Fraud risk starts with culture, not controls

Charity fraud is back in the headlines.

The latest Charity Fraud Report, published recently, revealed some interesting and valuable data. More than a third of respondents experienced fraud or attempted fraud in the past 12 months. Of those affected, nearly three quarters suffered a financial loss.

Significantly, in 38% of cases the perpetrator was directly linked to the charity as a staff member, volunteer or trustee. Recent news stories reinforce this point: in one, a former employee of a youth charity was jailed for theft that ultimately led to its closure; in another, a former manager was imprisoned for a £40,000 embezzlement.

Whatever the outcome of a fraud or attempted fraud against a charity, it is far better to prevent it happening in the first place. Yet when prevention is discussed, attention quickly turns to the systems, policies and controls that are (or aren’t) in place.

These matter – vitally – but they’re rarely at the true starting point of any incident of fraud.

In practice, I believe a charity’s culture plays a far greater role in shaping how vulnerable it is to fraud, how quickly issues are identified, and how effectively they’re dealt with.

Stigma, embarrassment and fear of reputational damage mean warning signs go ignored and incidents often go undetected or unreported. As a result, published figures are, at best, an estimate.

A simple question – “would staff, volunteers or trustees feel able to speak up if something didn’t feel right?” – can be revealing. If fraud is treated as a taboo subject, concerns are more likely to be ignored, dismissed or quietly rationalised. At worst, they may not be raised at all. Meanwhile, fear of damaging the organisation’s reputation, or being seen as disloyal can result in silence, which is then misread as evidence that there is nothing to worry about.

Imagine instead a culture where openness and communication are actively encouraged. Raising a concern would be viewed positively, rather than as a demonstration of disloyalty, and more importantly, it would allow for the concern to be addressed before it escalates. As a result, fraud might become something that can be actively managed – avoided, even – rather than feared.

Proactive fraud risk assessment remains rare across the sector. Too often it follows an incident, rather than precedes one. Worse still, some organisations fail to learn even then.

Why don’t more charities take an honest look at their exposure? Because it feels unlikely to happen to them. Because it is uncomfortable. Because it slips down the priority list.

Yet with so much data suggesting a significant proportion of fraud incidents involve individuals within the organisation, fraud risk assessment absolutely should be a priority as trust alone clearly isn’t a strong enough safeguard.

Charities that routinely reflect on where they might be vulnerable and which are prepared to have honest conversations about risk, are far better placed to detect issues early, or prevent them altogether. These organisations approach fraud risk as part of good governance, not as a sign of suspicion. In my experience, however, they remain in the minority.

Integrating an honest and transparent approach to fraud risk successfully requires the whole team to be on board. If fraud is brushed under the carpet at board or senior management level, it’s unlikely to be taken seriously amongst the rank and file of the organisation.

Of course, the introduction of the Economic Crime and Corporate Transparency Act (ECCTA) in September 2025 tackles this issue head-on and whilst this absolutely IS an example of compliance, it also highlights the importance of organisational culture in tackling fraud.

It’s no secret that charities operate in increasingly pressured environments – especially those involved directly in fundraising – and so having the necessary checks and balances in place to prevent inappropriate behaviour that would benefit the charity is not only a shrewd move, but also now a legal requirement. For those legal requirements to be effective, however, surely a positive and open culture is necessary.

In an increasingly pressurised world with ever-sophisticated cyber threats, I’m not naïve enough to believe that the right culture alone will protect a charity from fraud. Immunity is sadly not achievable.

However, charities that foster openness and encourage constructive dialogue will be better equipped to tackle fraud and in doing so, protect their people, their beneficiaries and their reputation. If you are unsure where cultural vulnerabilities may lie – or whether your current environment would surface concerns early enough – an impartial review can provide clarity and confidence.

Perhaps it’s time to consider a fraud risk assessment.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.