The following guidance outlines the key risk areas we look into for funded research third parties due diligence process, how risk is measured within the University and the possible mitigating actions that could be put in place to manage risk: 

Frequently asked questions Managing Risk

1) What are the key risk areas to consider when assessing funded research third parties?

When planning research activities which involve working with a new or existing third party organisation, PIs should consider potential risks in the following key areas:  

1) Financial Probity 
 
It is important to consider a third party's financial probity and governance structure to ensure the organisation can receive payments from Imperial and manage expenditure related to its share of the work. To minimise the financial risk, the proposed third party is expected to:

  • Operate in a country that can receive funding from foreign sources. Hold a bank account in its legal name that can be reconciled to a finance management system. 
  • Be able to identify individual transactions, retain supporting evidence of income and expenditure, and reconcile its bank account. Have procedures to manage and control expenditure, e.g. expenses, per diem, review of receipts. 
  • Have policies to manage subcontractors and ensure the flow-down of funder terms and conditions. 
  • Be subject to an institutional-level financial audit on an annual basis. 
     
    NOTE: If a country is subject to sanctions or embargoes, it may not be possible to transfer funds to them. Refer to Imperial’s Anti-Money Laundering Resource Centre which includes information about UK and US Sanctions Lists. 
     
    2) Third Party Relationship and Ability to Deliver 
     
    It is important to consider why the third party organisation is suitable for the project, how the original relationship was established and how governance will be managed during the lifetime of the relationship. To minimise the risk of scientific non-delivery (especially when a third party does not have an established relationship with the University), the third party is expected to:

  • Have a track record of working with other universities and research organisations, delivering research activities and managing external research funding. 
  • Have a governing board with responsibility for overseeing project performance, decision making and risk management. 
  • Have suitable processes for the collection, management, analysis and dissemination of data. 
  • Have measures put in place to identify and manage conflicts of interest. 
     
    3) Organisational Policies and Procedures

    It is important to consider how the third party organisation manages standards of conduct and the integrity of its staff. Copies of policies or weblinks in English should be obtained so they can be checked against UK standards. To minimise the associated risks, the third party is expected to have suitable policies and procedures to: 

  • Promote and maintain the highest standards of ethics and behaviours. 
  • Govern financial procedures and if they are subject to institutional-level financial audits. 
  • Investigate allegations of fraud, bribery and corruption. 
  • Manage conflicts of interest. 
  • Investigate allegations of research misconduct. 
  • Manage safeguarding concerns of children, vulnerable adults and others directly affected by research activities. 
  • Support the recruitment of staff in line with labour legislation and best practice principles. 
  • Govern the management of research data and protection of personal data during the lifetime of the research project. 
     
    4) Political, Economic and Geographical Risks 

    It is important to consider any potential risks resulting from the location of the third party organisation and the wider political and economic status of the host country, as well as the safety of Imperial staff and local workers employed by the project. NOTE: Countries that are subject to Sanctions and Embargoes may be restricted, which means it may not be possible to transfer funds to them.   
     
    Under the University Relationships Policy, certain countries are deemed ‘sensitive’ and require escalation to the Relationships Review Committee. Please contact your relevant Due Diligence Coordinator for up to date guidance.  

    Further Guidance: 
    • Staff travel and expenses (includes information on Travel Registration, country guidance, overseas working, travel insurance) 
    • Research Security (provides detailed guidance on the key aspects of Research Security, the principles of Trusted Research and what support is available at Imperial). 
    • Imperial Global (find out more about Imperial’s collaborations and partnerships to tackle global issues across four global hubs in Ghana, India, Singapore and the USA). 
2) What other aspects need to be considered?

1) Further Subcontracting 

Ensure that further subcontracting is permitted by the funder’s terms and conditions. Understanding the delivery chain and flow of funds from the original funder to downstream third parties is an important part of risk management. The Foreign, Commonwealth and Development Office (FCDO) delivery chain risk mapping guidance can be used as a useful tool in conducting due diligence and project monitoring. 

If the proposed Third Party intends to further sub-contract or commission any part of their work to another in-country entity, then the Third Party is expected to conduct its own appropriate due diligence checks on that entity. However, it is still Imperial’s responsibility as the lead organisation to maintain a comprehensive view of all third parties who are receiving funds, and to understand and manage the risks and interdependencies, e.g. the potential for fraud, bribery and corruption; funding of terrorism or illegal activities etc. 

2) Safety Risks and Concerns 

It is recognised that some projects are designed to take place in high-risk environments because the objective is to benefit a particular area or region, e.g. working in fragile or conflict affected areas. Decisions about risk must be balanced with the benefits of the proposed research. If these circumstances apply, consider how the higher risks of working in such an environment will be mitigated. 

3) Safeguarding Arrangements 

Carefully consider the arrangements for the safeguarding of children, vulnerable adults, research subjects, patients, local communities, project staff and collaborators. This should be part of project delivery and risk assessment planning. Ensure that any concerns are managed throughout the lifetime of the project and reported to the relevant Imperial College London safeguarding officer. More information can be found on Imperial’s Safeguarding for Research Projects webpage. 

3) How do we measure risk?

The following risk assessment process forms part of the additional and enhanced due diligence requirements for Funded Research Third Parties once broader organisational and activity reviews have been completed in accordance with the University’s Relationships Policy: 

  • A risk score is assigned to each section of the questionnaire, resulting in an overall risk rating of LowMedium or High. 
  • Risk ratings are determined using the University's standard risk assessment methodology, which assesses both impact and likelihood. Impact refers to the consequences if the risk occurs and Likelihood is the probability of the risk occurring. 
  • Upon completion of the assessment, a summary of the key risks identified, together with any recommended mitigating actions, will be provided to the Principal Investigator (PI)Department and Faculty Contracts team. 
  • Escalation: Where concerns arise and mitigating actions are considered insufficient, the Chief Research Support and Compliance Officer shall undertake an initial review of the original assessment, recommend any further appropriate mitigation, and seek to resolve the issues in the first instance. Any matters that remain unresolved shall be escalated in accordance with the process set out in the  Relationships Policy 
4) Possible Mitigating Actions

Any risk identified by the Research Support and Compliance Division independent risk assessment process will be given a risk score and the recommended mitigating actions will depend on the severity of the risk. Examples include (but are not limited to) the following: 

  • Requesting detailed transaction listings and supporting evidence of expenditure from the Third Party.
  • Credit checks for high-risk organisations.
  • Payment terms to be specified as quarterly in arrears.
  • Requirement to provide relevant organisational policies or to abide by Imperial's or the Funder's own policies for the duration of the project.
  • Limiting travel to high-risk countries or regions.
  • Assurance/confirmation from the Third Party that no project team members are associated with incidences of fraud, research misconduct, etc.
  • Follow-up review of the relationship at a later date (i.e. post-award project monitoring).