Risk Management in Grantmaking: A Practical Guide for Funders

How funders can identify, assess and mitigate grant risks proportionately — from due diligence and staged payments to monitoring and learning from issues.

By Plinth Team

Risk management in grantmaking is not about avoiding risk altogether. It is about understanding which risks matter, responding proportionately, and making sure that good projects can proceed with appropriate assurance rather than being blocked by excessive caution. The Charity Commission's guidance on risk management (CC26) makes this explicit: trustees should "identify the major risks that apply to their charity and make decisions about how to respond to the risks they face" — not eliminate all uncertainty.

Yet many funders still default to one of two extremes. Some apply heavyweight due diligence uniformly, requiring the same documentation from a community group seeking a £2,000 micro-grant as from an organisation seeking £200,000. Others treat risk management as a box-ticking exercise, collecting documents without genuinely assessing what they reveal. Neither approach serves the funder or the grantee well. The BDO Charity Fraud Report 2024 found that 42% of charities reported fraud or attempted fraud, with only 44% having a formal fraud response plan — meaning more than half of charities lack one, a figure that underlines why proportionate, embedded risk management matters more than compliance theatre.

This guide sets out a practical framework for funders who want to manage grant risk effectively without creating disproportionate burden. It covers how to build a risk framework, calibrate controls to grant size and context, use technology to support (not replace) human judgement, and learn from issues when they arise.

What Does Risk Management Mean in Grantmaking?

Risk management in grantmaking is the systematic process of identifying, assessing, mitigating and monitoring risks throughout the grant lifecycle — from initial application through to close-out. It applies to risks that could affect both the funder (reputational damage, financial loss, regulatory non-compliance) and the grantee (delivery failure, safeguarding incidents, financial mismanagement).

The Charity Commission's CC26 guidance describes risk as "the potential for any outcome to differ from expectation" and recommends a standard approach: identify risks, assess their likelihood and impact, decide how to respond, and review regularly. For grantmakers, this translates into practical decisions at every stage of the programme cycle. During application design, it means deciding what due diligence to require. During assessment, it means evaluating organisational capacity alongside project merit. During delivery, it means choosing monitoring frequency and depth. During close-out, it means verifying that funds were used appropriately.

The UK Government's Grants Functional Standard reinforces this, stating that "risk management shall be a core component of every stage of the grant management process, from design and development to final evaluation." For government grants above £100,000, the standard recommends using staff with specialist skills for due diligence; for smaller grants, lighter checks by the grant team are considered sufficient.

What distinguishes good risk management from bureaucratic over-caution is proportionality. The Association of Charitable Foundations (ACF) and IVAR have both argued that due diligence requirements should be proportional to the size of the grant and the perceived level of risk, not applied uniformly. As IVAR's Open and Trusting Grant-making programme puts it, funders should be "realistic about how much assurance applicants can reasonably give."

Why Should Funders Care About Getting Risk Management Right?

Getting risk management wrong has real consequences in both directions. Insufficient controls expose funders to fraud, reputational damage and regulatory censure. Excessive controls waste resources, exclude smaller organisations, and damage funder-grantee relationships.

The financial case is clear. According to the BDO Charity Fraud Report 2025, 34% of charities reported experiencing fraud in the previous twelve months — the lowest figure in the five years since the report began, suggesting that improved controls are working. However, 73% of those who experienced fraud suffered a financial loss (BDO, 2025). For grantmakers, this means that the risk of funds being misused is real and ongoing.

The regulatory case is equally pressing. The Charity Commission assessed 3,132 serious incident reports in 2024-25, a figure that has remained broadly stable year on year (Charity Commission Annual Report 2024-25). Funders who distribute charitable funds have a fiduciary duty to ensure those funds are used for their intended purpose. Inadequate risk management can lead to regulatory scrutiny not just of the grantee, but of the funder itself.

