Running a grant programme carries risks that funders often underestimate. Fiduciary risk, reputational risk, programme failure, grantee distress, and unintended harms are all real possibilities in grantmaking. Effective grant programme risk management doesn't mean being risk-averse — it means understanding risks well enough to take the right ones, mitigate avoidable ones, and respond quickly when things go wrong.
Grant programme risks fall into several categories:
Fiduciary and financial risks:
- Funds misused or misappropriated by grantees
- Grants paid to organisations that are insolvent or poorly governed
- Payments made without appropriate accountability measures
- Fraud — deliberate false applications or misreporting
Programme failure risks:
- Funding ineffective interventions that don't achieve intended outcomes
- Poorly designed grant criteria that attract the wrong applicants
- Overfunding or underfunding relative to what's needed
- Grantees unable to deliver due to capacity gaps
Reputational risks:
- Public association with controversial grantees or activities
- Perceived conflicts of interest in assessment or awarding decisions
- Lack of transparency inviting criticism or Official Information Act (OIA) / freedom of information (FOI) requests
- Funding decisions that appear inconsistent or arbitrary
Equity and harm risks:
- Grant processes that inadvertently exclude marginalised communities
- Reporting requirements that burden small organisations disproportionately
- Power imbalances that disadvantage community applicants
- Funding activities that cause unintended harm to communities
Operational risks:
- Data breaches or loss of confidential application information (financial statements, personal details of trustees and staff, unsuccessful applicants' plans)
- Staff errors in assessment or decision-making
- Loss of institutional knowledge when staff turn over
- Technology failures at critical deadlines
Legal and compliance risks:
- Funding activities that breach charity law or tax requirements
- Conflict of interest failures that expose the funder to legal challenge
- Privacy breaches in handling personal information in applications
Likelihood × impact matrix. The standard approach: for each identified risk, assess the likelihood it will occur (low/medium/high) and the impact if it does. Risks that are both high likelihood and high impact are priorities for mitigation. The ratings are ordinal, so multiplying them gives a rough ranking rather than a measurement, and the matrix says nothing about risks that are correlated (one grantee's failure triggering several). It is a starting point for prioritisation, not a complete methodology, and ratings need revisiting whenever controls change.
Inherent vs. residual risk. Inherent risk is the risk level before any controls are in place. Residual risk is what remains after controls are applied. Good risk management focuses on what controls actually reduce risk, not just on documenting risks: a control only counts if it changes the likelihood or impact rating, and a register where residual risk equals inherent risk for every entry is documentation, not risk management.
Risk appetite statement. Effective risk management requires knowing what risk levels the organisation accepts. A risk appetite statement — approved by governance — defines tolerable risk levels for different risk categories. Without this, risk decisions default to individuals rather than organisational policy.
Due diligence on applicants. Checking Charities Register status, company registration, governance structure, and recent financial statements before awarding significant grants reduces fiduciary risk without requiring onerous application requirements.
Proportionate accountability. Larger grants warrant greater accountability requirements — milestone reporting, financial acquittals, audited accounts. Applying heavy accountability requirements to small grants is both burdensome and unnecessary.
Grant agreements. Clear, enforceable grant agreements that specify permitted use of funds, reporting obligations, and clawback provisions provide legal protection and signal expectations clearly.
Random or risk-based monitoring. Not every grant needs intensive monitoring. A risk-based approach — targeting monitoring resources at grants with higher risk profiles — is more effective than uniformly light or heavy oversight.
Fraud indicators. Train staff to recognise warning signs: applications that seem template-copied, organisations that appear on multiple applications, inconsistencies between application claims and public information (Charities Register filings, company records), and sudden changes in governance or banking details after grant award. A change to bank account details shortly before a payment is the classic payment-diversion pattern, so confirm any such change through a contact number already on file rather than the details supplied with the change request, and never solely by email.
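The warning signs above can be screened for automatically before a human reviews the flagged applications. The following is an added example, not Tahua's or any funder's code: it normalises organisation names (so a macron or punctuation difference does not hide a duplicate), compares narrative text for template-copying, and flags bank-detail changes that land inside a window after award. The application records, the bank-detail change log, the 0.8 similarity threshold and the 60-day window are all constructed for illustration.

```python
"""Screen grant applications for the fraud indicators in the text above.
Added example with constructed data; thresholds are illustrative."""
import re
import unicodedata
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Optional


def normalise(text: str) -> str:
    """Lower-case, strip diacritics (so 'Kōwhai' == 'Kowhai') and drop
    punctuation, so trivially re-keyed names and narratives compare equal."""
    stripped = "".join(c for c in unicodedata.normalize("NFKD", text)
                       if not unicodedata.combining(c))
    return " ".join(re.findall(r"\w+", stripped.lower()))


def jaccard(a: str, b: str) -> float:
    """Word-set overlap between two narratives, 0.0 (disjoint) to 1.0 (identical)."""
    wa, wb = set(normalise(a).split()), set(normalise(b).split())
    return (len(wa & wb) / len(wa | wb)) if (wa | wb) else 0.0


def screen(applications: List[dict], bank_changes: List[dict],
           similarity: float = 0.8, window_days: int = 60) -> Dict[str, List[str]]:
    flags: Dict[str, List[str]] = defaultdict(list)

    # 1. Same organisation on more than one application.
    by_org: Dict[str, List[str]] = defaultdict(list)
    for app in applications:
        by_org[normalise(app["org"])].append(app["id"])
    for ids in by_org.values():
        if len(ids) > 1:
            for app_id in ids:
                flags[app_id].append(
                    f"organisation appears on {len(ids)} applications: {', '.join(ids)}")

    # 2. Template-copied narratives: high word-set overlap between applicants.
    for i, a in enumerate(applications):
        for b in applications[i + 1:]:
            score = jaccard(a["narrative"], b["narrative"])
            if score >= similarity:
                flags[a["id"]].append(f"narrative {score:.2f} similar to {b['id']}")
                flags[b["id"]].append(f"narrative {score:.2f} similar to {a['id']}")

    # 3. Bank details changed shortly after award (payment-diversion pattern).
    awarded: Dict[str, Optional[date]] = {app["id"]: app["awarded"]
                                          for app in applications if app["awarded"]}
    for change in bank_changes:
        award_date = awarded.get(change["id"])
        if award_date and award_date < change["changed"] <= award_date + timedelta(days=window_days):
            days = (change["changed"] - award_date).days
            flags[change["id"]].append(
                f"bank details changed {days} days after award; verify out of band")

    return dict(flags)


# Constructed sample data: four applications, two bank-detail change events.
APPLICATIONS = [
    {"id": "A1", "org": "Kōwhai Community Trust", "awarded": date(2024, 3, 1),
     "narrative": "We will run weekly after-school mentoring sessions for rangatahi aged 12 to 17 "
                  "with trained volunteers, and measure attendance and wellbeing over twelve months."},
    {"id": "A2", "org": "Kowhai Community Trust", "awarded": None,
     "narrative": "Funding will purchase a van to transport kaumātua to medical appointments "
                  "and community events across the rohe."},
    {"id": "A3", "org": "Harbour Youth Services", "awarded": date(2024, 3, 1),
     "narrative": "We will run weekly after-school mentoring sessions for young people aged 12 to 17 "
                  "with trained volunteers, and measure attendance and wellbeing over twelve months."},
    {"id": "A4", "org": "Riverside Arts Collective", "awarded": date(2024, 3, 1),
     "narrative": "The collective will stage a free outdoor exhibition of local artists' work over the summer."},
]
BANK_CHANGES = [
    {"id": "A3", "changed": date(2024, 3, 20)},   # 19 days after award: flag
    {"id": "A4", "changed": date(2024, 1, 10)},   # before award: routine, no flag
]

if __name__ == "__main__":
    for app_id, reasons in sorted(screen(APPLICATIONS, BANK_CHANGES).items()):
        print(app_id, "->", "; ".join(reasons))
```

Running it flags A1 and A2 as the same organisation, A1 and A3 as near-identical narratives, and A3 for a bank-detail change 19 days after award; A4 is not flagged. The flags are prompts for a reviewer, not decisions: a shared narrative may be a legitimate shared template from a capacity-building programme, which is why the third check matters most and ends with an instruction to verify out of band.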
Robust conflict of interest processes. A documented, consistently applied conflict of interest policy — with proper declaration registers and recusal processes — protects the funder's credibility and reduces legal exposure.
Transparency in decision-making. Publishing funding decisions (with summary rationale), declined applicant feedback processes, and public accountability reports reduces the risk of criticism based on perceived arbitrariness.
Media and crisis planning. What happens if a grantee is involved in a scandal? Having a media protocol — including who speaks, what the funder's position is, and how it communicates with affected stakeholders — reduces reputational damage from events the funder couldn't have predicted.
Accessibility audits of grant processes. Who is applying, and who isn't? If certain communities are consistently underrepresented in applicant pools, the grant process itself may be creating barriers. Regular equity analysis of application data identifies these patterns.
Community consultation on programme design. Programmes designed without input from target communities frequently miss what's needed. Building in consultation — especially with Māori and Pacific communities in New Zealand — reduces the risk of designing programmes that don't fit community realities.
Grantee wellbeing monitoring. Organisations under financial stress can behave in ways that harm beneficiaries. Understanding the financial health of grantees — through regular check-ins, not just formal reports — allows early intervention.
A risk register is a living document that captures identified risks, their likelihood and impact ratings, the controls in place, the residual risk level, and who is responsible for managing each risk. In grants management, software that includes risk flagging (allowing programme managers to mark grantees of concern and trigger review processes) makes risk management practical rather than just theoretical.
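The register, the likelihood × impact scoring, the inherent-versus-residual distinction and the appetite statement described above fit together as one small data structure. The following is an added example, not code from this page or from Tahua's platform: each entry carries its owner, inherent ratings, controls and the ratings after controls; the residual score only drops when a control actually changes a rating, and a per-category appetite threshold decides which residual risks need governance attention. The risks, ratings, controls and appetite values are constructed for illustration.

```python
"""Risk register with likelihood x impact scoring, inherent versus residual
risk and a per-category risk appetite. Added example with constructed data."""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Maximum tolerable residual score per category, as a governance-approved
# appetite statement would set it (constructed values).
APPETITE = {"fiduciary": 2, "reputational": 3, "operational": 4, "equity": 3}


@dataclass
class Risk:
    name: str
    category: str
    owner: str                      # who is responsible for managing the risk
    likelihood: str                 # inherent rating: low / medium / high
    impact: str                     # inherent rating: low / medium / high
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # rating after controls, if it changed
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_score(self) -> int:
        # A listed control only lowers the score if it changes a rating; a
        # control that is documented but leaves both ratings as they were has
        # not reduced the risk.
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return LEVELS[lk] * LEVELS[im]


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by inherent score."""
    return sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def over_appetite(register: List[Risk]) -> List[Risk]:
    """Risks whose residual score exceeds the appetite for their category."""
    return [r for r in register if r.residual_score() > APPETITE[r.category]]


def sample_register() -> List[Risk]:
    """Constructed entries covering four of the categories in the text."""
    return [
        Risk("Grant funds misappropriated", "fiduciary", "Finance manager", "medium", "high",
             ["Charities Register check", "milestone payments", "clawback clause"],
             residual_likelihood="low", residual_impact="medium"),
        Risk("Application data breach", "operational", "IT lead", "medium", "high",
             ["role-based access to application records"], residual_likelihood="low"),
        # Documented control, but nobody has re-rated the risk: residual == inherent.
        Risk("Perceived conflict of interest in assessment", "reputational", "Board secretary",
             "high", "medium", ["conflict of interest policy written"]),
        Risk("Small grantees burdened by reporting", "equity", "Programme manager", "high", "low",
             ["proportionate reporting tiers"], residual_likelihood="medium"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in prioritise(register):
        print(f"residual {r.residual_score()} / inherent {r.inherent_score()}  "
              f"{r.category:<12} {r.name} ({r.owner})")
    print("over appetite:", [r.name for r in over_appetite(register)])
```

The conflict-of-interest entry is the one worth noticing: it has a control listed, yet it tops the prioritised list and is the only risk over appetite, because writing a policy did not change either rating. That is the register doing its job, exposing a documented-but-ineffective control.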
Tahua's grants management platform includes risk flagging, audit trails, and compliance controls that support funders in managing risk across their grant portfolios.