I have adopted a policy of escalation. Post-investigation, when you find that an organization is not compliant, our first response would be to seek a rapid remedy for that and essentially require them to comply within a specific period of time.
I have avoided using fines because fines don't change behaviour. There is always a danger that an organization pays a fine and continues not to comply, so we work very hard with organizations to change non-compliant behaviours.
The one thing we've found to be useful is requiring a work plan that we monitor to ensure that they achieve compliance. Rather than hitting an organization very hard with financial penalties, it's far more effective, in my belief, to work with them to achieve compliance. I'd happily use fines if an organization just ignores me, but I do find that working side by side works well.