But the cost of over-engineering controls is also substantial. Research by IVAR's Open and Trusting community, which now represents over 150 funders distributing more than £1 billion annually, has consistently found that disproportionate requirements exclude smaller, grassroots organisations — often the very groups that funders say they want to reach. When a £5,000 grant requires three years of audited accounts, a safeguarding policy review, and a governance document assessment, many community groups simply do not apply.

How Do You Build a Practical Risk Framework?

A practical risk framework for grantmaking does not need to be complex. The most effective frameworks fit on a single page and focus on four core risk categories: financial, governance, delivery and reputational.

Financial risk covers the possibility that funds will be lost, misused or not accounted for. This includes fraud, poor financial management, over-reliance on a single income source, and inadequate reserves.

Governance risk relates to the capacity and integrity of the grantee's leadership and structures. This includes weak trustee oversight, conflicts of interest, lack of appropriate policies, and non-compliance with legal requirements.

Delivery risk concerns whether the project will achieve its intended outcomes. This includes unrealistic timelines, insufficient staff capacity, poor project planning, and failure to engage beneficiaries.

Reputational risk encompasses anything that could damage the funder's standing. This includes association with organisations involved in scandals, poor safeguarding practice, or projects that cause unintended harm.

For each risk category, set clear thresholds using a simple likelihood-impact matrix:

Risk level | Likelihood | Impact | Example | Typical response
Low | Unlikely | Minor | Minor budget variance on a small grant | Standard monitoring; no additional conditions
Medium | Possible | Moderate | New organisation with limited track record | Enhanced due diligence; staged payments; mid-point review
High | Likely | Significant | Grantee flagged with governance concerns | Intensive monitoring; conditions on grant; board-level sign-off
Critical | Almost certain | Severe | Evidence of fraud or safeguarding failure | Suspend payments; escalate to senior staff or board; consider reporting to Charity Commission

The framework should also specify escalation routes. Define who can approve grants at each risk level — programme officers for low-risk, senior managers for medium, and board or committee for high and critical. The Charity Commission's CC26 guidance recommends that "the board should set the charity's risk appetite and ensure that major risks are identified and managed."

How Should You Apply Proportionate Due Diligence?

Proportionate due diligence means adjusting your checks to the size of the grant, the nature of the activity, and the risk profile of the grantee — not applying the same process regardless of context. The UK Government's Grants Functional Standard explicitly distinguishes between grants under £100,000 (where standard team-level checks suffice) and larger or more complex grants (where specialist assessment is recommended).

For a practical approach, tier your due diligence by grant size and risk:

Micro-grants (under £5,000). Confirm the organisation exists (Charity Commission or Companies House register check), verify a named contact, and review a recent bank statement. This can be completed in under an hour and should not require the grantee to produce bespoke documentation.

Small grants (£5,000 to £25,000). Add a review of the most recent annual accounts, a governance document check, and a safeguarding policy review (if the project involves vulnerable people). Request a project budget and basic delivery plan.

Medium grants (£25,000 to £100,000). Add a more detailed financial assessment, an equality and diversity policy review, insurance verification, and a structured assessment of organisational capacity. Consider a site visit or video call with the project lead.

Large grants (over £100,000). Full due diligence including independent examination of accounts, board composition review, detailed risk assessment of the project plan, and potentially a reputation check on key individuals. Consider external assessment.

Tools like Plinth can automate significant portions of this process. Plinth's AI-powered due diligence features automatically review uploaded governance documents, safeguarding policies, equality and diversity policies, accounts, bank statements, insurance certificates and inspection reports, flagging issues by severity so that programme officers can focus their attention where it matters most rather than reading every document line by line. The platform also runs automated checks against the Charity Commission and Companies House registers, pulling in up-to-date regulatory data.

What Role Do Staged Payments and Conditions Play?

Staged payments are one of the most effective risk management tools available to grantmakers. Instead of releasing the full grant amount upfront, funds are disbursed in tranches linked to milestones, reporting deadlines, or satisfactory progress.

