context
Operating context describes the underlying compliance environment and is influenced by internal and external factors such as technology, resources and skills, legislative framework within which the revenue body operates, organizational goals and strategies, and community attitudes toward tax compliance ( Figure 3). Understanding the context within which CRM operates supports the design and implementation of more realistic and effective approaches to improving taxpayer compliance.
Operating context is not static and continuous monitoring is required to support proactive responses to emerging issues that may impact a revenue body's CRM. Such changes may include the emergence of new, potentially disruptive business models (i.e., the trend away from bricks-and-mortar business and emergence of cryptocurrencies), new business sectors (such as peer-to-peer businesses and platforms), and changing behaviors (such as tax planning schemes and methods of profit shifting).
Ongoing monitoring of changes in operating context is a challenge which many revenue bodies address through establishing an environmental scanning and research program, often within a dedicated CRM unit. In addition to providing a research capability, the CRM unit may also be responsible for strengthening data management and analytics capabilities to support effective CRM. Effective use of data supports faster, fairer, and more defensible decisions, and the delivery of better taxpayer services. The use of emerging techniques such as predictive modeling and social network analysis also supports better policy development where noncompliance is greater. It can also help to understand the impact of the actions taken on longer-term trends in the tax gap.
When tax gap analysis is conducted at a more granular level (such as for business segments, tax types, or industry sectors), the results may provide pointers to particular areas of higher revenue leakage, and may help to identify whether leakage arises from policy or compliance factors, or both. This deeper understanding of the way in which the tax gap is composed helps revenue bodies and policy makers better target administrative and policy improvements. Publishing tax gap analysis may also help to shape community opinions and provide opportunities to influence compliance behaviors. The approach adopted in Australia to segmenting the tax gap is similar to that used in some other developed countries and is illustrated in Appendix 3.

