Compliance Risk Management (CRM) Passing Trend or Necessity for the Tax Administrations?


Currently, in almost all tax administrations (TAs) of OECD countries and Latin America, there is talk of the need to apply risk analysis or, more comprehensively, Compliance Risk Management (CRM).

In recent years there have been different trends or vogues to strengthen TAs: process reengineering, total quality techniques, making TAs autonomous, achieving ISO certifications and process standardization, the Data Warehouse, implementing an organizational model that supports processes and not functions, etc.

In this post we are going to try to analyze if CRM is a temporary fad like others that have existed throughout the last 25/30 years or is it really an adequate instrument to direct the TAs’ operations.

We anticipate that, in our opinion, CRM is a reasonable solution to address the problems and needs of TAs in a comprehensive and integrated manner.



The TAs’ function is to ensure the correct application of the tax laws approved by Parliament and this is difficult because the rules to be applied are complex and changing, with broad bases, with many special regimes and tax benefits, open economies, with very complex financial systems and with a great weight of transnational companies and the digital economy.

At the same time, in recent years, TAs have faced a sharp increase in workload (number of taxpayers and declarations to be checked, cargo volume and customs traffic and new tasks assigned) and strong demands for quality (clearance times, time for refunds and claims, attention to citizens, etc.) that coincide with a very small number of officials and often with a certain ageing of the staff.

Therefore, the TAs have been taking decisions to adapt to a complex situation due to the high workload and the scarcity of available resources.

Among these decisions, we can highlight the commitment to ICTs and to building a comprehensive information system, the generalization of withholdings and self-assessments, the stratification of taxpayers (Large Taxpayer Units), the reform of simplified procedures, the extension of post-clearance customs inspection, the strengthening of preventive control actions, the advances in social collaboration (Authorized Economic Operator or Cooperative Compliance actions), greater international collaboration and increased information exchanges, etc.

In general terms, the TAs have defined a new strategy that involves raising the levels of voluntary compliance by taxpayers, which requires a commitment to two main lines of action: providing the maximum facilities to those who want to comply and resolutely and rigorously fighting against tax fraud and non-compliance.

These two lines of action are complementary and must be applied in a balanced manner so that taxpayers can better comply with their tax obligations in a “voluntary” manner. The great goal of a modern TA is not to uncover much tax fraud, but to have less and less tax fraud.

Implementing CRM in the TAs arises from these lines of evolution. We understand that CRM is a process for TAs to choose the most appropriate tool to encourage “voluntary” compliance and prevent non-compliance, considering the taxpayer behavior and its causes and the TA’s capacities to act.

The GRC requires quality information and rigorous analysis to decide in each case how TA should act. Obviously, this is not something new, although in recent years it has been formalized and made more concrete in the comprehensive planning of TAs.

We would like to emphasize that CRM is not only about the selection of taxpayers to be audited, but it is also a tool to organize and direct all TA actions. Its main utility is that it helps TAs to make rational decisions and to decide what to do and what not to do in order to achieve the most effective results and an efficient allocation of available resources.

GRC is, in short, a methodology for orderly decision making supported by information and with an emphasis on preventive actions.

In CRM, the “risk” is any event or circumstance that may make it difficult for the organization to achieve its strategic objective, i.e., voluntary compliance. The risks may be external (operational) derived from the behavior of the taxpayers or internal (corporate) and must be assessed according to the probability of their occurrence and their impact.

The analysis of corporate risks requires the assessment of the functioning, strengths and weaknesses of all aspects that condition the functioning of TA.


  • Whether the regulatory framework facilitates the application of the system and the functioning of TA: what is the penalty regime like, the ease of access to information, the coverage of the use of new technologies etc.

  • Personnel policy and management, analyzing whether the number and qualifications of staff are adequate, whether allocation is consistent with strategic objectives, whether the level of remuneration is reasonable, etc.

  • Sufficiency and adequate allocation of budgetary resources.

  • Business and IT system continuity plan in case of possible disasters or attacks from third parties (the current coronavirus crisis is a good example).

  • Ability to set objectives, targets and incentives that are conducive to the effective functioning of the TA and consistent with the identified risks.

  • Quality and extent of the information system and technological support.

  • As regards organizational aspects, it is necessary to ensure that TA works with an integrated vision of the entire process of implementation of the tax system, and that there is a clear separation of management and operational functions, ensuring the proper relationship between Internal Taxes, Customs and Social Security, etc.

Operational risks are usually summarized in the traditional compliance gaps: registration, declaration, veracity and payment of taxes.

Therefore, it implies evaluating the quality of the Single Tax Registry so that all taxpayers who should be there and only them are there; then, that all taxpayers declare in due time and form, that the content of the returns is adjusted to the reality of the activity carried out (undoubtedly the most powerful risk and the most difficult to control) and that finally the taxpayers enter the amounts due.

For each type of taxpayer, the impact and probabilities of risks is different; for example, it will not be the same for large companies as for a street vendor.

We have already said that the GRC demands quality information and rigorous analysis to decide in each case how the TA should act so the quality of the Information System (IS) is key.

Although the capacity to capture and store data by TAs has increased exponentially in recent years, their capacity for analysis and effective exploitation has not grown in the same proportion. An effort must be made to improve the analysis of the available information, which may require the incorporation of engineers and “data scientists” into the TA, who, together with tax experts, will ensure that the information is properly exploited.