The logic is straightforward: if a grantee encounters difficulties — financial, operational, or governance-related — staged payments limit the funder's exposure. They also create natural checkpoints for the funder to assess progress and offer support. The UK Government's Grants Functional Standard recommends that "payment schedules should be aligned to milestones and evidence."

A typical staged payment structure for a 12-month grant might look like this:

Payment | Timing | Amount | Condition
Instalment 1 | On signing grant agreement | 40% | Grant agreement signed; bank details verified; KPIs agreed
Instalment 2 | Month 6 | 30% | Six-month monitoring report submitted and accepted
Instalment 3 | Month 12 | 30% | Final report submitted; outcomes data provided

For higher-risk grants, funders can add conditions — for example, requiring the grantee to recruit a qualified project manager before the second instalment, or to demonstrate that specific safeguarding training has been completed. Conditions should be specific, measurable and time-bound; vague requirements like "improve governance arrangements" are difficult to verify and create friction.

Plinth's grant management system supports configurable payment schedules (monthly, quarterly, annually, or custom), with automated reminders sent to grantees ahead of monitoring deadlines. The platform tracks which monitoring submissions have been received, accepted or rejected, and links payment release to monitoring status — so funds are not released until the relevant report has been submitted and reviewed.

Grant agreements can be set up and signed digitally within the platform, with both funder and grantee able to negotiate KPIs and workplans before signing. This creates a clear, documented baseline against which progress can be measured.

How Should You Monitor Active Grants?

Monitoring is where risk management moves from theory to practice. Effective monitoring is not about collecting data for its own sake — it is about maintaining enough visibility to spot problems early and provide support before small issues become serious ones.

The frequency and depth of monitoring should reflect the risk level assigned at the due diligence stage. Low-risk grants might require only an end-of-grant report. Medium-risk grants might need a mid-point check-in and an end-of-grant report. High-risk grants might need quarterly reporting with structured progress updates.

Regardless of the reporting frequency, good monitoring focuses on a few key questions: Is the project on track against its milestones? Is the budget being spent as planned? Have any significant risks materialised? Has anything changed — new staff, new beneficiary group, new delivery approach — that the funder should know about?

The Charity Commission's Sector Risk Assessment 2025 highlighted financial resilience as a growing concern, noting that "the difference between sector income and expenditure reduced by almost three-quarters over the last two years." For grantmakers, this means that financial monitoring — particularly of organisations that may be under pressure from multiple directions — is more important than ever.

One of the most common monitoring failures is collecting reports but not actually reviewing them in a timely way. If a grantee submits a six-month report flagging cash flow problems and the funder does not read it for three months, the opportunity for early intervention has been lost.

Technology can help here. Plinth sends automated reminders to grantees before monitoring deadlines, and alerts funders when reports are overdue or when AI analysis of submitted reports identifies potential concerns. The platform's monitoring timeline gives both funders and grantees a clear view of upcoming deadlines, submitted reports, and outstanding actions — reducing the risk of reports sitting unread in an email inbox.

How Do You Handle Issues When They Arise?

Even with good due diligence and monitoring, issues will arise. A grantee may encounter unexpected financial difficulties. A key staff member may leave. A safeguarding concern may surface. How the funder responds to these situations matters as much as the preventive controls.

The first principle is timeliness. When an issue is identified — whether through monitoring reports, media coverage, regulatory alerts, or direct communication from the grantee — the funder should acknowledge it promptly and assess its severity. Delays allow small problems to escalate.

The second principle is proportionality. Not every issue requires a heavy-handed response. A minor budget variance on an otherwise well-performing grant might need nothing more than a conversation. A safeguarding allegation requires immediate, structured action. The risk framework described earlier should guide the response: low-severity issues are handled by the programme officer; medium-severity issues are escalated to a manager; high-severity issues go to the board or a designated committee.

