Subrecipient Risk Is the Liability You're Not Tracking
If your organization passes federal funding through to subrecipients, you have a category of liability on your balance sheet that doesn't appear on your balance sheet. The subrecipients are spending federal money you're responsible for. Their compliance is your compliance. Their findings become your findings. Their disallowed costs flow back to you. And in most organizations, the infrastructure for tracking, monitoring, and managing this liability is dramatically inadequate to the actual exposure it represents.
This is one of the cleanest examples of risk that hides in plain sight. Subrecipient relationships are documented in agreements. The pass-through funding flows through the accounting system. The subrecipient names appear on schedules. From every visible angle, the organization is managing the relationships. Underneath the visible layer, the substantive monitoring infrastructure required to actually manage the federal liability is incomplete, inconsistent, or essentially absent. The organization is carrying exposure it doesn't track, generating documentation it can't defend, and accepting risk it doesn't price into the relationship.
Here's the structural reality. When your organization passes federal funds to a subrecipient, federal regulations under 2 CFR 200 require you to perform substantive monitoring of that subrecipient's use of those funds. The requirement isn't symbolic. It's specific. You're required to assess subrecipient risk, conduct ongoing monitoring proportional to that risk, follow up on findings, and ensure the subrecipient is using the funds in compliance with the applicable program requirements and cost principles. The federal government holds you accountable for the subrecipient's compliance. If the subrecipient fails, you absorb the consequence.
Most organizations have a subrecipient monitoring policy. The policy describes the framework. It references risk assessment, monitoring activities, documentation expectations, and corrective action procedures. The policy is usually adequate as a document. The substantive operation underneath it varies enormously, and in most organizations, the operation falls well short of what the policy describes.
Here's how the gap shows up consistently.
The risk assessment is performed superficially or not at all. Federal regulations require a documented risk assessment for each subrecipient, considering factors like prior experience, audit history, organizational complexity, and the nature of the federal program. Most organizations perform something they call risk assessment that's actually a perfunctory exercise of categorizing subrecipients based on funding level or organizational size. The actual risk factors that would matter to a federal reviewer aren't being evaluated systematically. The risk classification isn't driving the monitoring intensity. The framework exists. The substance underneath it is thin.
The monitoring activity is sporadic and reactive. Substantive subrecipient monitoring requires a planned schedule of activities, including desk reviews, on-site visits where appropriate, single audit follow-up, financial reporting analysis, and program performance review. Most organizations conduct monitoring when something prompts it: when a problem surfaces, when a deadline approaches, or when a federal program officer asks. The proactive, scheduled, risk-based monitoring the regulations contemplate is largely absent. Activity happens. It happens unevenly, in response to triggers rather than according to a documented plan.
The documentation supporting monitoring is incomplete. Even when monitoring activity occurs, the documentation that captures it is often inadequate. Notes from a phone call. An email exchange about a financial report. An informal conversation with the subrecipient's program lead. The documentation that would survive a federal examination, showing that the monitoring was substantive, identified specific issues, evaluated specific risks, and produced specific outcomes, is rarely produced. The activity might be real. The evidence of the activity isn't.
Single audit findings from subrecipients aren't actively followed up. When a subrecipient's single audit identifies findings related to the federal funds you passed through, federal regulations require you to follow up, ensure corrective action, and incorporate the findings into your ongoing risk assessment. Most organizations review the single audits when they're submitted and rarely take substantive action on the findings unless the findings are severe. The follow-up infrastructure is incomplete. The findings get filed. The corrective action is the subrecipient's responsibility from the prime's perspective. The federal framework expects more than that.
Subrecipient agreements don't fully capture the compliance requirements. The agreements often reference federal regulations generically, without specifically incorporating the substantive requirements that the prime is responsible for ensuring the subrecipient meets. When a subrecipient deviates from a substantive requirement, the agreement doesn't provide clean grounds for enforcement, because the requirement wasn't specifically articulated in the agreement. The prime is left in a position of trying to enforce compliance through general references rather than specific contractual provisions.
The cumulative effect of these gaps is that the organization is carrying substantial federal liability through its subrecipient relationships and managing that liability with infrastructure that wouldn't survive a structured federal review. The liability isn't theoretical. If a federal program officer or auditor decides to examine subrecipient monitoring substantively, the gaps surface immediately. Findings get issued at the prime level for inadequate monitoring. Subrecipient questioned costs flow back to the prime. The reputational consequence with funders compounds. Future awards become more difficult to secure or come with more restrictive monitoring requirements imposed by the funders themselves.
The financial exposure can be significant. For an organization passing through $10M in federal funds annually to subrecipients, the cumulative exposure across the funding portfolio over a five-year period is in the tens of millions of dollars. Most of that exposure never materializes, because most subrecipients perform adequately and most monitoring environments don't generate the kind of structured federal review that would surface inadequate prime-level oversight. But the exposure is there, and the organizations that don't manage it actively are operating on a hope-based risk model rather than an infrastructure-based one.
The subtler cost is what inadequate subrecipient monitoring does to the relationships themselves. Subrecipients that aren't being monitored substantively don't get the feedback that would help them strengthen their own compliance. Performance issues that could be addressed early through proactive engagement instead surface later, at higher cost, often as findings rather than as corrected behaviors. The prime relationship becomes transactional rather than developmental. The funding flows. The compliance posture of the subrecipient drifts. Eventually, something surfaces, and the relationship becomes adversarial rather than collaborative.
The organizations that manage subrecipient risk well have built specific infrastructure. Documented risk assessment methodology that produces defensible classifications. Scheduled monitoring activity proportional to assessed risk, with documentation produced in real time as a byproduct of the activity. Active follow-up on single audit findings, with the findings incorporated into ongoing risk assessment. Subrecipient agreements that specifically articulate the substantive compliance requirements the prime is responsible for ensuring. Internal capacity, whether in compliance, finance, or program staff, dedicated to substantive subrecipient management rather than treating it as a residual responsibility absorbed by people whose primary roles are elsewhere.
The investment required to operate this way is real. The cost of not operating this way is the cumulative federal liability the organization is carrying through subrecipient relationships, plus the indirect costs of relationships that drift toward findings rather than performance. Most organizations don't make the investment because the visible cost is on the budget and the hidden cost is unmaterialized exposure. The exposure is real. It's just unmaterialized, until it isn't.
If your organization passes through federal funds and you can't tell me with operational specificity what your monitoring activity has been on each subrecipient in the past twelve months, what risks were identified, what corrective actions were taken, and what evidence supports the monitoring claim, you're operating in this gap. The gap isn't theoretical. It's a category of liability you're not tracking, and the federal framework expects you to track it.
This is what we identify and fix in the Strategic Assessment.