Due diligence, risk assessments and management

The Guidelines to Counter Foreign Interference in the Australian University Sector (the Guidelines) are foundational elements essential for building resilience within a university. They are designed to be holistic and reinforce each other. Understanding threats and risks will help drive and build proportionate and calibrated counter foreign interference activities. A positive security culture that supports international engagement is a core component within universities that will help to embed considerations of risk at all levels of the university. Being part of a community of best practice to share our journey and intelligence will promote the resilience of the sector and the nation.

This guidance material is designed to assist universities to develop and implement due diligence, risk assessments and management in accordance with the Guidelines.  It is advisory only. It is intended to provide specific considerations to which decision makers can refer appropriate to their circumstances to address key themes and objectives in the Guidelines.

Mutual support and information sharing within universities and across universities and Government can add to the practices.

Identifying risk does not preclude an activity from proceeding.

Declaring international associations or affiliations allows the management and mitigation of potential risks.

The following guidance material will assist universities and academics to have confidence in their collaborations and to make informed decisions around potential risks.

There are a number of useful resources and reference sites which can assist universities in undertaking due diligence. These include, but are not limited to:

• The ASIO Due Diligence Integrity Tool (please contact the ASIO Outreach Team at outreach@asio.gov.au for a copy of the ASIO Due Diligence Integrity Tool)
• Foreign Influence Transparency Scheme (FITS)
• DFAT Consolidated List
• Defence Export Controls (DEC)
• Due Diligence Assistance Framework
• Guidance for developing and undertaking open source searches

Separately, universities should also consider whether the proposed activity, partnership or variation to an existing arrangement needs to be notified under the DFAT Foreign Arrangements Scheme.

Assess the technology and research

The Australian Government has a range of requirements that researchers need to consider when collaborating internationally on specific areas or disciplines. This includes unintended applications of research outcomes, and commercial potential of research outcomes.

For more information, go to:

• Defence Strategic Goods List (DSGL) self assessment tool
• Department of Foreign Affairs and Trade - Australian Sanctions Office: Australian sanctions regimes: export and import sanctioned goods and the provision of sanctioned services 
• Critical Technology Supply Chain Principles: Principles outlined on this website are useful for universities to understand supply chains for critical technologies.
• Department of Prime Minister and Cabinet: Protecting and promoting critical technologies (available on the web archive)
• Blueprint for Critical Technologies (available on the web archive): Document from PM&C to assist universities to identify which technologies are critical to Australia's national interest.

Assess the partner and personnel

• Can the university determine, to the extent that is reasonable and consistent with the level of risk, whether the partner is being upfront and transparent about their reasons for collaborating?
• Similarly, has the university explored whether the partner is being upfront and transparent about affiliations, ownership/subsidiary status, parent partners and intent? These may include existing vendor relationships, sourcing partners and stakeholders with interest in the primary partner.
• When would it be appropriate for the university to seek further information from Government through available resources or through direct contact?
• Have foreign researchers expressed a concerning level of interest in obtaining the details of your research?
• Have you had any offers from foreign entities to purchase or invest in your research? If so, from whom and what were the terms of the offer? Does it look too good to be true?
• What processes are in place to monitor how conflicts of interest are reported and managed? These may include prompts to mitigate potential risks, protect academic freedom and free speech, and ensure compliance with export control laws and other regulations.
• How are incidences of non-disclosure by staff managed?
• What is the escalation pathway for assessing risk?
• Does the partner or the backing entity appear on any public registers (for example, the Foreign Influence Transparency Scheme, Register of Lobbyists, GrantConnect)?
• Does the proposed activity or partnership need to be registered under the Foreign Influence Transparency Scheme or the Foreign Arrangements Scheme?
• Is the partner or the backing entity listed as a ‘designated individual or entity’ for sanctions purposes on the DFAT Consolidated List?

Assess technology and research

• How might an adverse foreign actor exploit your research or product?
• Does your research have multiple uses? Can you imagine a scenario in which your research could be used for malicious purposes regardless of intended use?
• Is your research strategic/novel/ground-breaking or could it otherwise fill in an important piece of the puzzle for a competitor?

Comprehensive risk assessment and mitigation strategies

• Do the benefits of the activity outweigh the risks?
• What elements of the activity need to be adjusted to mitigate risk?
• Are researchers and their international partners, aware of their legal obligations including declaring conflicts of interests?
• Are there potential reputational or ethical risks to your university associated with the collaboration or activity?
• Do you have information that promotes awareness of what is being shared with foreign entities (for example within travel safety, video conferencing or other policies)?
• What access will the partner have to your IT networks? If they do have access, does this pose additional risk?
• Is there any physical separation or protection required to safeguard the research?
• Who is responsible for maintaining, promoting and applying risk mitigation?
• Considerations around commercialisation might include:
  • ownership arrangements for any intellectual property (IP) that is generated
  • how existing IP, research data, confidential or personally identifiable data is protected
  • identification and protection of commercially valuable research or research that may benefit Australia’s economic interest
  • university IP policies and procedures. Issues that may arise include personal financial gain from the use of university research, which assists outside organisations by providing inappropriate access to university IP.

Approval, audit and continuous evaluation

• Have collaborators’ conduct, interests and external relationships changed over time into something with which the university or individual is not comfortable?
• Who is responsible for reviewing and approving arrangements including risk mitigation?
• What policies exist in the university to identify research or other contracts that may require additional oversight due to the nature of the research and/or the type of partnership? What Government support is available to help you make these assessments?
• Are there clear requirements and guidance to undertake proportionate risk assessments at the start of international collaborative projects?
  • University risk and security frameworks should also consider whether it is appropriate to report security incidents (breaches of university security protocols). They should also consider when to escalate incidents of concern to Government.