The third principle is documentation. Every issue, every action taken, and every decision made should be recorded. This protects both the funder and the grantee, and creates a trail that can be reviewed if the situation escalates or if the funder faces regulatory scrutiny. The Charity Commission's guidance on serious incident reporting sets out when incidents must be reported to the regulator — and funders should be aware that they may need to encourage grantees to report, or report directly if the grantee does not.

Plinth maintains a full audit trail of all grant-related activity — from application submission through due diligence, assessment, agreement, monitoring and payments. Every document review, score, status change and communication is logged, creating the kind of documented decision trail that the Charity Commission expects.

What Can Funders Learn From Fraud Data?

Understanding fraud patterns helps funders design controls that address real, not hypothetical, risks. The BDO Charity Fraud Report has tracked fraud across the UK charity sector since 2020, providing the most comprehensive longitudinal dataset available.

The 2024 report found that the most common type of fraud was misappropriation of cash or assets by staff and volunteers, reported by 40% of affected charities. Payment diversion fraud (also known as authorised push payment fraud) was the second most common, affecting 33%. Notably, 50% of detected frauds were perpetrated by people inside the organisation — not external actors.

The 2025 report showed improvement in some areas: overall fraud incidence dropped to 34%, although 73% of affected charities still experienced financial loss. The BDO series shows that as organisations improve controls in some areas, new fraud types continue to emerge.

For grantmakers, the practical implications are clear:

  • Verify banking details independently. Payment diversion fraud exploits trust in email communications. Always confirm bank details through a separate channel before making payments.
  • Review financial controls, not just financial statements. An organisation can have clean accounts and still have weak internal controls. Ask about separation of duties, authorisation limits, and reconciliation processes.
  • Do not assume that small organisations are lower risk. The BDO data shows that internal fraud affects organisations of all sizes. Smaller organisations may actually have weaker controls because they have fewer staff to separate financial duties.
  • Check for governance red flags. Multiple trustees from the same family, a single person holding multiple roles, or a board that has not changed in years can all indicate concentration of power that increases fraud risk.

Plinth's AI-powered document analysis can flag many of these issues automatically. When governance documents are uploaded, the system checks for trustee relationships, board size, conflict of interest policies, and dissolution clauses. When accounts are uploaded, it identifies income concentration, reserve levels, and year-on-year trends. When bank statements are reviewed, it checks for unusual transactions and verifies that the account matches the organisation.

How Does Trust-Based Philanthropy Fit With Risk Management?

A common misconception is that trust-based philanthropy and risk management are in tension — that you must choose between trusting grantees and managing risk. In practice, the best funders do both.

IVAR's Open and Trusting Grant-making programme, which now includes over 150 funders making grants worth more than £1 billion annually, explicitly addresses risk. The programme's commitments include that funders should "continue to share their insights on risks with applicants and grantees to help support their risk identification, mitigation and management" and "invest in strengthening relationships to support transparent conversations related to risk."

The key insight is that trust-based approaches change where risk management happens, not whether it happens. Instead of front-loading all assurance into a heavyweight application process, trust-based funders invest more in relationship management, ongoing dialogue, and responsive support during delivery. They accept that some risk is inherent in funding innovation and community-led work, and they focus their controls on the risks that genuinely matter rather than creating a sense of false assurance through documentation.

This does not mean abandoning due diligence. It means calibrating it — using lighter checks for lower-risk, smaller grants, and investing the time saved in more meaningful engagement with higher-risk or more complex programmes. It also means recognising that the grantee often understands their own risks better than the funder does, and that a conversation about risk can be more revealing than a policy document.

For funders adopting trust-based approaches, Plinth's free tier provides a practical starting point — offering structured application forms, basic due diligence checks, and monitoring tools without requiring grantees to navigate complex or costly systems.

What Does a Good Risk Management Process Look Like End to End?

Bringing everything together, effective risk management in grantmaking follows a cycle that mirrors the grant lifecycle itself:

1. Design (before applications open). Define your risk appetite. Build a risk framework with clear categories, thresholds and escalation routes. Decide what due diligence you will require at each grant size tier. Publish your approach so applicants know what to expect.