Identifying, Analyzing, and Prioritizing Risks
CRM is a structured, fact-based approach and, as such, it is data-centric. Good data from a variety of internal and external sources, and a strong research, data management, and analytics capability, are the backbone of effective CRM. Identifying, assessing, and prioritizing category-level risks 5 can only be fully effective if reliable data is available, and the revenue body has the right tools and skills to use the data effectively ( Figure 4).
Revenue bodies may become discouraged because of a lack of usable data and strong data analytics capability, and this may lead to inaction. While focusing on building longer-term capability is important, often the best way to gain support and systemic approaches to prevention and early detection of noncompliance.
Modern revenue bodies rely heavily on their data analytics and research capabilities to provide better services, more effective supervision, and sound policy advice to government. Data is at the heart of effective CRM. Without a good set of core data, CRM will be less effective. But even the best data sets are of little use without the ability to utilize the data to build knowledge and actionable insights. Appendix 2 provides additional information on the key features of an effective research, data, and analytics capability, and outlines a process for developing a business improvement plan to strengthen data management.
For some revenue bodies, tax gap research is an important feature of the research program. The tax gap, sometimes referred to as the compliance gap, is the difference between the estimated amount of tax properly payable under the laws and the actual amount of tax collected. 4 Legislative design and administrative design inefficiencies influence the tax gap to varying degrees for all taxes, and both may distort taxpayer behaviors, such as exploitation of design weaknesses or because of complexity or high compliance costs.
Research to assess the extent and nature of the tax gap can help in understanding the impact of policy and administration on revenue leakage and support the framing of better and more targeted responses. Tax gap research helps to explain the nature and drivers of behavior, and to pinpoint areas where noncompliance is higher. This understanding can help to guide responses to improve compliance and to target activities in areas ✓ Responsive CRM is supported by ongoing environmental scanning and research.
✓ Effective use of data supports the processes on CRM and underpins good tax administration.
✓ Modern revenue bodies are supported by a modern research, data and analytics framework. 4 In some publications, the term tax gap is used to describe both tax policy gap and tax compliance gap. 5 The term category-or system-level risk is used to distinguish systemic risks from taxpayer level risks and to distinguish CRM from audit case selection.  can be used together to scan the landscape and identify risks requiring further analysis. Figure 5 also provides guidance on organizational structural features to support CRM. These features are discussed further later in this governance brief. Once these category-level risks are identified, they must be evaluated in order to determine which will be acted on, the extent to which they will be acted on, and those which will be tolerated. Each risk is analyzed in-depth in order to assess the magnitude of the risk if left untreated. This assessment is based on a calculation of the likelihood (or probability) of the risk eventuating, its potential consequences should it eventuate, and the adequacy of any existing treatments (if any). This will then inform choices about which risks will be treated and the extent to which those risks that are treated will be resourced.
Using the top-down and bottom-up processes, compliance issues are initially framed at a high level, describing general behaviors, which, if occurring, are likely to lead to revenue loss and/or damage to community confidence in the integrity of the tax system. These behaviors are then analyzed and described at a category level as a cluster of risks requiring treatment. Evidence about the magnitude of the risks (likelihood and consequence) is gathered and used to prioritize category-level risks and to determine resources to be assigned to risk treatment. An aim of categorylevel risk analysis and prioritization is to narrow the focus down to a smaller number of priority areas for comprehensive action. Compliance improvement strategies and operational plans are then developed based on analysis of compliance behaviors (which shapes the treatment strategies).
for policy reforms and increased funding that may be needed to build this capability is to try to make the best use of what is available to demonstrate the value of the approach. Decision makers understandably need to be convinced of the value of data and analytics if they are to approve law reforms and further funding. Getting started is the most important step toward building the required support.
In identifying, analyzing, and prioritizing risks, basic top-down analysis can be undertaken, using existing internal primary data sets, with free or low-cost IT products, For example, tools such as Microsoft Excel and Microsoft Access, and open source query tools are relatively cheap and may be deployed to assist in the analysis of the existing data sets. A small number of staff may require training in the use of these tools, and free or low-cost online tutorials are often available.
Field staff observations and experience can also be used to enrich the picture. This bottom-up analysis may involve frontline teams and regional offices through, for example, the use of structured analysis of field activities, including requests for assistance; commonly observed errors; sectors or business segments where registration and filing compliance is low; audit results and reasons for adjustments; and use other field observations to identify areas for closer attention. Other stakeholders, such as industry and business associations and accounting bodies, may also add a valuable risk perspective.
The aim of compliance risk identification is to comprehensively identify, to the extent possible, the full range of systemic (category-level) compliance risks that a revenue body faces. As depicted in Figure 5, both top-down and bottom-up processes ✓ The best way to improve CRM is to get started.
