Managing risk in international research and innovation

What is the challenge? 

UK universities have become global institutions, with students, staff and research partnerships across the world. This has allowed the sector, and the UK, to flourish. 

However, there are risks associated with internationalisation, which are increasingly dynamic and complex.  

Threats from hostile state actors are the most prominent security issue universities face, but organisations face a range of other risks from state and non-state actors, who may: 

• seek personal, financial or social gain through actively hostile and illegal actions, such as cyber attacks, or through fraudulent or legally ambiguous business proposals and practices 

• try to increase their scientific and technological advantage over other countries for economic and military gain 

• seek to use these advantages to against their own people 

• use scientific and economic ties to the UK as a PR tool to gloss over human rights violations 

New guidance for the sector  

The nature of threats, and the threat actors themselves, are not static. State and non-state actors may target and seek to exploit academic institutions and collaborations – for example, to transfer or steal information and intellectual property. 

Because of this, institutions have continued to review and adapt their risk management processes. In recent years there has been a plethora of guidance on the matter. This can often feel overwhelming for universities and staff tasked with the reviewing existing and implementing new security policies. 

To this end, Universities UK (UUK), National Protective Security Agency (formerly the Centre for the Protection of National Infrastructure) and UK Research and Innovation (UKRI) have released a new publication.  

Managing risks in international research and innovation: An overview of higher education sector guidance outlines the main security threats that universities face, and summarises three major pieces of guidance universities should acquaint themselves with. It also proposes steps universities should take to implement the guidance, and provides case studies from institutions.  

Among top recommendations are that all universities appoint a member of their senior leadership team to take responsibility of security-related matters and convene a taskforce from internal stakeholders to review existing processes. 

What actions have universities taken? 

Universities have taken a range of actions to tackle these threats, including, but not limited to: 

• unifying due diligence management across departments, e.g. research, finance, and philanthropy 

• expanding risk registers and sharing them across teams within a given institution 

• upgrading due diligence processes and checks 

• updating, revising or creating policies on institutional values, academic freedom and freedom of speech 

• improving policy and training programmes, staff training on security related matters, and creating new working groups or reporting processes 

• conducting cyber-attack and physical penetration tests to update virtual and physical security infrastructure 

• ‘stress testing’ policies, such as using phishing email tests, visitor simulations, and crisis procedures against use cases 

We also strongly recommend that universities develop a plan to ensure that practitioners, academics, and broader academic services staff are aware of policy updates and their rationale and buy-in to the reasons for updates and changes. These plans should be regularly revisited and reviewed to reflect changing security priorities and threats. The report includes case studies on how universities are doing this.

Read the full report.