The following questions are intended to help those completing the Risk Assessment Form for the implementation of the National Security Guidelines for Research Partnerships.
- How might my research be impacted by national security risks?
- When do I need to complete the Risk Assessment Form?
- Where can I find resources to help effectively complete the Risk Assessment Form?
- Can or should my partner organization help in completing the Risk Assessment Form?
- What is required from the researcher and their institution to comply with the Guidelines?
- What does the Government of Canada do with the information that is collected on the Risk Assessment Form?
- In cases where the researcher is confident that their project is low risk overall, should they still flag any and all risks in the Risk Assessment Form even if they are very unlikely?
- What is a Risk Mitigation Plan?
- How specific should a Risk Mitigation Plan be?
- Who is responsible for completing the “Additional Requirements” section of the Risk Assessment Form?
- Does the statement “The applicant(s) have not accepted and will not accept any offer of funding that is conditional upon the mirroring of their academic laboratory in, or the transfer of their academic laboratory to, a foreign country” under the “Additional Requirements” section refer to scenarios where the researcher is located at a foreign research institution or on a visiting scholarship?
- What information should the applicant(s) seek from their partner organization(s) about the source of the funds, in relation to the statement in the “Additional Requirements” section?
1. How might my research be impacted by national security risks?
A: Your research is valuable and, therefore, might be an attractive target for those seeking to engage in theft, espionage, or foreign interference on Canadian research and intellectual property to advance their own national priorities and gains. In some cases, sensitive research can have dual-use applications that could lead to advancements in the strategic, military, or intelligence capabilities of other state and non-state actors, or be used to purposefully cause harm.
Insufficient safeguarding of your research against security risks could lead to a number of negative impacts, such as:
- Diminished trust and confidence in your research data and results;
- Loss of research data;
- Loss of exclusive control over the dissemination of your research, including any intellectual property, patent opportunities, and potential revenue;
- Legal or administrative consequences;
- Loss of potential future partnerships; and
- Tarnished reputation.
The Risk Assessment Form helps you identify, assess and mitigate national security risks related to the nature of your proposed research project and your prospective research partnerships.
2. When do I need to complete the Risk Assessment Form?
A: This form may be required as an integral part of applications to some federal research partnership funding opportunities. To determine whether you are required to submit a Risk Assessment Form with your application, consult the literature associated with the funding opportunity for which you are applying.
3. Where can I find resources to help effectively complete the Risk Assessment Form?
A: You can find resources to help you effectively complete the Risk Assessment Form on this website, the Safeguarding Your Research Portal.
To effectively complete the “Know Your Partner” section of the Risk Assessment Form, you are encouraged to conduct open source due diligence research. This research method draws on methods from Open Source Intelligence, a discipline that collects and analyses public information to support decision-making. More information can be found here: Guidance on Conducting Open Source Due Diligence.
Our other resources can help you:
- Understand the risks to your research, which can be found in the following sections of the Safeguarding Your Research Portal:
- Determine how to assess risks by consulting Assessing Your Risk Profile and Mitigating Your Research Security Risks
You may also consult with your institution to complete the Risk Assessment Form and your institution should be involved in the development of your risk mitigation plan. Information and guidance on risk mitigation can be found on the Safeguarding Your Research Portal. To learn about how to develop your project-specific risk mitigation plan, consult the guide titled Mitigating economic and/or geopolitical risks in sensitive researcher.
4. Can or should my partner organization help in completing the Risk Assessment Form?
A: You are encouraged to consult your partner organization(s) when completing your Risk Assessment Form. To support transparency and openness, it is also recommended that you and your partner organization communicate about your mutual interests and objectives regarding your research. You should have open conversations about the sensitivity and intended uses of your research, its inputs and results, and data.
However, your partner organization should not complete your Risk Assessment Form on your behalf. You should answer the questions to the best of your ability by using information and resources that are available to you. You should also conduct your own due diligence to validate the information provided by your partner organization(s).
5. What is required from the researcher and their institution to comply with the Guidelines?
A: Both the researcher and their institution have a shared responsibility in safeguarding their research from security risks. This includes the researcher’s responsibility to conduct their due diligence, complete the Risk Assessment Form, and requirement to develop their risk mitigation plan with their institution. Researchers may involve their institution’s corporate support services (e.g., IT, security, legal) to confirm the viability and feasibility of the proposed mitigation measures. Involving your institution’s corporate support services will also ensure that your plan includes mitigation measures that are usually managed at the institutional level.
6. What does the Government of Canada do with the information that is collected on the Risk Assessment Form?
A: The information that is collected in the Risk Assessment form will only be used by the Government of Canada to assess risks to national security. All information is shared and managed in accordance with the Privacy Act.
When the Risk Assessment Form is submitted as part of a grant application, prior to the scientific merit review, the funding agencies will first conduct an administrative review of your application to ensure its completeness and validate the information you have provided, using open source tools and methods.
If your application requires a national security risk assessment, it will also be shared with Canada’s national security departments and agencies for their assessment and advice.
After the national security risk assessment has been completed, Canada’s national security departments and agencies will inform the respective granting agency of their findings regarding national security risks. The granting agency considers the risk assessment and advice received from national security departments and agencies, alongside the result of the merit assessment, to determine the funding decision for each application.