In the TA, it is said that information is essential and its main asset. However, it is not enough to just say it, the data must be processed to ensure its quality, to convert it into information and to exploit it properly. Managing data is a thankless task that only pays off in the medium term, but it is essential to move forward by avoiding “copying the last trend” without solid foundations. However, in many cases TAs do not pay adequate attention to the quality of information and basic data.

To apply CRM there are different theoretical models that are very similar in their definition, such as that of the OECD, the revised Kyoto model, ISO 31000 or the one of the European Union, the graph of which is presented below:

Source: Compliance Risk Management Guide for Tax Administrations. European Commission.

Within the EU Risk Management Model, the first step is the analysis of the context, i.e. the environment in which TA operates and the set of facts and circumstances surrounding it; secondly, the central objective for TA is to collect the right amount of taxes, with the least inconvenience for citizens and the least cost for the Administration, and then define the strategy to achieve those objectives.  We have already said that, for most countries, it is to encourage a higher level of “voluntary” compliance.

Then the traditional sequence of risk analysis begins. Identifying risks, analyzing them, prioritizing them, deciding how to deal with them, and then evaluation and permanent learning, feeding back into the whole process.

With regard to the identification of risks, as already mentioned, among the operational risks are those of registration, declaration, that the content of the declarations is in line with the reality of the activity carried out and the effective payment of the taxes due.

As for the risks in the Registry we can mention registered taxpayers that have already ceased their activity, false registrations that can be used as screens in fraud schemes, unregistered activities (informal economy), incorrect or outdated information with impact to analyze risks.

As for the risks in the returns, they are very much conditioned by the quality of the taxpayers’ registry. In principle, it seems easy to detect the omissions by means of crosses, but it is difficult to solve if the number is very high. Self-correcting and indirect locking systems can be a significant step forward in managing many omissions.

The third risk to be assessed is that of the veracity of the returns, which is the most complex to analyze and affects all types of taxpayers. Basic errors can be resolved with prior validation and mass checks, but there are very complex cases: under-declaration of revenue, over-declaration of expenditure, inadequate qualification of operations and contracts, incorrect declaration of origin, value or classification of goods, etc. which require a rigorous risk analysis to detect the most serious cases.

It is necessary to combine mass control and in-depth audits that require highly qualified personnel and individual actions with the taxpayers.

The fourth risk is the effective income from taxes. The tax process takes a long time due to the appeals before different instances and the TA is not always competent to carry out the collection. It is essential to act immediately, yet the outstanding charges often accumulates with old and untreated debts and the information is often scarce, making it extremely difficult to make good decisions.

Once the risks have been identified, they must be analyzed, which means looking at the frequency, probability and consequences of each one of them and identifying their causes (complex rules, insufficient control, inadequate sanctions, etc.).

The next step is to prioritize the risks. TAs usually identify many risks that exceed their capacity to act. Prioritizing risks means deciding which actions to take (and which not) considering the foreseeable impact on voluntary compliance and the resources available. The permanent search for induced effect to improve voluntary compliance is key.

Then, it is necessary to decide on the treatment for the different risks and apply the most appropriate one at each moment. For this purpose, all the tools available to TA should be used, i.e. assistance and information, mass control, audits, meetings with sectors, payment facilities, denunciations of tax crimes, pre-filled tax returns, tax education and any other tool considered convenient.

The essence of risk management is to properly allocate resources and use all options to reinforce voluntary compliance, both corrective and preventive.

The final stage of the EU Risk Management Model is assessment and learning. CRM is an ongoing process and evaluation must be permanent in order to improve the decision-making and enhance the real impact of the TA’s activity on tax compliance.

Finally, we would like to highlight some lessons already learned in the application of CRM:

  • CRM should not be something isolated but part of the normal working process of a TA.

  • CRM must use “all the tools” available to the TA (not only control actions).

  • The organization must work in a coordinated way and end the watertight compartments mindsets; it is essential to work as a team.

  • There must be adequate communication at the different levels of officials, alignment of teams and commitment at the highest levels of the TA.

  • Try to make it simple and adjust to the characteristics and needs of each case, avoiding excessive sophistication and heavy structures. There is no single path to implementing CRM; each country must decide its most appropriate steps.

  • ICT tools are important, but the real added value comes from the analysts and the experience of the organization.

  • CRM helps to move from a focus on activities to one that is results-oriented and emphasizes preventive actions.


In our opinion, CRM is a reasonable solution to globally address the problems and needs of TAs and is not a just a fashionable trend but a technique that can be very useful for orderly decision making, supported by information and focused on preventive actions to improve the levels of “voluntary” compliance by taxpayers.

But, as we have said before, we do not want this contribution to the blog to be a monologue; we would appreciate your opinions, criticisms or suggestions.

We believe that issues related to the TA are always open to opinion and debate. Let’s start to give our opinion and discuss, for all to improve.


5,012 total views, 2 views today

Disclaimer. Readers are informed that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author's employer, organization, committee or other group the author might be associated with, nor to the Executive Secretariat of CIAT. The author is also responsible for the precision and accuracy of data and sources.


  1. Tripathi Associates Reply

    Nice site good work grate… keep it up …

  2. Fernando Díaz Yubero Reply

    Thank you.
    Best regards.

Leave a Reply

Your email address will not be published.

CIAT Subscriptions

Browse through the site without restrictions. Consult and download the contents.

Subscribe to our electronic newsletters:

  • Blog
  • Academic offer (Only in spanish)
  • Newsletter
  • Publications
  • News alert

Activate subscription

CIAT Members

Representatives, Correspondent and Authorized staff (TA)