Risk Mitigation: What You Need to Know
Federal agencies are increasingly conducting research security reviews and may send a Request for Information (RFI) or require a full Risk Mitigation Plan (RMP) as part of an award review, proposal review, or ongoing project.
If you receive a request for a risk mitigation plan—or if you notice non-standard research security requirements in an award or award modification—contact Northwestern's Export Controls and International Compliance (ECIC) and Sponsored Research teams immediately. Early coordination helps ensure a timely and accurate response.
Forward requests to:
ECIC team: exportcontrols@northwestern.edu
Amy Weber: amy.weber@northwestern.edu
Sponsored Research: SR Specialist listed on the CERES Funding Proposal (FP) or Award (AWD) record. Be sure to include the CERES reference number in the subject line of the message.
Frequently Asked Questions
- What does a research security RFI or request for a mitigation plan look like?
Requests vary widely by agency. Common formats include:
- Formal letters (often sent to Sponsored Research, the PI, and/or ECIC)
- Emails requesting specific information or certain certifications (e.g., “No Covered Individual identified in this proposal is actively collaborating on fundamental research with a prohibited entity, or an employee of a prohibited entity, as defined by current Department of Defense research security policy”?)
- Do NOT send standard certifications to the ECIC for simply verifying research security training or “Certify that covered individuals are not members of a Malign Foreign Talent Recruitment Program.” These are handled by SR and the RAs.
Even if the request appears to have been shared with others, always forward it to ECIC/SR to ensure visibility and coordination.
- What is a Risk Mitigation Plan (RMP)?
A Risk Mitigation Plan (RMP) is an internal Northwestern document that outlines processes and procedures to mitigate research security risks when required by a sponsor or award terms. An RMP:
- Documents compliance measures and institutional due diligence, such as research security training, travel reporting, collaboration concurrence
- Includes relevant screening results (e.g., restricted party screening)
- Provides guidance and resources to ensure compliance throughout the project
The ECIC team works closely with the PI to develop and finalize the plan. SR is not involved in the development of the plan but may need to assist if any changes are needed to the project scope, timing, or budget based on the sponsor’s response.
- How else might mitigation requirements appear?
Some agencies—particularly DoD—are increasingly including research security requirements and mitigation measures directly in proposal solicitations as well as in award terms and conditions, including award modifications. All stakeholders play a role in proactively identifying and escalating these terms.
- What triggers RMP requests or research security RFIs?
Triggers vary by agency but are typically based on risk assessment criteria or matrices. Examples include, but are not limited to:
- Foreign appointments or affiliations (including honorary roles) in foreign countries of concern (FCOCs) – China including Hong Kong and Macau, Iran, North Korea and Russia;
- Funding from FCOCs;
- Collaborations with FCOCs, including co-authorship even if they are not on a restricted list; and
- Other activities identified through agency-specific risk assessment frameworks.
The ECIC team maintains a consolidated resource of agency risk criteria and guidance.
- What should I do if I receive a request for an RMP or research security RFI from a federal agency?
Receipt of an RFI or RMP request does not necessarily indicate wrongdoing or a compliance concern. Many such requests are generated through standard agency risk assessment processes and simply require additional documentation or mitigation measures before funding can proceed. However, it is critical to make both ECIC and SR aware of the request as soon as possible. Please promptly forward the request to both:
- ECIC team: exportcontrols@northwestern.edu
- Amy Weber: amy.weber@northwestern.edu
- Sponsored Research: SR Specialist listed on the CERES Funding Proposal (FP) or Award (AWD) record. Be sure to include the CERES reference number in the subject line of the message.