For more information on the overview of the process, visit the Risk Assessment Review Process.
7. In cases where the researcher is confident that their project is low risk overall, should they still flag any and all risks in the Risk Assessment Form even if they are very unlikely?
A: Yes, even in cases where the researcher is confident that their project is low security risk overall, they must still flag any and all risks.
You must describe all reasonable risks, no matter their magnitude or their likelihood, in your response in the Risk Assessment Form. You are advised to demonstrate that you have completed your due diligence, and should state why you believe these risks to be of low magnitude and/or likelihood.
8. What is a Risk Mitigation Plan?
A: The Risk Mitigation Plan is the fourth section of the Risk Assessment Form. It involves a response of up to 900 words where you identify any measures that address, or seek to address, all of the identified risks to your research that were listed in the section of the Risk Assessment Form, titled “Risk Identification”.
For any Risk Assessment Form question where you answered “yes” or “unsure”, you must describe these risks and address them in your risk mitigation plan. Any grant application where this has not been properly completed (e.g., where a risk is not described, or where there is no corresponding mitigation measure) will be removed from consideration.
Visit the Mitigating Your Research Security Risks page for additional information and guidance.
9. How specific should a Risk Mitigation Plan be?
A: We encourage you to be as specific as possible in your Risk Mitigation Plan and to consult both your partner organization and research institution when determining the appropriate risk mitigation measures to address the identified risks.
Mitigation measures should be tailored to the research project and commensurate with the risks identified while considering open science principles. For instance, your risk mitigation plan could cover areas, such as, but are not limited to:
- Raising research security awareness and building capacity across your research team
- Ensuring that your partner organization(s)’ objectives align with the objectives of the partnership
- Ensuring sound cybersecurity and data management practices
- Agreement on intended use of research findings
Keep in mind that all projects are unique, and some may require more risk mitigation measures than others. Examples of specific measures to consider in your risk mitigation plan include, but are not limited to:
- Training (research security, cyber security, and intellectual property training)
- Guidance and best practices from Government of Canada departments
- Partnership agreements that include intellectual property and technology transfer clauses that address national security risks
- Data management plan (for useful resources, consult the Frequently Asked Questions of the Tri-Agency Data Management Policy)
- Cyber security plan (for useful resources, consult the Canadian Centre for Cyber Security’s Security Considerations for Research and Development)
- Establishing access restrictions for partners and personnel to an “as needed” basis
- Regular reporting to your institution on the implementation and effectiveness of the proposed risk mitigation measures
For each mitigation measure you propose, you must also provide a timeline for its implementation and discuss how you and your institution will monitor its effectiveness. It is not sufficient to refer to existing or upcoming policies and practices within your institution. If you refer to a policy or practice, you must also describe what this policy or practice entails and how it will be applied to mitigate the identified risks.
For more information on completing the risk mitigation plan, consult these resources: Mitigating economic and/or geopolitical risks in sensitive research projects and Mitigating Your Research Security Risks.
10. Who is responsible for completing the “Additional Requirements” section of the Risk Assessment Form?
A: In consultation with all co-applicants, the primary applicant is responsible for confirming both statements under this section before submitting the Risk Assessment Form.
11. Does the statement “The applicant(s) have not accepted and will not accept any offer of funding that is conditional upon the mirroring of their academic laboratory in, or the transfer of their academic laboratory to, a foreign country” under the “Additional Requirements” section refer to scenarios where the researcher is located at a foreign research institution or on a visiting scholarship?
A: No. Dual affiliations and visiting scholarships/fellowships are regular research activities, and are expected to be transparently disclosed to your home institution and in your funding applications to the federal granting agencies. The Government of Canada is supportive of these activities. If you will travel to participate in such activities, you should be aware of any associated risks and mitigation strategies. For more information, consult the How can you protect your research during travel? page as well as the appropriate travel information and advice provided by Global Affairs Canada.
However, researchers should not accept any offer of funding that is conditional upon the establishment of a “shadow” or “mirror” laboratory in a foreign country, or to the transfer of their laboratory from Canada to, a foreign country. “Shadow” or “mirror” laboratories exist for the sole purpose of duplicating the research program of a pre-existing laboratory, in another country and/or institution, often without the knowledge or consent of the original institution. Any research activity that could be perceived as a “shadow” or “mirror” laboratory should be disclosed to the implicated institutions and funders, to ensure that these activities are pursued in compliance with any appropriate policies, professional or disciplinary standards, laws, and regulations.
12. What information should the applicant(s) seek from their partner organization(s) about the source of the funds, in relation to the statement in the “Additional Requirements” section?
A: The applicant should ask their partner organization whether the funding that is being provided is from the partner organization itself, based on its own decision making and priorities, or if the funding is related (wholly or in part) from a budget or priority allocated to them from another person or organization (e.g., parent organization, shareholder, donor, or government entity). If so, the applicant should seek to understand the interests that these third-party organizations may have in the research partnership being funded and/or its outcomes. This due diligence should be considered as part of the risk identification process and, if a risk is identified, the relevant information should be provided in your Risk Assessment Form and the risk should be addressed by appropriate mitigations.