• Section 1 - Purpose 
• Scope 
• Section 2 - Policy 
• Section 3 - Procedures 
• Outputs 
• Principles 
• Initial Risk Review 
• Research Risk Review 
• Dual-use Research Review 
• Research Risk Review Committee (RRRC) Advice 
• Deputy Vice-Chancellor (Research) Decision 
• Implementation, Communication and Monitoring 
• Review 
• Section 4 - Guidelines 
• Section 5 - Definitions 

Section 1 - Purpose 

(1) This Procedure specifies the way in which risks arising from research at the University will be identified and managed. 

(2) This Procedure should be read in conjunction with Research Risk Review Procedure Appendix 1 - Communication with Subject Matter Experts, Research Risk Review Procedure Appendix 2 - Request for Reconsideration of DVCR Decision, and Research Risk Review Procedure Appendix 3 - Research Risk Review Tool for Researchers. 

Scope 

(3) This Procedure applies to all staff and Higher Degree Research (HDR) students involved in research.  

Section 2 - Policy 

(4) Nil. 

Section 3 - Procedures 

(5) The Procedure has the following high-level steps: 

1. Initial Risk Review; 
2. Research Risk Review OR Dual-Use Research Review; 
3. Research Risk Review Committee (RRRC) Advice; 
4. Deputy Vice-Chancellor (Research) Decision; 
5. Implementation, Communication and Monitoring; and 
6. Review. 

(6) The Procedure relies on the following items: 

1. Initial Research Risk Review Report;
2. Research Risk Review Procedure Form - Referral to Research Risk Review Committee;
3. Research Risk Review Procedure Form - Dual-Use Research Risk Review;
4. Research Risk Register; and 
5. Due Diligence Framework on Counter Foreign Interference. 

Outputs 

(7) The key outputs from this Procedure are research risk assessments and Deputy Vice-Chancellor (Research) decisions regarding how to control identified research risks. The outputs below are created for relevant activities reviewed beyond the initial risk review stage: 

1. a Research Risk Assessment of a potential or existing collaborative research partner; 
2. a Research Risk Assessment of a dual-use research discipline or technology; 
3. a Schedule of Dual-Use Research Disciplines (located in the Research Risk Register); and 
4. a Schedule of Partner Organisation Risk (located in the Research Risk Register). 

Principles 

(8) The research risk assessment process is based on the following principles: 

1. proportionality – the scope and depth of assessments are proportional to the risk and value of the proposal; 
2. minimum baseline assessment – a minimum set of assessment criteria apply regardless of risk; 
3. evidence based assessment – assessments are based on the best available and most up-to-date evidence; 
4. validity – assessments remain valid for a maximum period of twelve (12) months; 
5. delegate responsibility – Financial Delegates remain responsible for ensuring appropriate due diligence activities (financial, academic and Countering Foreign Interference (CFI) risks) have been undertaken on a prospective partnership; 
6. centralised coordination and storage – the RRRC will have oversight for the storage of assessments and associated information undertaken by the National Security and Defence team; and 
7. ongoing monitoring – that if substantive changes occur in open-source information available about a partner organisation or research discipline, any related assessments should be revised. 

Initial Risk Review 

(9) Initial Risk Review encompasses multiple processes that proactively review new and existing research for higher risk activities and partners. This review is automated via reporting processes where possible. However, as per the Due Diligence Framework on Counter Foreign Interference, any University staff member can refer an external entity, partner or a Macquarie University research activity for an Initial Risk Review.  

(10) The questions that are used in determining the research risk of a project, discipline or relationship during an Initial Risk Review are: 

1. does the activity require notification under Australia’s Foreign Relations (State and Territory Arrangements) Act 2020; 
2. is the activity controlled by the Defence Trade Controls Act 2012; 
3. could the activity lead to human rights violations, including instances of modern slavery; 
4. could the activity provide an external organisation with access to sensitive University intellectual property; 
5. does the activity involve any entities or individuals that are subject to Australian autonomous sanctions or strategic trade controls; 
6. does the activity involve research that has military, security or intelligence end-uses not captured by any of the above questions; and 
7. is the activity likely to conflict with Australian foreign policy or Australia’s national interests. 

(11) If the answer for each question is negative, then the Initial Risk Review is deemed low risk and no further action is required. Best practice advice may be provided at this point to ensure that the risk remains minimised.  

(12) Initial Risk Reviews deemed higher risk will be considered at an ad-hoc meeting of the Pro Vice-Chancellor, Research Services, the Deputy Dean(s) Research and Innovation for the associated faculty/faculties, and the Manager, National Security and Defence, where it will be determined whether a Research Risk Review or Dual-Use Research Review is required. This determination may be conducted via circular resolution. 