✓ Make the best use of what is available now, while building the capability for the future.  -Industry -Size of taxpayer (large, medium, small) -Type of tax At its simplest level, the factors influencing voluntary compliance can be summarized under two broad categories: (i) those designed to promote perceptions of trust and fairness in the tax administration and the tax system; and (ii) those designed to increase the perception of the probability and costs of detection, including the severity of sanctions. There is a considerable body of research and much empirical evidence to support the links between trust and perceptions of fairness and voluntary compliance levels. Although some studies report correlations between improvements in voluntary compliance and perceptions of probability of detection, the evidence for a link between the severity of penalties and improved voluntary compliance is not as well-documented in the research. 6 Much of the historical research in this field has focused largely on identifying factors that may help to bring about broad behavioral shifts across the whole taxpayer community or within major segments of taxpayers. The main focus has been on understanding and finding ways to influence attitudes toward compliance and the associated behavioral factors (as outlined in Figure 7). Although these approaches remain relevant, and continued research at this level is important, increasingly, revenue bodies are also seeking out new approaches. On their own or in partnership with academic institutions, revenue bodies are conducting detailed research to help identify more specific and affordable approaches designed to generate positive shifts in compliance at the small group and even the individual taxpayer levels. This Compliance risks and taxpayer behaviors are varied, and risks manifest differently across various taxpayer subpopulations. Some risks will be unique to a particular business segment, industry sector, or revenue type, while others will cut across segments, sectors, or revenue types. For these reasons different approaches to risk management will be indicated depending on the nature of the taxpayers and the behaviors involved.
It is widely recognized that to achieve high levels of compliance with tax laws, revenue bodies must focus on adopting approaches designed to improve taxpayers' voluntary compliance ( Figure 6). To be successful in achieving this goal, revenue bodies need to understand the links between the way in which they administer the tax system and the way that taxpayers approach their compliance obligations. In determining treatment strategies, the goal is not just to correct incidences of noncompliance. The strategy must also contribute to longer-term behavioral shifts desired.
Typically, a revenue body would seek to reserve the most intensive compliance treatments (such as investigation, prosecution, and comprehensive audit) for use in the most serious cases (based on the seriousness of the behavior and the amount of revenue at risk). Treatments should be proportionate in order to build community confidence in the fairness of the tax system and trust in the tax administration. Many revenue bodies use a compliance model, an example of which is shown in Figure 7, in conjunction with a risk differentiation approach, to guide decisions about the appropriate treatments to be applied. The effectiveness of different interventions depends heavily on the context and setting in which they occur. What works for one revenue body may not work for another. Local customs, institutional preference, and even the timing of the interventions may negatively or positively affect findings. As a result, it is recommended that any intervention under consideration by a revenue body be carefully tested within the jurisdiction, against control groups, for efficacy before being deployed more broadly.
Maintaining and improving voluntary compliance is the main goal, although the detailed approaches may vary. At a high level, this requires a mix of education and facilitation together with a comprehensive and credible enforcement program, including sophisticated means of preventing and detecting noncompliance, and a range of graduated approach to voluntary and enforced correction. Figure 8 demonstrates this concept, illustrating that if the processes are managed well, the combined effects may produce synergies across the whole system. Figure 8 is intended to illustrate that prevention is the preferred approach as it is likely to be more effective and involve lower costs for both revenue bodies and taxpayers. Prevention is not just about education and facilitation, systems designed to prevent noncompliance are equally important. Correction is required where detection systems field of study is known as behavioral insights.
Behavioral insights is an emerging field exploring ways to improve the effectiveness and efficiency of customer interactions. It aims to combine insights from behavioral economics, psychology, cognitive science, and social science with empirically tested results to discover how people make choices and what factors influence those choices. Behavioral insights has been used to encourage better lifestyle choices, promote safer driving practices, and to improve regulatory compliance behavior. 7 By understanding better how peoples' behavior can be influenced by different approaches, revenue bodies can design more effective interventions to promote compliance. Many interventions currently emerging from the study of behavioral insights in the field of tax are relatively simple and cheap to implement, often with surprising results. Some are new, and others can be introduced alongside the more traditional methods, to broaden the suite of treatments available and to improve the influence of existing interventions. For example, redrafting letters and notices to improve the prominence of key information (such as placing this information in a box or presenting it in a different color) and varying the tone or language are just two examples of simple interventions which have been found to improve the success of the interaction in influencing taxpayer compliance behavior. 7 R. Thaler  usually include a mix of cross-functional approaches, taxpayer education and facilitation, law and administrative reforms, and graduated enforcement actions. Conducting CRM at a national level supports consistent approaches to taxpayers in similar situations, and allows revenue bodies to coordinate activities to support national priorities. If organizational units are able to independently determine priority compliance risks and decide how they will be treated, then they are likely to target different risks and adopt different approaches to mitigate those risks. Without national coordination, there is a high likelihood that different approaches will be adopted within and across tax types, sectors and segments, and geographic regions. A coordinated national cross-functional approach delivered consistently has a better chance of delivering the voluntary compliance synergies discussed earlier.
Key requirements for a national approach include a national tax return database, access to external data sets, and well-developed analytics capability. Important conditions supporting this include high levels of electronic filing or "e-filing" of all types of returns, full data entry of paper-filled returns, central databases (or regular consolidation of regional databases), and access to bulk electronic data from other government and private sector agencies in prescribed and defined electronic formats. Legislation must allow the revenue body indicate that prevention has failed, and in such cases the preferred treatment is differentiated based on the seriousness of the behavior and the revenue at risk.
There is increasing recognition that expensive one-to-one corrections such as field audits must be used carefully, and that compliance risk management must include a broader set of interventions to correct taxpayer errors. Revenue bodies are adopting other approaches to correction, such as automated monitoring and matching systems, and promoting self-correction as an alternative to audit. Voluntary disclosure programs are also routinely offered, usually involving reduced penalties as an incentive.
Detection activities, if designed well, support prevention and correction. If taxpayers believe that there is a high risk of detection, then this may act as both a deterrent to noncompliance as well as a means to effectively identify higher risk cases requiring correction. Good detection also builds credibility.

