Mitigating risk through due diligence

Due diligence is an invaluable precursor to any sizeable transaction — particularly in the nonprofit sector.

Due diligence involves the assessment of risks associated with individuals and organizations you intend to partner with, like donors or grantees. Due diligence can be an essential precursor to any sizeable transaction — particularly in the charity sector, where ethical expectations are high and any suggestion of poor governance can do significant damage to your reputation. 

In the UK, trustees of charities have a legal obligation to identify risks associated with donations and grants. Guidance from the UK’s charity regulator — the Charity Commission — is vague, but trustees are expected to demonstrate that they have made a proactive attempt to identify risks. This might involve:

  • researching the original source of any funding received (if receiving money from another organization, who is its main donor — and what is that person’s source of wealth?)
  • checking the legitimacy of any project to which you donate or make grants
  • carrying out background checks on proposed senior hires or board members. 

Levels of due diligence

There aren’t clear-cut rules determining which level of due diligence should be applied to a given transaction or relationship. The rule of thumb is: The more significant the transaction or relationship, the more in-depth the due diligence required.

Automated report

The shallowest level of due diligence might involve an automated report from a web-scraping tool. Tools like Xapien and Wealth-X aim to fully automate online research by scraping the web for millions of articles, reports, and other media relating to the individual or organization under investigation. 

These tools are great for flagging sanctions, international watchlists and political exposure. They also do a good job of surfacing media reports on the individuals and organizations under consideration, as well as on those connected to them.

However, the technology isn’t (yet!) as sophisticated as human analysis, and can produce irrelevant or inaccurate results. Media scraping often works by pulling any articles that mention the subject alongside a pre-programmed list of negatively-valenced words. This can create a misleading impression of the associated risks. For example, suppose you’re carrying out due diligence on an organization working on solutions to climate change. Automated tools might collate all articles that mention the organization’s name and the negatively-valenced word “pollution” — potentially giving you hundreds of results to wade through.

The technology is also reasonably expensive. Xapien, for example, charges £6,000 for 100 reports — and 100 reports may be overkill for small- or medium-sized organizations. At Impact Ops, we’ve been able to leverage economies of scale to support our clients. We use our own business subscription with Xapien to offer clients their desired number of reports, with no requirement to buy in bulk.


Standard report

A standard report might build on an automated report by incorporating human review. Human review helps remove irrelevant information, and typically summarizes the severity of any risks raised, e.g. in a covering report.

A standard report might also include a proactive request for information from the individual or organization directly. This could include, for example:

  • charity or taxpayer identification number
  • annual expenditure and link(s) to recent tax return(s)
  • documentation to prove registration/incorporation
  • full name, date of birth, and country of residence for trustees, directors, and anyone with significant control
  • details of any investigations, official warnings, adverse reports or rulings, legal proceedings, and insolvency or bankruptcy declarations.


The information can be independently verified, typically using open sources such as charity registers, corporate records, local insolvency registers, and global litigation databases. When we write our standard reports, we also verify whether annual returns have been audited, and we run basic background checks on any individuals with significant control. This lets us flag any issues, discrepancies, or gaps in the self-reported information within our report. 

Here’s how a standard report might be structured:


Risk Overview | Risk rating
Summary & reasons for rating | Low/medium/high

Overview | Conflicts of interest | Watchlists
Associated entities | Political exposure | Legal proceedings
Reputation | Sanctions | Donations

Source checked | Date checked | Subjects checked


In-depth report

An in-depth report is the deepest level of due diligence: a more comprehensive look at the subject, with a broader definition of associated risks. We recommend this approach for high-risk subjects, like those operating in sanctioned countries, or where more thorough due diligence is required due to the nature of the transaction (e.g. dealing with a financial institution or receiving a significant donation).

The key features beyond a standard report are as follows: 

  • When conducting due diligence on an individual, background checks are run on each major corporate interest and associate (i.e. anyone with whom the subject has multiple shared business interests, where this information is available). 
  • When conducting due diligence on an organization, background checks are run on the entire board / senior leadership team — with additional automated reports on one or two key figures (such as the founder, CEO, or major funder).
  • Deeper research is conducted on potential political connections and conflicts of interest.
  • More detail is provided on litigation involving related individuals or entities.


The time taken to create a report can differ significantly across subjects. We think of subjects as having “small”, “medium”, or “large” profiles.

A subject with a small profile is either:

  • an individual with one major corporate interest and no prominent associates, or 
  • an organization with an annual budget of <$1M and no significant media profile.


A subject with a medium profile is either:

  • an individual with two or three major corporate interests and one or two associates, or 
  • an organization with a board of around five people and an annual budget of $1M–$5M.


A subject with a large profile is either:

  • a prominent public figure or someone with multiple/international corporate interests, or 
  • a large international organization with a board of six or more people and an annual budget of $5M+.


So, in-depth reports tend to vary according to the size or complexity of the subject. 

Getting support

If you’re looking for support with due diligence, first consider the significance of the transaction or relationship you’re facing. 

Automated reports are suitable for less significant transactions, and offer the quickest turnaround — but they can be reasonably expensive. This is why we’ve decided to leverage economies of scale and offer our clients individual reports, saving them the cost of an annual subscription package for dozens of reports they might not need.

As for standard and in-depth reports, there are a number of specialist due diligence providers that offer this service. These can also be reasonably expensive, with the most basic reports typically starting at £1,000–£1,250. 

Impact Ops offers a range of due diligence reports that can save you money while also meeting the requirements of good governance. We also provide optional follow-up support on an ongoing or semi-regular basis. For example, with our monitoring service, we can notify you of any new issues that arise concerning the subject (or any developments in issues we’ve already flagged, such as the outcome of a legal case). Meanwhile, our refresher reports are structured like the original reports and involve running the same checks, but are heavily discounted to reflect the significant reduction in research time required. The more frequent these reports, the less there will be to update, and therefore the lower the price. 

We’re really proud of the feedback we’ve received on our due diligence offering so far.

“The results of the reports are great and the turnaround time is great.”

– Jeffrey Poche, Operations Manager at The Centre for Long-Term Resilience


Our mission is to enable high-impact projects to grow and thrive, and we’re excited about offering due diligence as a service, so that teams can spend more time on their mission, strategy, and execution.

If you’d like support with due diligence, please get in touch at
