The Cost of Non-Compliance in Grantmaking

Non-compliance costs UK funders 2.71x more than compliance itself. Learn the financial, legal and reputational risks and how to prevent them.

By Plinth Team

Non-compliance in grantmaking is not an abstract regulatory concern. It is a tangible financial, operational and reputational burden that affects funders of every size. When grant processes lack adequate controls, the consequences compound quickly: wasted funds, damaged relationships with grantees, loss of public trust, and formal regulatory intervention by the Charity Commission.

The Charity Commission for England and Wales concluded 4,375 regulatory concern cases in 2024-25, an 18 per cent increase on the previous year's 3,710 cases (Charity Commission Annual Report 2024-25). It opened 112 new statutory inquiries in the same period, up from 89 the year before. These are not fringe cases affecting only large foundations. Small and mid-sized funders face the same regulatory expectations, often with fewer resources to respond when things go wrong.

Research from the Ponemon Institute found that the total cost of non-compliance averages 2.71 times the cost of maintaining compliance in the first place (Ponemon Institute / Globalscape, 2017). Prevention, in other words, is significantly cheaper than remediation. This article examines where compliance failures arise, what they actually cost, and how funders can build proportionate controls that protect both their organisation and the communities they serve.

What does non-compliance actually cost?

The costs of non-compliance extend far beyond regulatory fines. They accumulate across financial losses, operational disruption, legal fees, and the harder-to-quantify erosion of trust and reputation.

Direct financial costs include recovery of misspent funds, legal expenses for investigations or litigation, and potential fines. Under UK law, failure to comply with charity reporting requirements can lead to fines of up to 1,000 pounds. But fines are often the smallest element. The BDO Charity Fraud Report found that 42 per cent of charities surveyed had been victims of fraud in the previous 12 months, with average losses per incident ranging from 102,000 to 197,000 pounds (ICAEW, November 2024).

Indirect costs are typically larger. They include staff time diverted to crisis response, lost productivity during investigations, suspended grantmaking while issues are resolved, and the cost of rebuilding processes after a failure. When the Charity Commission opens a statutory inquiry, the organisation's leadership can expect months of disruption.

Reputational costs are the most damaging of all. Funders depend on the trust of donors, beneficiaries, partner organisations and the public. A single high-profile compliance failure can undermine years of credibility. The Captain Tom Foundation inquiry, which concluded in 2024 with the disqualification of two trustees, demonstrated how governance failures become national news stories that overshadow the charitable purpose entirely.

| Cost category | Examples | Typical scale |
| --- | --- | --- |
| Direct financial | Fines, fund recovery, legal fees | 1,000 to 200,000+ pounds per incident |
| Operational disruption | Staff time, suspended programmes, process redesign | Weeks to months of reduced capacity |
| Regulatory burden | Inquiry responses, evidence gathering, compliance plans | 6 to 24 months of senior leadership time |
| Reputational damage | Media coverage, donor withdrawal, partner hesitancy | Years to rebuild; some damage permanent |
| Opportunity cost | Grants not made during suspension, talent lost | Difficult to quantify but substantial |

Where do compliance failures most commonly occur?

Most compliance failures are not dramatic events. They are the accumulation of small, persistent weaknesses in everyday processes. Understanding the most common failure points allows funders to prioritise their controls effectively.

Inconsistent eligibility and assessment. When criteria are unclear or applied differently by different reviewers, decisions become difficult to defend. The Charity Commission expects funders to demonstrate that decisions are made transparently and consistently. Without standardised assessment frameworks, organisations risk both poor outcomes and regulatory criticism.

Weak due diligence. Due diligence failures remain one of the top concerns in Charity Commission inquiries. This includes failing to verify charity registration, not checking governing documents, overlooking safeguarding policies, and not confirming that organisations have adequate financial controls. The Commission assessed 3,132 serious incident reports in 2024-25 (Charity Commission Annual Report 2024-25), many of which related to failures that better upfront checks would have identified.

Inadequate payment controls. Releasing funds without adequate conditions, failing to stage payments against milestones, or not reconciling payments against approved budgets all create risk. Half of all detected charity fraud is committed by internal perpetrators (ICAEW, November 2024), making robust payment controls essential.

Poor monitoring and close-out. Funders who award grants but fail to monitor delivery or formally close out completed grants leave themselves exposed. Missing monitoring data means they cannot demonstrate that funds were used for their intended purpose, which is a fundamental requirement of charity law.

Incomplete record-keeping. Without decision logs, conflict of interest records, and documented rationale for awards, funders cannot demonstrate good governance. The Charity Commission's double defaulter inquiry in 2024-25 acted against charities that had failed to file annual documents for two or more years, with 130 separate instructions issued to trustees to prepare missing documents.

How does the Charity Commission respond to non-compliance?

The Charity Commission has a graduated range of responses, from advice and guidance through to formal enforcement action. Understanding this spectrum helps funders appreciate the seriousness of their obligations.

At the lightest end, the Commission provides regulatory advice and guidance, or issues official warnings. These are not penalties in themselves, but they signal that the Commission has identified concerns and expects corrective action. Ignoring warnings escalates the situation significantly.

Statutory inquiries represent a serious escalation. The Commission opened 112 new inquiries in 2024-25, up from 89 the previous year. During an inquiry, the Commission can exercise protective powers including suspending trustees, freezing bank accounts, and appointing interim managers. It used a total of 13,076 individual powers across the year, up from 11,108 in 2023-24 (Charity Commission Annual Report 2024-25).

Trustee removal and disqualification is the most severe sanction. To disqualify a trustee, the Commission must be satisfied that the individual is unfit to serve and that disqualification is in the public interest. This is a three-part test applied carefully, but when the Commission exercises this power the consequences are career-ending for those involved.

Removal from the register is the ultimate consequence for a charity that fails to demonstrate it is operating. In the 2024-25 double defaulter inquiry, two charities were removed from the register entirely after being found to have ceased operating.

Whistleblowing disclosures to the Commission reached 546 in 2024-25, the second-highest figure in the past decade. Governance failures were the most commonly reported issue, with 303 governance-related disclosures, nearly double the 152 reported the previous year (Charity Commission Whistleblowing Disclosures 2024-25).

What does proportionate compliance look like?

Not every funder needs enterprise-grade compliance infrastructure. The Charity Commission expects controls to be proportionate to the scale and complexity of the grantmaking activity. A family foundation distributing 50,000 pounds annually needs different controls from a national lottery distributor managing hundreds of millions.

The principle is straightforward: identify the risks that are material to your organisation and put in place controls that address them consistently. What matters is not the sophistication of the system, but the reliability of its application.

For small funders (under 250,000 pounds in annual grants), proportionate compliance typically means: documented eligibility criteria, basic due diligence checks on every applicant, a simple conflict of interest register, clear payment authorisation procedures, and a record of why each decision was made.

For mid-sized funders (250,000 to 2 million pounds), additional controls become important: formal assessment frameworks with scoring criteria, structured monitoring requirements linked to payment schedules, periodic review of closed grants, and regular board reporting on risk and compliance matters.

For large funders (over 2 million pounds), the expectation extends to: independent external reviews, comprehensive risk registers with regular updates, detailed audit trails across the full grant lifecycle, and dedicated compliance capacity within the team.

Regardless of size, every funder should be able to answer three questions about any grant: why was this decision made, what checks were completed before funds were released, and how was delivery monitored?

How can funders build a compliance-ready culture?

Compliance is not solely a systems problem. It is a cultural one. The most robust processes in the world will fail if the people using them do not understand why they matter or feel empowered to raise concerns.

Training and calibration. Reviewers and decision-makers need regular training on the criteria they are applying and the standards they are expected to meet. Calibration exercises, where multiple reviewers assess the same application independently and compare results, help identify inconsistency before it becomes a problem.

Clear policies, easily accessible. Compliance policies that sit in a drawer are not policies at all. Conflict of interest procedures, escalation routes, and reporting requirements need to be documented in plain language and accessible to everyone involved in grantmaking decisions. The Charity Commission's guidance on managing conflicts of interest provides a useful starting framework.

Leadership accountability. Trustees and senior leaders set the tone. When compliance is treated as an administrative burden rather than a governance priority, staff follow that lead. Conversely, when leaders actively engage with compliance reporting and ask probing questions about risk, it signals that these matters are taken seriously.

Reporting culture. Organisations need mechanisms for staff and stakeholders to raise concerns without fear of reprisal. The doubling of governance-related whistleblowing reports to the Commission, from 152 to 303 in a single year, suggests that more people are willing to speak up, but also that there are more issues to speak up about. Internal reporting channels should be the first line of defence, not the Charity Commission.

What role does technology play in preventing non-compliance?

Technology alone does not guarantee compliance. But the right tools, applied consistently, can embed good practice into everyday workflows and make accidental non-compliance much harder.

Centralised record-keeping. When applications, assessments, decisions, payments and monitoring reports all live in one system, there are no gaps in the audit trail. This is far harder to achieve with spreadsheets, email chains and shared drives, where documents are easily lost, overwritten or filed inconsistently.

Automated checks and reminders. Systems that automatically verify charity registration numbers, flag overdue monitoring reports, or prevent payments from being released before conditions are met reduce reliance on individual memory and diligence.

Structured workflows. When the grantmaking process follows a defined sequence, with each step requiring completion before the next begins, it becomes procedurally difficult to skip due diligence or release payments without approval.
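The three ideas above (one record for every decision, automated checks and reminders, and a workflow whose steps cannot be skipped) can be made concrete in a few dozen lines. The following is an added example written for this article; it is not Plinth's software or any funder's real system. The stage names, the list of required due-diligence checks, the sample register entries, the charity numbers and the two-person rule on payments are all assumptions chosen to illustrate the controls described in this section and in the earlier paragraph on payment controls.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Constructed stand-in for the public charity register: sample data, not real numbers.
REGISTER = {"1234567": "Example Community Trust", "7654321": "Sample Youth Project"}

# Assumed minimum due-diligence checks, in the order failures are reported.
REQUIRED_CHECKS = ("register_match", "governing_document",
                   "safeguarding_policy", "financial_controls")

class Stage(Enum):
    # Lifecycle stages; each must be completed before the next begins.
    APPLIED = 1
    DUE_DILIGENCE_COMPLETE = 2
    APPROVED = 3
    DISBURSING = 4   # agreement signed; staged payments may now be released
    CLOSED = 5

class WorkflowError(Exception):
    """A step attempted out of sequence or without its conditions met."""

@dataclass
class Grant:
    ref: str
    charity_number: str
    approved_budget: int                       # whole pounds
    report_due: str                            # ISO date (YYYY-MM-DD); compares in date order
    stage: Stage = Stage.APPLIED
    paid: int = 0
    milestones_met: set = field(default_factory=set)
    report_received: bool = False
    audit: list = field(default_factory=list)  # append-only decision log

    def record(self, actor: str, event: str, **detail) -> None:  # who, what, when
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "event": event, **detail})

    def require_stage(self, stage: Stage) -> None:
        if self.stage is not stage:
            raise WorkflowError(f"{self.ref}: expected {stage.name}, found {self.stage.name}")

def verify_registration(charity_number: str) -> bool:
    """Automated check: is the applicant's number on the (sample) register?"""
    return charity_number in REGISTER

def complete_due_diligence(g: Grant, actor: str, results: dict) -> None:
    """Leave APPLIED only when every required check passed."""
    g.require_stage(Stage.APPLIED)
    # The register match is computed here rather than trusted from the caller.
    results = dict(results, register_match=verify_registration(g.charity_number))
    failed = [c for c in REQUIRED_CHECKS if not results.get(c)]
    if failed:
        g.record(actor, "due_diligence_failed", failed=failed)
        raise WorkflowError(f"{g.ref}: checks not passed: {failed}")
    g.record(actor, "due_diligence_complete", checks=list(REQUIRED_CHECKS))
    g.stage = Stage.DUE_DILIGENCE_COMPLETE

def approve(g: Grant, actor: str, rationale: str, conflicts_declared: bool) -> None:
    """An award needs a written rationale and conflict-of-interest declarations."""
    g.require_stage(Stage.DUE_DILIGENCE_COMPLETE)
    if not rationale.strip() or not conflicts_declared:
        raise WorkflowError(f"{g.ref}: rationale and conflict declarations are required")
    g.record(actor, "approved", rationale=rationale)
    g.stage = Stage.APPROVED

def sign_agreement(g: Grant, actor: str) -> None:
    g.require_stage(Stage.APPROVED)
    g.record(actor, "agreement_signed")
    g.stage = Stage.DISBURSING

def release_payment(g: Grant, amount: int, milestone: str,
                    requested_by: str, authorised_by: str) -> int:
    """Staged disbursement: after signature, against a met milestone, within
    budget, and authorised by someone other than the requester."""
    g.require_stage(Stage.DISBURSING)
    if milestone not in g.milestones_met:
        raise WorkflowError(f"{g.ref}: milestone {milestone!r} not yet met")
    if g.paid + amount > g.approved_budget:
        raise WorkflowError(f"{g.ref}: payment would exceed the approved budget")
    if requested_by == authorised_by:
        raise WorkflowError(f"{g.ref}: requester cannot authorise their own payment")
    g.paid += amount
    g.record(authorised_by, "payment_released", amount=amount,
             milestone=milestone, requested_by=requested_by)
    return g.paid

def close_grant(g: Grant, actor: str) -> None:
    """Close-out requires the final monitoring report to be on file."""
    g.require_stage(Stage.DISBURSING)
    if not g.report_received:
        raise WorkflowError(f"{g.ref}: cannot close without a monitoring report")
    g.record(actor, "closed", total_paid=g.paid)
    g.stage = Stage.CLOSED

def overdue_reports(grants, today: str) -> list:
    """Reminder check: open grants whose monitoring report is past due."""
    return [g.ref for g in grants if g.stage is Stage.DISBURSING
            and not g.report_received and g.report_due < today]
```

Two design choices are worth noting. Every gate raises rather than silently continuing, so a payment cannot be released before the agreement is signed, before the milestone is met, beyond the approved budget, or by the same person who requested it; that last rule is the code's version of "clear payment authorisation procedures", and it matters because half of detected charity fraud is internal. And the audit list is written by the same functions that change state, so the three questions every funder should be able to answer about a grant (why the decision was made, what checks were completed before funds were released, how delivery was monitored) are answered from one record rather than reconstructed from email.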

Tools like Plinth take this further by building compliance controls into the platform by default. Plinth's AI-powered due diligence checks automatically review uploaded governance documents, safeguarding policies and equality policies for compliance issues, checking elements such as charity register matching, dissolution clauses, conflict of interest coverage, named safeguarding leads, DBS check references and Equality Act 2010 compliance. This does not replace human judgement, but it ensures that common oversights are flagged before decisions are made.

Plinth also provides structured grant agreements with digital signatures, timestamped audit trails across the full lifecycle, staged disbursement tracking with burn-down charts, and monitoring timelines that keep both funders and grantees accountable to agreed reporting schedules. The platform includes a free tier, making proportionate compliance tools accessible even to the smallest funders.

How should funders respond when things go wrong?

Even with strong controls, compliance incidents will occasionally occur. The quality of the response matters as much as the quality of prevention.

Act quickly. The moment a potential issue is identified, pause the relevant activity. If a payment is in question, hold it. If a conflict of interest is suspected, recuse the relevant parties. Speed matters because continued activity compounds the problem.

Gather evidence before drawing conclusions. Document what is known, what is suspected, and what remains uncertain. Avoid premature judgements that may need to be reversed later. Keep records of every step taken in the response.

Notify stakeholders as required. The Charity Commission expects serious incidents to be reported promptly. The Commission assessed 3,132 serious incident reports in 2024-25, and regards timely reporting as a sign of good governance rather than an admission of failure. Delays in reporting are themselves treated as a compliance concern.

Be transparent. Honest, proactive communication with stakeholders, donors, partner organisations and, where appropriate, the public, protects long-term credibility far more effectively than attempting to minimise or conceal the issue. The Charity Commission's inquiry reports consistently note that organisations which responded openly fared better than those which were defensive or obstructive.

Learn and update. Every incident should result in a documented review of what happened, why existing controls failed, and what changes are being made. This is not just good practice; it is what the Commission will expect to see if it becomes involved.

The risk management approach matters here. Organisations that have already identified their key risks and developed contingency plans are better positioned to respond calmly and effectively when incidents occur.

Prevention versus remediation: the business case

The economic argument for investing in compliance is compelling. The Ponemon Institute's research found that non-compliance costs 2.71 times more than compliance, with the average cost of non-compliance reaching 14.82 million US dollars compared to 5.47 million dollars for maintaining compliance (Ponemon Institute / Globalscape, 2017). While these figures come from the corporate sector, the ratio holds instructive lessons for grantmakers.

For a mid-sized UK funder spending 2 million pounds annually in grants, the practical calculation might look like this:

| Investment | Annual cost | What it covers |
| --- | --- | --- |
| Proportionate compliance (prevention) | 15,000 to 40,000 pounds | Software, training, periodic review, staff time for due diligence and monitoring |
| Single compliance incident (remediation) | 50,000 to 300,000+ pounds | Investigation, legal advice, staff time, suspended grantmaking, process redesign |
| Regulatory inquiry response | 100,000 to 500,000+ pounds | Senior leadership time, legal representation, evidence gathering, compliance plan |

The comparison is stark. A funder investing 30,000 pounds annually in compliance infrastructure, including appropriate software, staff training, and periodic external review, is spending less than the lower end of what a single significant incident would cost.

Beyond the direct financial calculation, prevention protects the organisation's capacity to fulfil its mission. Every pound spent responding to compliance failures is a pound not spent on grants. Every hour a senior leader spends preparing for a regulatory inquiry is an hour not spent on strategy, relationships, or impact.

Governance costs for charities with incomes over 500,000 pounds typically account for 1 to 3 per cent of total expenditure (Charity Commission Accounts Monitoring Review). Funders spending below this range on compliance should consider whether their controls are truly proportionate, or simply under-resourced.

How does grant compliance connect to broader governance?

Grant compliance does not exist in isolation. It is one expression of an organisation's overall approach to governance, risk management and accountability.

Funders that excel at grant compliance tend to have strong governance cultures more broadly. They have active boards that ask challenging questions, clear delegated authorities, regular risk reviews, and a commitment to transparency in all their activities.

Conversely, compliance failures in grantmaking are often symptoms of wider governance weaknesses. The Charity Commission's inquiry reports frequently identify patterns where grant-related problems coexist with broader issues such as inadequate board oversight, unclear financial controls, or failure to manage conflicts of interest.

This connection matters because it means that improving grant compliance often requires addressing the underlying governance framework. Investing in better grantmaking processes is valuable, but it achieves the most when supported by a board that understands its responsibilities, a risk register that is regularly reviewed, and an organisational culture that values accountability.

For funders looking to strengthen their overall approach, the Charity Commission's guidance on good governance, combined with sector resources from organisations like the Association of Charitable Foundations, provides a solid foundation. Tools that provide transparency in decision-making support this broader governance objective.

FAQs

Are small funders really at risk of compliance action?

Yes. The Charity Commission's double defaulter inquiry in 2024-25 targeted charities that had failed to file annual documents, regardless of their size. Small funders face the same legal obligations as large ones. The Commission expects proportionate controls, not no controls. Lightweight but consistent processes are essential for every funder.

What is the most common type of compliance failure in grantmaking?

Incomplete record-keeping is the most widespread issue. Many funders make sound decisions but fail to document the rationale, the checks completed, or the conditions attached. Without records, even good decisions become impossible to defend if questioned by the regulator, auditors or stakeholders.

How much should a funder spend on compliance?

Governance costs for UK charities with incomes over 500,000 pounds typically range from 1 to 3 per cent of total expenditure. For grantmakers, this should cover due diligence processes, monitoring systems, staff training and periodic external review. The exact figure depends on the volume, value and complexity of grants.

Can technology replace a compliance team?

No. Technology can automate checks, enforce workflows and maintain audit trails, but it cannot replace the human judgement needed for complex decisions, the leadership culture that prioritises accountability, or the policy framework that defines what good looks like. Technology is an enabler, not a substitute.

What should I do if I discover a compliance problem?

Act immediately: pause the relevant activity, gather evidence, and document what you know. Report serious incidents to the Charity Commission promptly, as timely reporting is viewed positively. Communicate transparently with affected stakeholders. After resolution, conduct a formal review and update your processes to prevent recurrence.

Does the Charity Commission publish the outcomes of its inquiries?

Yes. Statutory inquiry reports are published on GOV.UK and are publicly accessible. The Commission also publishes quarterly casework and registrations data, whistleblowing statistics, and its annual report. These publications are valuable resources for funders seeking to understand current regulatory expectations and common failure points.

How often should compliance processes be reviewed?

At minimum, annually. Many funders review their compliance framework alongside their annual accounts cycle. However, processes should also be reviewed after any significant incident, after changes in regulation or Commission guidance, or when the scale or nature of grantmaking changes materially.

Is a serious incident report an admission of wrongdoing?

No. The Charity Commission is clear that reporting a serious incident is part of effective charity management and is not in itself an indication of wrongdoing. The Commission assessed 3,132 serious incident reports in 2024-25. Failure to report a serious incident, however, is treated as a compliance concern.

Last updated: February 2026