2. Application and assessment. Collect proportionate information. Use structured application forms rather than open-ended narratives. Run automated due diligence checks against regulatory registers. Review uploaded documents using consistent criteria. Score organisational capacity alongside project merit.

3. Award and agreement. Set conditions where appropriate. Agree KPIs and workplans with the grantee. Establish a payment schedule that reflects the risk level. Verify banking details independently. Sign a clear grant agreement that sets out expectations on both sides.

4. Delivery and monitoring. Monitor at a frequency that matches the risk level. Review reports promptly. Follow up on concerns. Provide support as well as scrutiny. Track spending against budget. Update the risk assessment if circumstances change.

5. Close-out and learning. Verify that funds were spent as intended. Collect final outcomes data. Review what went well and what did not. Update your risk framework based on what you learned. Share lessons — anonymised if necessary — across your portfolio.

This is not a one-off exercise. The Charity Commission's Sector Risk Assessment 2025 encourages trustees to review sector-wide risks as they update their own risk registers. For grantmakers, this means periodically reviewing whether your framework reflects current threats — from cyber fraud to cost-of-living pressures on grantees — rather than the risks you identified when the framework was first written.

Frequently Asked Questions

Should funders avoid higher-risk projects entirely?

No. Higher-risk projects often address the most pressing needs and serve the most underserved communities. The goal is to manage risk through proportionate controls — staged payments, enhanced monitoring, specific conditions — rather than avoiding it. Funders with a low risk appetite may miss opportunities for transformative impact.

How detailed should a risk scoring system be?

Simple, consistent scales work best. A three-level (low, medium, high) or four-level (low, medium, high, critical) framework is easier for staff to apply consistently than a complex numerical scoring system. The key is that everyone uses the same definitions and thresholds, so that a "medium risk" rating means the same thing regardless of who assessed it.

Who should sign off on risk escalations?

Define clear authority levels in your risk framework. Programme officers typically handle low-risk decisions. Medium-risk decisions should require sign-off from a senior manager or head of grants. High-risk and critical decisions should go to the board, a grants committee, or the chief executive. The important thing is that the escalation route is documented and known before an issue arises.

How often should we review our risk framework?

At minimum, annually — and whenever there is a significant change in the external environment, your grant portfolio, or your organisation's risk appetite. The Charity Commission recommends that trustees review risk registers regularly, and the same principle applies to grantmaking risk frameworks.

Can AI replace human judgement in risk assessment?

AI can significantly accelerate the mechanical parts of due diligence — checking register data, reviewing policy documents against standard criteria, flagging anomalies in accounts. But risk assessment ultimately requires human judgement about context, relationships and intent. The most effective approach uses AI to handle volume and consistency, freeing staff to focus on the cases that genuinely need human attention.

What is the difference between due diligence and risk management?

Due diligence is one component of risk management — specifically, the checks you carry out before making a grant to assess the grantee's suitability and capacity. Risk management is broader: it covers the entire lifecycle from programme design through monitoring, issue management and learning. Good risk management includes due diligence but extends well beyond it.

How do we balance transparency with confidentiality when sharing risk information?

Funders should be transparent about their risk management approach — publishing criteria, explaining what checks they carry out, and providing feedback to applicants. However, specific risk assessments of individual grantees should be treated as confidential. If risk information needs to be shared with other funders (for example, through the 360Giving data standard), it should be anonymised and aggregated.

What should we do if we suspect fraud in an active grant?

Act promptly. Suspend further payments pending investigation. Document all evidence. Consult your fraud response plan (or create one if you do not have one). Consider whether the matter needs to be reported to the Charity Commission as a serious incident, and whether it requires reporting to law enforcement. The ACF's guide on tackling grant fraud provides detailed step-by-step guidance.

Last updated: February 2026