Planning and Implementing Strategies
Compliance improvement strategies describe the treatments that will be deployed to mitigate strategic compliance risks. Typically, a strategy is developed at a national level and then deployed across all regions. Plans may then be developed in each region to deliver the national strategy ( Figure 9). Compliance improvement strategies ✓ National compliance improvement strategies support consistency.
✓ Compliance improvement strategies should include a mix of cross-functional approaches to support voluntary compliance.

Improved Voluntary Compliance
Prevention activities focus on taxpayer education, facilitation and simplification as well as designing systems to lock in compliance. The objective is to make it easier to comply by delivering effective support and service as well making it difficult not to comply through system design to promote compliance (such as reporting and withholding systems, pre-filing of returns, and effective data matching).
Correction activities must be credible and should treat the underlying causes. Credibility means that taxpayers believe the revenue body has the data and skills to effectively detect and quantify the full extent of noncompliance. Treating underlying causes means that the revenue body will not just correct the noncompliance but will also take actions, such as monitoring, to lock in future compliance.
Source: Compiled by the author. and build an analytics capability, both human capital and infrastructure (storage, hardware, and software) is required.
to have access to bulk data and to be empowered to specify the formats and frequency of provision of this data, via bulk exchange. To strengthen data

Monitoring and Evaluation
Ongoing monitoring of the delivery and immediate impact of treatments tracks shortterm performance and impacts, and enables timely improvements to be instigated throughout implementation ( Figure 10). Evaluation involves deeper analysis of longer-term impacts on the behaviors of the taxpayers touched by the treatments as well as the underlying levels of voluntary compliance across the population. 8 Treatment strategies should also be designed to deliver sustained compliance improvement in the target population and the broader population over the longer term. Ongoing checking of those involved in the targeted behavior to ensure future compliance, as well as publicity to deter others from becoming involved in the noncompliant behaviors, help to deliver these sustained improvements and should be a part of any strategy to treat compliance risks. Figure 11 illustrates this desired ripple effect concept.
The center of the ripple represents the immediate impact of the compliance actions on the behavior of the taxpayers touched by those actions. These short-term impacts include the immediate revenue raised from those taxpayers directly impacted, and increases in the levels of voluntary disclosures and requests for advice (compared with control groups).
At the next layer of the ripple, impacts may be detected through changes in tax collections and   in voluntary compliance levels across the broader population. These may be tracked at a whole-ofsystem level and across various subgroups, such as taxpayer segments (micro, small, medium, and large businesses, and individuals) and important industry sectors. Long-term changes in global levels of voluntary compliance may be linked to changes in taxpayer perceptions about the performance of the revenue body and fairness of the taxation system. Many revenue bodies conduct surveys to track trends in areas such as satisfaction with service levels and the performance of the revenue body (including professionalism of tax officers), and perception about fairness of the tax administration and the tax system. Shifts in these parameters can provide insights about the success of the revenue body's CRM activities at the system and subsystem levels.
Box 1 provides examples of the types of measures and indicators which many revenue bodies find useful in tracking the impact of compliance interventions at a national level.
other behaviors of those touched by the treatments (compared with control groups) in subsequent years, and trends in revenue such as the numbers of voluntary disclosures received from taxpayers in the target population, and changes in numbers of requests for advice or rulings on the topic, from taxpayers touched and others involved in the targeted behavior.
Evaluation of the impact of the treatments against the core compliance obligations within the target population compared with control groups provides an assessment of the longer-term and ongoing voluntary compliance impact within the directly touched population and the broader population.
Shifts in voluntary compliance generally take much longer to be observed and may not be attributed to any single compliance improvement activity. Sustained shifts in compliance against the core compliance obligations provide an indication of whether the collective impacts of the various activities may be making a difference  voluntary compliance in the broader community. Raising awareness of the work that the revenue body undertakes to support and supervise tax compliance, if done well, is likely to give taxpayers greater confidence that they will be treated according to their circumstances, provided with the help they need to understand their obligations, and that noncompliance will be addressed effectively. All these factors together promote the perception of a fairer tax administration, which has been shown to support higher levels of voluntary compliance.

Organizational Arrangements to Support Compliance Risk Management
Effective compliance improvement requires cross-functional collaboration at all stages of the Compliance Risk Management (CRM) process. 10 Understanding compliance risks, developing treatment approaches, and implementing those approaches, are all likely to be more effective when considered holistically. Considering compliance risks through a single functional lens may result in a simplistic or even erroneous diagnostic, as each functional area may tend to rely on the tools available, and see the problem through that lens. Inevitably, auditors will see audit as the solution, service providers will see education as the answer. Selection and delivery of the most appropriate suite of treatments or combination of treatments is best supported through collaborative engagement of all functional areas in the strategy development process.
Creating an environment to support cross-functional collaboration and holistic approaches in CRM requires new organizational arrangements, both structural and procedural ( Figure 12). Revenue bodies may create a CRM unit (perhaps within the planning department) to develop the research, data, and analytics capability, and to provide organization-wide processes and procedures and training on CRM. This unit may also be responsible for coordination of the annual CRM processes, including the development of the annual compliance program and preparation of performance reports for the Appendix 4 provides an example of how a revenue body might compile a report to monitor the impact of the compliance program on voluntary compliance over time. Reports such as this are critical in ensuring that strategies adopted are delivering the outcomes expected in terms of voluntary compliance improvements over time. Although revenue bodies may not be able to report on all elements illustrated, it is important to track what can be measured, and invest in building the suite of measures and indicators over time.

