Accessibility statement

Risk management and due diligence procedures for research

For further information contact:

Research Grants Operations General enquiries: ext 4416, email


Risk management and due diligence refer to the checks which the University has in place to identify and manage risk before an activity goes ahead.

For research, risks fall broadly into three areas:

  1. Reputational i.e. could the department/University/the research community as a whole be damaged by association with this project?
  2. Financial: e.g. Are the partners of good financial standing? Are robust financial management and record keeping processes in place to enable the University and its partners to claim from funders against expenditure? What is the overall value of the grant?
  3. Operational: e.g. Are there health and safety considerations to be addressed? Are there constraints on transferring funds to a partner in another country?

It is in the University’s interests to take reasonable care to identify and mitigate risk to the institution, and ensure that the research carried out in its name and with its partners is able to go ahead. This includes ensuring that partners understand from the outset what they are committing to in operational terms when working with us. In addition, an increasing number of external funders are placing a requirement on the University to undertake due diligence checks as a condition of award (i.e. in order to protect their investment). It is the University's responsibility to mitigate any risks arising from those checks

For an individual research project, the degree of risk hinges on three key elements:

  1. Where the research is taking place
  2. Who the University is working with
  3. What the individual research project involves.

These elements are not mutually exclusive, and the degree of risk needs to be assessed in the round with reference to the relationship between all three, which will vary from project to project.

Summary of procedures

Pre-award risk management

  • Risk Management tab in Worktribe – completed by the PI (or DRA) for all projects and assessed by RGO grant co-ordinators. This is a high level assessment to identify risk at an early stage relating to: PI experience, dependence on partners, working overseas, resource requirements, reputational considerations and conflicts of interest, data management, insurance.

Guidance on completing the Risk tab

The Global Engagement team is able to help with conducting checks on prospective new international partners and advising on risk mitigation.

  • Risk Management assessment: pre-award – completed by RGO grant co-ordinators for ALL 'complex' projects and for 'simple' projects where a risk is identified during the standard review. This is a high level assessment to identify risk at an early stage, looking at finance, audit and legal considerations in relation to funders and partners. 

Due diligence

  • Pre-award queries for Research Collaborators – completed by overseas partner organisations and assessed by RGO grant co-ordinators. This covers potential operational risks to the project related to working with overseas partners (e.g. permission to conduct research; costings; transfer of funds; insurance).
  • Collaborative Research Projects Due Diligence Pro Forma – completed by partner organisations and assessed by RGO. For completion by any collaborator with whom the University has never worked or has not worked with in the last two years, with the exception of other UK Higher Education Institutions, partners on EC grants, RCUK eligible IROs, UK Government bodies and NHS Trusts. The form covers governance and status; finance and financial procedures; experience of collaborative research projects; research good standing; policy framework re: insurance, health and safety, equality, data management. Due diligence is usually carried out at award stage but may be carried out at application stage if deemed necessary (e.g. application has a high chance of being successful and a short-turn around at award stage).

University Scheme of Delegation

The University also operates a Scheme of Delegation for all research-related projects, whereby projects where the value to the University of York is >£1m require additional authorisation by the PVC Research. Departments are advised that forms should be submitted for approval two weeks before the deadline for submission. Please note that the University's risk management and due diligence procedures undergo regular review in response to the changing HE environment, so may be subject to change.

Due diligence

What is the process?

For most research grants due diligence checks would be undertaken, if required, at the point that the award is made to the University.

For GCRF grants we would start this process much sooner - partly to identify any potential risks that could be mitigated when we are putting together the application and partly to avoid delays at the award stage. For GCRF grants it is common that the peer review process will happen much quicker than any other schemes and that there will be a short turnaround between the issue of the award letter and the start date of the project. With this in mind the due diligence process will begin with the pre-award queries for research collaborators prior to submission, followed by the more comprehensive form at  award stage.

Who handles this process?

RGO will advise the PI on what documentation is required at what stage. They will request the contact details for your collaborator(s) (name, email address) and will then issue the document to the collaborator for completion.

What happens once the collaborator has completed the form?

Returns will be assessed on an individual basis.
RGO will make an initial assessment of the responses and escalate if there are any concerns to the PI and to colleagues in other support departments of the University. The aim is to work with the PI and collaborator to try and resolve any issues which we feel may pose a risk to the project and to the University. There are many ways in which risk can be mitigated and proposed actions will depend upon the type of risk and the level of risk. Any mitigation actions will be incorporated into the legal agreements that we issue.