Governance and risk frameworks

The Guidelines to Counter Foreign Interference in the Australian University Sector (the Guidelines) are foundational elements essential for building resilience within a university. They are designed to be holistic and reinforce each other. Understanding threats and risks will help drive and build proportionate and calibrated counter foreign interference activities. A positive security culture that supports international engagement is a core component within universities that will help to embed considerations of risk at all levels of the university. Being part of a community of best practice to share our journey and intelligence will promote the resilience of the sector and the nation.

This guidance material is designed to assist universities to develop and implement governance and risk frameworks in accordance with the Guidelines. It is advisory only. It is intended to provide specific considerations that decision makers can refer to, as appropriate to their circumstances, to address key themes and objectives in the Guidelines.

Mutual support and information sharing within universities and across universities and Government can add to the practices.

Frameworks for managing foreign interference risks

Integrating foreign interference risks into existing risk frameworks may help to promote a positive security culture and can help to avoid unnecessary duplication. Examples may include but are not limited to frameworks supporting:

  • Audit and assurance
  • Risk Management
  • Enterprise-level risks
  • Cyber security
  • Project-level risk assessments
  • Conflicts of interest
  • Secondary employment
  • Workplace health and safety
  • Business continuity.

Universities could consider their activities in relation to threats of foreign interference to determine potential risks and consequences. Below are some examples to assist. Once risks and consequences are identified, assessments can be made to determine the level of risk and the level of mitigation.

Threats of foreign interference in universities

Examples of how foreign interference can occur include, but are not limited to:

  • improper attempts to obtain information (such as sensitive or confidential information) from students or staff via foreign delegations, seminars, collaborations, or obligations of financial support
  • inappropriately targeting and recruiting staff and students, including HDR students, to further a foreign actor’s interests
  • actions by or for a foreign actor that are inconsistent with academic freedom and the university’s values or codes of conduct, such as demands or inducements to change academic programs for the benefit of a foreign political, religious or social agenda
  • inappropriate efforts to alter or direct the university’s research agenda into particular areas of research (this may occur through subtle forms of undue influence and engagement, and through funding arrangements that may also lead to a loss of future value and/or control of intellectual property)
  • seeking inappropriate access to, or influence over, particular persons, areas of activity, or research outcomes through various forms of funding arrangements (e.g. donations) or collaborations, financial or other inducements targeted at individuals; and
  • cyber targeting by exploiting network vulnerabilities and unauthorised access.

Those seeking to exert undue influence on Australia’s university sector may attempt to inappropriately alter, direct or introduce their own agendas into particular activities and research.

This can occur through subtle forms of undue influence and engagement that may cause an individual distress, and through funding or other arrangements, including those that may lead to loss of future value and/or control of intellectual property (IP).

Risks to universities and academics from foreign interference

Examples of risks for universities from foreign interference include:

  • Unwanted access and potential interference to research, sensitive or personal data
  • Loss of future partnerships / collaborations / talent attraction
  • Breach of legal obligations – contractual or legislative
  • Loss of intellectual property / commercialisation opportunity
  • Cultivation of the university community for information gathering
  • Undue influence of an agenda within or outside the classroom

Consequences of risks of foreign interference

Examples of consequences of foreign interference risks include:

  • Damage to reputation – institution or researcher or research team
  • Loss of public or partner trust, credibility and integrity of research results or data
  • Loss of control over confidential data or findings, if another individual patents research outcomes or restricts access to them by other means
  • Loss of professional recognition of work / effort and career progression opportunities
  • Loss of potential revenue
  • Existing or potential partners may lose confidence in abilities to hold confidential information in the future.
  • Ineligibility for future funding opportunities.

More serious activities can lead to sanctions, infringements, litigation or criminal charges. At their most serious, foreign interference activities can provide a pathway to espionage against Australia.

Accountable authorities

An accountable authority is a senior executive or executive body, responsible and accountable for the security of people, information and assets to counter foreign interference. An accountable authority may be a:

  • Deputy Vice-Chancellor
  • Chief Information Security Officer
  • Suitably senior university staff member
  • Suitable senior university-level committee.

Universities and sector bodies could consider adding foreign interference as a standing agenda item or including it in Terms of Reference for existing Executive/leadership/project groups.