Annual Compliance Program
The foregoing discussions have focused largely on how CRM can be used to help revenues bodies to better understand their operating environment, and the risk landscape within which they operate. Using CRM supports decisions about which compliance risks will be treated and to what extent, and which risks will be tolerated. The CRM framework may be applied at different levels. Once the strategic risks requiring treatment are agreed, then the CRM process is repeated for each risk. At the end of that process, a cross-functional compliance improvement strategy is developed for each priority category-level risk. These compliance improvement strategies, when brought together, represent the revenue body's high-level annual compliance program.
Some revenue bodies publish their annual compliance program, together with an annual performance report detailing the work that has been done in delivering the previous year's program as well as providing information about longer-term trends in voluntary compliance. 9 In some cases, this may include publishing the results of tax gap analysis. Appendix 4 provides an example of the type of reporting which may be published about voluntary compliance trends. This type of reporting may form part of an annual performance report, and would typically be accompanied by a range of reports on operational activities conducted across various organizational units.
Publishing the compliance program and the results achieved may help to build community confidence in tax administration and support In summary, the effective implementation of a compliance management framework requires the establishment of a compliance management organization. The compliance management organization is intended to support the development and implementation of the revenue body's compliance risk management strategies.
The roles and responsibilities of each of the suggested organizational components are described further in Box 2.
To put the compliance improvement strategies into action, they must be incorporated into the revenue body's annual operational and action plans. It may be necessary to adjust the structure of the existing plans in order to include separate cross-cutting activities, and compliance indicators and workflow targets. These may be at the tax level as well as for key taxpayer segments and industries, in addition to existing functional or other targets. The revenue body may also need to adjust the monitoring and evaluation framework to support measurement and reporting of compliance results and workflow outturns for each tax, taxpayer segment, and key industry sector. Appendix 1 provides a detailed example of the processes to generate a compliance improvement strategy and includes examples of possible crosscutting activities and measures. senior executive. An important role of the CRM often includes the responsibility for tracking trends in voluntary compliance.
The CRM unit is often supported by risk owners assigned to oversee the preparation of crossfunctional compliance improvement strategies for each of the category-level risks. Risk owners are subject matter experts. Their role is to coordinate functional areas to work together in developing, implementing, and monitoring the cross-functional risk mitigation activities outlined in the compliance improvement strategy.
Accountability for delivery remains with relevant functional areas and the activities that each area is required to deliver are typically embedded into the responsible areas' operational plan. Some revenue bodies also establish a CRM committee to oversee the compliance program's deliverables and to provide regular evaluation and reporting to the senior executive.
The CRM unit, the risk owners, and the CRM committee all operate together to strengthen the CRM processes across the organization. Although each of these elements may be implemented flexibly, and in a staged way, depending upon the size of the organization and the existing arrangements, it is suggested that each element is present in some form in a mature model.

Box 2: Key Components of Compliance Management Organization
Three key components are critical to adopt this institutional arrangement: 1. An executive-level Compliance Management Committee: ✓ Responsible for the overall management of the compliance management framework. ✓ Responsibilities include endorsing all risks that require active management, approving compliance management strategies prepared by the risk owners, and monitoring the delivery and evaluating the impacts of the strategies. ✓ Membership would include the directors of headquarters bureaus and the heads of selected regional offices. Set out below and in Box 3 is a compliance improvement strategy for the category-level risk that employers do not fully meet their tax responsibilities, such as tax withholding Pay As You Earn at source and wage and other reporting. The strategy is presented at a high level and would typically be supported by detailed analysis of the nature and size of the risk and further details regarding expected treatments. This strategy is intended to both inform stakeholders about actions to be taken and to provide guidance to regional offices in development of detailed plans which would include expected workflows to be delivered.