Research Risk Review 

(13) The purpose of a Research Risk Review is to undertake an in-depth risk review of a prospective or existing collaborative partner and the risk of prospective or existing research associated with that external partner.  

(14) The risks reviewed are primarily those comprising foreign interference, national security, and defence considerations. Other risks are expected to be captured via business-as-usual risk management practices at the University. 

(15) The Referral to Research Risk Review Committee Form is used by Office of the Pro Vice-Chancellor (Research Services) to undertake desktop research on the identified matter. This desktop research is supplemented by interviews with any identified senior researchers who have expert knowledge of the activity and the research involved. Communication with identified subject matter experts (SMEs) will follow the process specified in Research Risk Review Procedure Appendix 1 - Communication with Subject Matter Experts.  

(16) The National Security and Defence team will undertake the desktop research and SME interviews in their role as secretariat for the RRRC. 

(17) Desktop research and SME interview information will be used to complete a first draft of the Referral to Research Risk Review Committee Form. The draft will be reviewed at a meeting of the Pro Vice-Chancellor, Research Services, the Deputy Dean(s) Research and Innovation for the associated faculty/faculties, and the Manager, National Security and Defence. The Manager, National Security and Defence will act on one of the following options as decided at the meeting: 

1. changes to the draft; 
2. submission of the draft to the Deputy Vice-Chancellor (Research) for a decision; or 
3. submission of the draft to the next meeting of the RRRC for consideration. 

(18) When Higher Degree Research students are active members of a project undergoing Research Risk Review, desktop research should involve consultation with the Graduate Research Academy (GRA) in order to inform the review process. Consultation should be directed to the Operations Director, Graduate Research. 

Dual-use Research Review 

(19) The purpose of a Dual-Use Research Review is to undertake an in-depth review of an emerging area of research to determine if the area should be classified as a Dual-Use Research Discipline. This term captures new, emerging, and critical technologies that are assessed to constitute a higher-than-normal risk of foreign interference. 

(20) A Dual-Use Research Review uses an amended version of Parts 4 and 5 of the Research Risk Review Form. 

(21) The decision to initiate a Dual-Use Research Review can be made by the Deputy Vice-Chancellor (Research); the RRRC; or at a meeting of the Pro Vice-Chancellor, Research Services, the Deputy Dean(s) Research and Innovation for the associated faculty/faculties, and the Manager, National Security and Defence. 

(22) Once a review has been initiated, the Dual-Use Research Risk Review Form is used by Office of the Pro Vice-Chancellor (Research Services) to guide the conduct of desktop research on the discipline concentration at the University, as well as the wider CFI risks of research typical in the University’s domain of expertise. This desktop research is supplemented by Australian Government information developed by the Critical Technologies Hub in the Department of Industry, Science and Resources. Those critical technologies designated by the Critical Technologies Hub as of initial concern are assessed as being most likely to constitute a higher-than-normal CFI risk for the University. 

(23) Desktop research is supplemented by interviews with any identified senior researchers who have expert knowledge of the activity and the research involved. Communication with identified subject matter experts (SMEs) will follow the process specified in Research Risk Review Procedure Appendix 1 - Communication with Subject Matter Experts. 

(24) Desktop research and SME interview information will be used to complete a first draft of the Dual-Use Research Risk Review Form. The draft will be reviewed at a meeting of the Pro Vice-Chancellor, Research Services, the Deputy Dean(s) Research and Innovation for the associated faculty/faculties, and the Manager, National Security and Defence. The Manager, National Security and Defence will act on one of the following options as decided at the meeting: 

1. changes to the draft; 
2. submission of the draft to the Deputy Vice-Chancellor (Research) for a decision; or 
3. submission of the draft to the next meeting of the RRRC for consideration. 

(25) When Higher Degree Research students are active members of a project undergoing Dual-Use Research Review, desktop research should involve consultation with the Graduate Research Academy (GRA) in order to inform the review process. Consultation should be directed to the Operations Director, Graduate Research. 

Research Risk Review Committee (RRRC) Advice 

(26) The Research Risk Review Committee (RRRC) will provide advice to the Deputy Vice-Chancellor (Research) on a Research Risk Review and any risk controls for a research project or partner. 

(27) RRRC Advice can be submitted to the Deputy Vice-Chancellor (Research) out-of-session as per the Terms of Reference for the RRRC. The Deputy Vice-Chancellor (Research) may make an out-of-session decision on reviews that have been considered by two (2) members of the RRRC, excluding the Manager, National Security and Defence. 