Policies and procedures setting out responsibilities and conduct

Universities have a range of existing policies and procedures that support compliance with legislation, and these may also be considered as part of managing foreign interference risks. Examples of policies and procedures include, but are not limited to:

  • Sensitive research
  • Gifts and donations
  • Incident management
  • Ethical conduct in the workplace
  • Responsible conduct of research
  • Student codes of conduct
  • Staff codes of conduct
  • Complaints reporting and management
  • Anti-discrimination and freedom from bullying and harassment
  • Risk management procedures
  • Fraud and corruption control

Elements that may be included in policies and procedures to address conduct that could lead to foreign interference:

  • protections in university codes of conduct for all students and staff from actions that contravene the codes, such as harassment and intimidation of individuals on campus, with codes of conduct publicly accessible to all students and staff.
    • alignment with codes on freedom of speech and academic freedom
    • addressing activities such as doxxing or targeting individuals due to their academic contribution.
  • consideration of issues particular to off campus, offshore and international delivery
  • sensitive management of claims of foreign interference, in line with university policies and taking account of confidentiality issues
  • mechanisms to protect individuals — both students and staff — from undue influence, harassment or intimidation, such as enabling the anonymisation of academic work and grading when engaging on sensitive topics.
  • mechanisms that check a staff or student’s understanding of foreign interference risk and mitigations prior to the university providing an individual with access to information and assets that may be at risk.

Transparent escalation and reporting requirements

Effective reporting mechanisms help to facilitate the two-way flow of information within universities and with Government to enhance understanding of the security environment in universities. Examples of escalation and reporting requirements that may already exist, and that could be used for, or as a model for, a new mechanism to report and track the resolution of foreign interference risks, management and concerns/incidents, include:

  • internal audit schedules and reports
  • program review schedules and reports
  • annual reports
  • information security incident management reports
  • workplace grievances and complaints systems

Templates or forms that guide staff will help ensure consistency in reports on, for example, international collaborations, concerns or incidents of harassment, or unauthorised access to data.

Reporting provided to the accountable authority may address, for example:

  • summary of the incident
  • those involved in the incident, including those affected and those who handled the incident
  • detailed incident description, including any technical details
  • response actions
  • if or how the issues have been resolved
  • lessons learnt.

Useful resources and tools

Accountable authority

  • Which senior executive or executive body has responsibility for foreign interference and safeguards?

Managing foreign interference risks

  • Which policies and procedures:
    • acknowledge foreign interference as a risk?
    • promote awareness of safety and security to safeguard against foreign interference?
    • enable staff and students to understand who is affected by foreign interference risks?
    • manage responses to foreign interference concerns or incidents?
    • trigger engagement with relevant Commonwealth agencies on legislative compliance and foreign interference (such as Defence Export Controls, the Foreign Arrangements Scheme and Autonomous Sanctions)?
  • How have relevant stakeholders been considered in foreign interference-related policies and procedures?
  • How effective are internal reporting mechanisms to support university evaluation and communication with external stakeholders?
  • How is the level of risk assessed in a particular research project, and is the nature of the governance and oversight that could be applied to mitigate this risk considered?
  • What documentation and templates capture these considerations, should a retrospective assessment of the research activity be undertaken? This could include how records and information are managed.
  • How can existing internal frameworks highlight efforts to mitigate foreign interference?
  • Do these mechanisms address concerns or incidents of harassment and intimidation that could lead to self-censorship?

Policies and procedures setting out responsibilities and conduct

  • What approvals processes are in place for staff appointments at various levels at universities?
  • Are staff and students provided training or refreshers on foreign interference at appropriate intervals during their engagement, which might include during orientation or induction, after promotion, or role-changes? Information includes the ways in which foreign interference may manifest in the university context and the university’s policies, frameworks and expectations to manage this.
  • What processes help staff to be aware of their responsibilities, rights and obligations at the university?
  • How can students and staff readily access information about foreign interference, university policies, codes of conduct and consequences if codes are breached?
  • What training does the university offer to staff to build capacity in identifying potential instances of foreign interference, including harassment or intimidation? How can training for staff and students be clear about the difference between this and important academic processes such as disagreeing well?
  • What training is offered for staff and students to understand their role in the university’s risk mitigation strategies?
  • How can universities seek assurance that staff are implementing their risk mitigation strategies?
  • How can a university-wide picture of incidents be compiled to inform potential risks of foreign interference, including possible harassment of students?

Risk assessment and reporting frameworks to guide decision-making

  • What risk mitigation strategies does the university have that deal with foreign interference?
  • Who is responsible for maintaining, promoting and applying these strategies?
  • How are these strategies informed by the range of activities undertaken in the university and the associated level of risks?

Transparent escalation and reporting requirements

  • How clear is the escalation pathway and is the appropriate response to these risks clearly articulated?
  • When would it be appropriate for the university to seek further information from Government or law enforcement through available resources or through direct contact?
  • Are due diligence and internal reporting applied to international funding sources and partnerships? Is the level appropriate to aid accountability and risk management?
  • How do staff and students escalate issues within the university?
  • What are the avenues available for accountable authorities to escalate issues with Government?