Steps 1 and 2 -Operating Context and Risk Description
The operating context helps to frame the risk, providing information about the behaviors evident across the community of employers and employees. Reference may be made to academic research on the nature of employment, material published by labor unions and regulators of breaches of labor laws, statistics from other government agencies (such as the bureau of statistics and the social security agency), and census data on the expected size of the workforce and number of employers.

Steps 3, 4, and 5 -Analyzing the Risk and the Underlying Behaviors
Once the risk is framed, more analysis will be conducted to further establish the details of the nature and magnitude of the problem. Attempts will be made to identify key industry sectors or business segments where the risk is more likely or more severe. This more detailed analysis will also be used to develop case selection methodologies and to attempt to differentiate risk levels across segments and sectors, employers, and employees, and to develop a risk differentiation framework to guide treatment strategies.
Step 6 -Treatment Strategy Understanding behaviors informs the development and targeting of appropriate treatments (based on the behaviors observed). This risk differentiation allows the development of approaches to protect the vulnerable employees, educate the susceptible employers and employees, and punish abusive practices.
Step 7 -Monitoring Implementation Target will be set for each regional office on the number of actions to be taken within each category, and for some activities, revenue target may also be specified. Case lists will be provided, and these will identify the type of treatments to be applied in each case (or group of cases). Follow-up actions and ongoing monitoring of taxpayers affected by the interventions will be required. Short-term impacts to be measured may include the number of cases acted on, the immediate revenue raised from those employers and employees directly impacted by treatment activity, the number of voluntary disclosures received from employers and employees in the target population, and changes in the number of requests for advice or rulings and improvements in compliance in future years.
Headquarters will be responsible for implementing some treatments, such as publicity campaigns and infrastructure improvements. These activities will probably be established as projects and targets will be set and monitored within the project environment to ensure timely delivery of these enablers.
Step 8 -Evaluating Compliance Outcomes Most compliance outcomes are monitored at a national level, tracking movements in the numbers of registered employers and employees and withholding tax (WHT) reported across the population, and within industries and segments. Revenue reported, number of complaints about employers, and perceptions of the size of the shadow economy will also be monitored. Tax gap analysis, if available, will also be used to monitor the longer-term impact of administrative actions taken.

Appendix 1: Case Study Example of Compliance Risk Management in Action 1. Operating Context
Employers play an important role in the revenue, social welfare, and retirement savings systems. The financial well-being of workers now and in the future is dependent upon high levels of compliance by employers. For these reasons, the revenue body has an ongoing compliance program designed to both support and supervise employers in an effort to maximize voluntary compliance, and to ensure early detection and correction of noncompliance if it does occur.

Risk Description
Some employers will fail to withhold, remit, and report the correct amount of tax and other payments from employees' salary and wages.

Risk Analysis
Underperforming Revenue: • Only X% of total revenue comes from employee deductions but employment statistics suggest it should be over Y%. Environmental Scanning: • Employment tax burden is considered to be high and compliance complicated.
• Unions report exploitation of workers (especially new immigrants).

Tax Gap Analysis:
• Informal work is a feature of the shadow economy, mainly for small-business employers. Both tax revenue and retirement savings are impacted. Social welfare expenditure is also likely to be impacted. • Policy deficiencies, including difficulty distinguishing employment and contracting, and administrative deficiencies such as overly complicated registration and reporting requirements, particularly for small employers, drive noncompliance.
4. What drives the behavior? • Employers do not fully understand the status of workers (employees or contractors) or their obligations. • Compliance requirements are seen as complex. • Tax burden and on costs are considered too high. • Employers undercomply for financial gain.
• Employees are vulnerable to exploitation and do not know their rights, or are not prepared to enforce them. • Employees collaborate with employers for financial gain, including receiving social welfare payment that they are not entitled to receive.
5. Business Segment Analysis • Small employers incur higher per employee costs and often cannot afford payroll service.
Skills are variable and there is a higher risk of misunderstanding leading to noncompliance due to complexity. Some small employers operate partially or entirely outside of the system (shadow economy), employing informal workers who also operate outside of the system in order to avoid the perceived high on costs of employment (e.g., workers compensation insurance and payroll taxes). • Large employers usually engage professional payroll providers (either in-house or outsourced) to manage compliance systems. Automated systems reduce the risk of noncompliance but there are still risks, such as misclassification of workers, systems errors, and fraud (such as by staff or service providers).

