The following guidance outlines the key risk areas, how risk is measured within the College and the possible mitigating actions that could be put in place to manage risk:
Frequently asked questions Managing Risk
- 1) What are the key risk areas to consider?
- 2) What other aspects need to be considered?
- 3) How do we measure risk?
- 4) Possible Mitigating Actions
When planning research activities which involve working with a new or existing third party organisation, PIs should consider potential risks in the following key areas:
1) Financial Probity
It is important to consider a third party's financial probity and governance structure to ensure the organisation can receive payments from Imperial and manage expenditure related to its share of the work. To minimise the financial risk, the proposed third party is expected to:
- Operate in a country that can receive funding from foreign sources. Hold a bank account in its legal name that can be reconciled to a finance management system.
- Be able to identify individual transactions, retain supporting evidence of income and expenditure, and reconcile its bank account. Have procedures to manage and control expenditure, e.g. expenses, per diem, review of receipts.
- Have policies to manage subcontractors and ensure the flow-down of funder terms and conditions.
- Be subject to an institutional-level financial audit on an annual basis.
NOTE: If a country is subject to sanctions or embargoes, it may not be possible to transfer funds to them. Refer to Imperial’s Anti-Money Laundering Resource Centre which includes information about UK and US Sanctions Lists.
2) Third Party Relationship and Ability to Deliver
It is important to consider why the third party organisation is suitable for the project, how the original relationship was established and how governance will be managed during the lifetime of the relationship. To minimise the risk of scientific non-delivery (especially when a third party does not have an established relationship with the College), the third party is expected to: - Have a track record of working with other universities and research organisations, delivering research activities and managing external research funding.
- Have a governing board with responsibility for overseeing project performance, decision making and risk management.
- Have suitable processes for the collection, management, analysis and dissemination of data.
- Have measures put in place to identify and manage conflicts of interest.
3) Organisational Policies and Procedures
It is important to consider how the third party organisation manages standards of conduct and the integrity of its staff. Copies of policies or weblinks in English should be obtained so they can be checked against UK standards. To minimise the associated risks, the third party is expected to have suitable policies and procedures to: - Promote and maintain the highest standards of ethics and behaviours.
- Govern financial procedures and if they are subject to institutional-level financial audits.
- Investigate allegations of fraud, bribery and corruption.
- Manage conflicts of interest.
- Investigate allegations of research misconduct.
- Manage safeguarding concerns of children, vulnerable adults and others directly affected by research activities.
- Support the recruitment of staff in line with labour legislation and best practice principles.
- Govern the management of research data and protection of personal data during the lifetime of the research project.
4) Political, Economic and Geographical Risks
It is important to consider any potential risks resulting from the location of the third party organisation and the wider political and economic status of the host country, as well as the safety of Imperial staff and local workers employed by the project. NOTE: Countries that are subject to Sanctions and Embargoes may be restricted, which means it may not be possible to transfer funds to them.
Those involving entities in sensitive countries will receive additional due diligence and verification under Imperial’s Relationship Review Policy. Sensitive countries listed in Appendix A of the Relationship Review Policy require the ‘due diligence proforma’ in Appendix B of the Policy to be completed and submitted to the Head of Department or equivalent, and is subject to further consideration by Imperial’s Scrutiny Committee.
Further Guidance: - Anti Money Laundering Resource Centre (includes information on US and UK Sanctions Lists).
- Corruption Perceptions Index collated by Transparency International.
- UK Government Foreign Travel Advice.
- Marsh Political Risk Map (Political Instability Index).
1) Further Subcontracting
Ensure that further subcontracting is permitted by the funder’s terms and conditions. Understanding the delivery chain and flow of funds from the original funder to downstream third parties is an important part of risk management. The Foreign, Commonwealth and Development Office (FCDO) delivery chain risk mapping guidance can be used as a useful tool in conducting due diligence and project monitoring.
If the proposed Third Party intends to further sub-contract or commission any part of their work to another in-country entity, then the Third Party is expected to conduct its own appropriate due diligence checks on that entity. However, it is still Imperial’s responsibility as the lead organisation to maintain a comprehensive view of all third parties who are receiving funds, and to understand and manage the risks and interdependencies, e.g. the potential for fraud, bribery and corruption; funding of terrorism or illegal activities etc.
2) Safety Risks and Concerns
It is recognised that some projects are designed to take place in high-risk environments because the objective is to benefit a particular area or region, e.g. working in fragile or conflict affected areas. Decisions about risk must be balanced with the benefits of the proposed research. If these circumstances apply, consider how the higher risks of working in such an environment will be mitigated.
3) Safeguarding Arrangements
Carefully consider the arrangements for the safeguarding of children, vulnerable adults, research subjects, patients, local communities, project staff and collaborators. This should be part of project delivery and risk assessment planning. Ensure that any concerns are managed throughout the lifetime of the project and reported to the relevant Imperial College safeguarding officer. More information can be found on Imperial’s Safeguarding for Research Projects webpage.
The College has an established assessment criteria for managing risk which may be useful in considering the potential pitfalls in any third party relationship. The process focusses on the potential ‘Impact’ if something occurs and the ‘Likelihood’ of it occurring. Visit the risk management webpage for guidance on applying the assessment criteria to your project.
The Research Office's independent risk assessment process uses the College's risk scoring criteria to provide a robust and consistent assessment of the risks. Mitigating actions are then recommended to PIs, Departments and Faculty Contracts teams to lessen the College's exposure to risk. More information can be found on the Undertaking Due Diligence webpage.
PIs should discuss the management of any risks identified by the Research Office process with their Head of Department and Department Manager / Departmental Operations Manager in the first instance, taking account of the size and value of the project. Any discussion determining the nature of the risk and departmental decisions to accept or mitigate it should be documented and retained for audit purposes.
Any risk identified by the Research Office's independent risk assessment process will be given a risk score and the recommended mitigating actions will depend on the severity of the risk. Examples include (but are not limited to) the following:
- Requesting detailed transaction listings and supporting evidence of expenditure from the Third Party.
- Credit checks for high-risk organisations.
- Payment terms to be specified as quarterly in arrears.
- Requirement to provide relevant organisational policies or to abide by Imperial's or the Funder's own policies for the duration of the project.
- Limiting travel to high-risk countries or regions.
- Assurance/confirmation from the Third Party that no project team members are associated with incidences of fraud, research misconduct, etc.
- Follow-up review of the relationship at a later date (i.e. post-award project monitoring).
- Escalation to the Director of the Research Office, Faculty Operating Officer, Faculty Dean or Vice-Provost (Research and Enterprise).