(28) If a research risk review matter is considered to be simple or high priority, then the matter should be referred out-of-session to the Deputy Vice-Chancellor (Research) for decision and RRRC Advice should be provided by the relevant Deputy Dean(s) Research, and the Pro Vice-Chancellor, Research Services, with support provided by the Manager, National Security and Defence as appropriate. 

(29) If a research risk review matter is considered to be complex, then the matter should be considered by the RRRC at its next meeting and advice provided to the Deputy Vice-Chancellor (Research) at that time.  

(30) If a research risk review matter is assessed as both complex and high priority, then the matter should be considered out-of-session by the RRRC at an extraordinary meeting or via circular resolution, with advice to be provided to the Deputy Vice-Chancellor (Research). Circular resolution procedures will be managed by the RRRC secretariat. 

Deputy Vice-Chancellor (Research) Decision 

(31) A decision of the Deputy Vice-Chancellor (Research) will be based on advice from the RRRC and represents the University’s assessment of risk for a research project, as well as the required controls for that risk to be satisfactorily mitigated so that associated projects can go ahead. If a risk cannot be satisfactorily mitigated, then the project may not be able to continue without a modification to the project design or the choice of collaborative partners. 

(32) The decision of the Deputy Vice-Chancellor (Research) will be recorded in the Research Risk Register. If the decision was taken out-of-session, information about that decision will be submitted to the next meeting of the RRRC for noting. 

(33) The decision of the Deputy Vice-Chancellor (Research) will be communicated via correspondence to the University Chief Investigator/s affected by the decision. This correspondence will be copied to the relevant Deputy Dean(s) Research and Innovation, and the Pro Vice-Chancellor, Research Services. The correspondence will include information that describes how the decision may be reconsidered, if requested. 

(34) A request for reconsideration can be made to the Deputy Vice-Chancellor (Research) decision, and must be lodged within ten (10) working days of the date of the Deputy Vice-Chancellor (Research) decision correspondence (refer to Research Risk Review Procedure Appendix 2 - Request for Reconsideration of DVCR Decision, for procedural advice relating to a request for reconsideration). After ten (10) working days, Office of the Pro Vice-Chancellor (Research Services) will commence implementation of the Deputy Vice-Chancellor (Research) decision. If correspondence is received from the affected University Chief Investigator/s communicating their intent not to request a reconsideration of the decision before the ten (10) working days having elapsed, the implementation may commence earlier. 

Implementation, Communication and Monitoring 

(35) The National Security and Defence team within Office of the Pro Vice-Chancellor (Research Services) will work with relevant University staff to implement any risk controls specified in the Deputy Vice-Chancellor (Research) decision correspondence. 

(36) The National Security and Defence team will work with relevant University staff to draft correspondence to any external partners if external communication is required in order to implement the decision of the Deputy Vice-Chancellor (Research). External communication will usually be undertaken as written correspondence communicated via email from foreign.relations@mq.edu.au and signed by the Pro Vice-Chancellor, Research Services. External communication requirements can be amended based on the needs of the University staff affected as long as those amendments ensure that the risk controls specified in the Deputy Vice-Chancellor (Research) decision correspondence are implemented. 

(37) The National Security and Defence team are responsible for implementing any processes that assure the relevant risk controls remain active for the duration of the research activity at the University. These processes will be developed and implemented based on the principles of:  

1. streamlining the work required for enterprise assurance; 
2. implementing automated monitoring protocols where possible; and  
3. only implementing automated and manual monitoring protocols that are in proportion to the identified risks. 

Review 

(38) Research risk assessments will have a maximum review timeframe of twelve (12) months. A shorter review timeframe may be appropriate for research risks that are of significant concern or where significant material changes are expected to occur. Research risk assessment reviews will be submitted for noting to a RRRC meeting that precedes the review period elapsing. Reviews will be undertaken on the principle of identifying changes in a risk rating that might arise from new public information, new information provided to the University from the Australian Government on an official basis, or new information gathered via SME interviews. 

(39) A change in information that is material to an identified risk may require the assessment to be reviewed on an ad-hoc basis. Any member of the RRRC can request the early ad-hoc review of a research risk.  

Section 4 - Guidelines 

(40) Nil. 

Section 5 - Definitions 

(41) For the purpose of this Procedure: 

1. Financial Delegate means a University officer empowered under the Delegations of Authority Register to execute arrangements with a foreign partner on behalf of Macquarie University or a controlled entity of the University. A financial Delegate may be at a local level or involve senior leadership. The financial Delegate is ultimately responsible for ensuring research risk due diligence will be undertaken appropriate to the value and risk of the prospective arrangement, as per the relevant financial delegation.