Treatment Strategy
Education: • Develop and disseminate awareness material and online calculators. • Educate employees about their rights and obligations to register and file and provide help, if sought. Facilitation: • Hotlines to help employers get it right.
• Hotlines for employees to report problems.
• E-filing system designed to better support employers.
• Mandate e-filing and e-payment.
• Targeted information about sanctions (such as denial of deductions and penalties) for noncompliance. • Offer voluntary disclosure incentives (reduced penalty).

Simplification (Reduce compliance cost):
• Develop and promote simple e-filing and e-payment options. • Provide free payroll software for small employers.

Detection:
• Centralize employee data into a national data base. • Identify employers from third-party data such as published financial statements, government registers, registrar of companies and business register, and companies accessing government incentives. Enforcement: • Advisory visits to smaller businesses to facilitate correction. • Cooperative governance checks for large businesses to test systems. • A small number of audits on businesses with potentially higher nondisclosure levels. • Targeted prosecution of serious offenders (employers and employees). • Publicizing of the results of enforcement (at an aggregate level) and providing information on how to correct mistakes.
Many revenue bodies face challenges in improving data and analytics capabilities to better support environmental scanning and the systemic risk identification and analysis required to support Compliance Risk Management (CRM).
Often the main sources of information available to revenue bodies are tax returns and other mandatory reporting (such as by withholding agents), but this data is not always available electronically and may not be stored in a central database that is accessible for automated analysis. In addition, third-party data sources may be limited to other government agencies and are frequently not supplied in a suitable format, particularly if other agencies are not using electronic platforms. Nongovernment data sources may be limited, particularly where there are limited legal powers to require provision of bulk data, or to specify required formats. Even where data sets are relatively comprehensive, analytics may be frustrated by inflexible storage options and limited access to the software and skills required to effectively manage the data available.

Plan for Improving Research and Data Management Capability
In meeting the challenges in improving infrastructure to support CRM, these shortcomings need to be systematically addressed. In doing so, it may be beneficial to develop a business improvement plan. Developing an improvement plan typically starts with a stocktake of the current situation, identifying and prioritizing gaps and impediments, which may frustrate efforts. Within the business improvement plan, sub-plans would be developed for each of the key areas where deficiencies have been identified. As illustrated in Figure A2.1, this would typically include plans to improve (i) data and data management; information technology infrastructure to support data management, analytics, and profiling; (ii) staff capacity and capability; (iii) the legislative framework (where required); and (iv) to create a robust governance framework to provide high-level oversight.

Data and Data Management
Establishing a data improvement plan enables an organization to prioritize data sourcing, and to standardize required formats and fields to facilitate data handling. The data acquisition plan should clearly detail the timing; format of the data (definitions, structure, report layout, format, and quality); and the filing (take-on) channels and validation steps required to be met. Some of the validation/assurance may be undertaken by the third-party organizations through the specification and publishing of data and reporting standards. Negotiating these arrangements with the thirdparty providers can help minimize their costs, build good relationships, and improve the quality of the data received. Inevitably, some assurance processes will also need to be undertaken by the revenue authority, but the objective should be to minimize this through negotiations with third-party providers.
Specifying data requirements upfront can help minimize the costs and maximize the usefulness of the data, particularly in making comparisons across the organization. In the early stages of a data improvement regime, it will be critically important to ensure that all levels of the organization (both horizontally and vertically) are working against a consistent backbone of protocols, so these need to be developed and tested centrally to ensure consistency and utility of the data.

Information Technology Infrastructure
Information technology requirements will typically fall into two categories: (i) uptake, processing, and storage capacity; and (ii) software tools to support analytics. Increasingly, tax authorities are embracing big data tools to enable the scaling of analytics to handle massive data volumes originating from multiple sources. Data is a key input into the analytic process. To get the most out of advanced analytics, data must be actively managed to ensure it is suitable for analytic purposes-"big data" may not be "useful data." If this data is inaccurate or incomplete, or subject to selection bias, then the value of any resulting model will be severely limited, regardless of the volume of data available.
Additionally, big data storage presents many challenges; however, they can be overcome with sufficient investment in big data management tools. Beyond the processing and storage challenges, administrations must also face complex decisions relating to analytics software and programming including which advance analytics tools to utilize given the wide range available-commercial and open-source.
Appendix 2: Improving Research, Data, and Analytics to Support Compliance Risk Management profiles; and to perform detailed quality assurance, analysis and evaluation of the risk processes.

Legislation and Regulations
Constructing a nationally consistent core data set is important in building reliable risk processes and supporting comprehensive compliance risk management. With increasing nationalization and internationalization of business, it is essential in supporting both services and supervision, that revenue bodies are able to conduct analytics and build profiles of businesses that are comprehensive, and not hindered by lack of data or lack of usability of data.
Breaking down barriers to consolidate data and better understand the business environment and risks may require more powers (regulations or legislation) to enable more standardized policies and requirements about taxpayer filing and reporting, and third-party bulk data capture as well as data formats and take on channels.

Centralized Governance
Integrating the business, information technology (IT), and analytics perspectives, and managing the uncertainty inherent in advanced analytics projects require a robust senior-level governance structure. Many tax administrations have established integrated governance bodies to prioritize, resource, and oversee analytics projects. A senior management group led by a senior official and consisting of representatives from the compliance, analytics, and IT functions is highly recommended to: • prioritize and oversee all advanced analytics initiatives across the organization, • align analytics projects to organizational priorities, • ensure that the analytics function works within the appropriate infrastructure, and • coordinate activities.

Mature Research Data and Analytics Capability
In developing a business improvement plan, it is important to have the end game in sight. Revenue bodies should be clear about what they are seeking to achieve from the research, data, and analytics capability, and to be realistic about how long it will take to achieve the improvements sought. Box A2.1 outlines the key features of an effective research, data, and analytics capability as a platform to strengthen CRM.

Analytics and Profiling
The analytics capability supports the use of statistical tools and technologies to: • Find patterns in data for further analysis.
• Find outliers from the huge data points (such as for case selection and fraud detection). • Identify relationships within the key data variables for prediction, e.g., likely compliance behaviors to identify points of intervention and best methods to influence behaviors.

Staff Capacity and Capability
Specialist skills and traits are needed such as mathematics, statistics, quantitative and qualitative analysis, data interpretation, and using techniques to visually depict data. For these reasons, most organizations hire specialized staff. The type and number of staffing required will depend on the overall size of the organization, the scope of the system, and the expectations of internal and external stakeholders. At a minimum, staff will be needed to develop and operate the system; to design and implement the specific risk parameters; to produce environmental scans, reports, and risk ✓ Consolidation, management, and security of primary (taxpayer) data: • A central national database supports effective analysis of primary data.
• Primary data may be supplemented by systematic capture of staff insights.
• Taxpayer confidence is supported by strong data protection protocols. ✓ Acquisition, management, and security of all secondary (third-party) data: • Bulk data must be provided in a prescribed form to enable effective analysis.
• Security over data protects reputation and government support for ongoing collection and expanded powers (if required). • Refreshing and expanding data sources support contemporary and responsive Compliance Risk Management (CRM). • Legislative changes may be required to ensure the revenue body's data strategy is able to keep up with changing business environment (domestic and global). ✓ Environmental scanning and research of demographic and economic trends and their expected impact on CRM: • In-house research, including conducting taxpayer and stakeholder surveys.
• Collaborating with other government agencies and academic institutions. ✓ A comprehensive legal framework to support the revenue body in collecting required data: • The ability to specify the frequency and format in which bulk data must be provided.
• The ability to regulate new data sources as new business models emerge. ✓ An environmental scanning capability to support: • Detection of changes in the environment which may impact taxpayer compliance.
• Help to identify strengths, weaknesses, opportunities, and threats to support decisions about future strategies. ✓ Advanced analytics techniques to support: • Predictive analytics, which aims to anticipate likely behavior patterns.
• Prescriptive analytics, which aims to understand the impacts of the actions taken to select actions more likely to produce the outcomes sought. • Social network analysis, which aims to bring together the big picture of the interactions and relationships between players within and outside of risky groups. ✓ Advanced analytics techniques may include: • Data and text mining.
• Artificial intelligence and machine learning.
• Pattern matching and visualization tools.
• Network and cluster analysis.   Note: Percentages represent the proportion of income (for PIT, CIT, or VAT) subject to some form of independent oversight or validation, such as third-party reporting or withholding, third-party data matching, and revenue body automated and manual checking.    Confronting someone who was cheating tax system 5% 7% 6% 8% Note: Participants who were asked about their VCB are then asked for the reason why they they did or did not engage in the listed behaviors.