Policy

Due Diligence Policy

  • Compliance and Risk
  • Email: complianceandrisk@cardiff.ac.uk

1. Purpose and Scope

Cardiff University, as stated in its Charter, exists to advance knowledge and education through teaching, research, and the example and influence of its corporate life. It also contributes to the social, cultural, and economic development of Wales and the United Kingdom.

We extend that commitment to the communities in which we engage internationally where our position is one of culturally sensitive, contextual and relevant contributions to social, cultural and economic development.

To support this mission and extend its reach as a global civic institution, the University may form partnerships or relationships with a wide range of third parties—such as individuals, companies, organisations, subcontractors, funders, donors, sponsors, consultants, honorary or lay members, other universities, foreign governments, and charities. The University has a responsibility to assess the suitability of engaging with such entities.

To safeguard the University’s interests and reputation, and to ensure consistency and clarity in decision-making, a formal approach is required before entering into any third-party relationship. This approach is outlined in the University's Due Diligence Framework for Partnerships and Relationships with Third Parties (“the Framework”), which supports informed, ethical, and accountable engagement across all projects and activities.

The Framework serves as a practical guide for staff negotiating interactions with external parties. It supports risk assessment and transparent evaluation of whether a proposed relationship is appropriate. It also helps ensure that colleagues meet their legal duties and broader responsibilities to external partners.

This policy, which implements the Framework, is intended to:

  1. Remind all staff of the need to carefully consider the relationships they form, and to be alert to financial, legal and reputational risks associated with the proposed and continuing relationships;
  2. Highlight the key considerations through which staff should assess the proposed relationship and decide whether it is appropriate to escalate the decision about whether to enter into the relationship; and
  3. Explain how the due diligence, risk assessment and escalation processes should work.

The scope of this policy includes all relationships with third parties entered into, by or in connection with Cardiff University. The University is committed to academic freedom and freedom of speech within the law and values and safeguards its autonomy and the freedom of inquiry by students and staff. It therefore does not enter into partnerships or relationships when any condition of the partnership would compromise these fundamental principles.

1.1 Exclusions

Many organisations that the University works with or accepts funding from have their own transparent governance and/or are subject to UK or European legislation or further regulation and audit, such that they are considered to be low risk. Due diligence arrangements are therefore not normally required before working with them, although colleagues should always consider whether there are any financial, security, reputational, or legal risks with any relationship. A list of relevant organisations is included in the Framework.

1.2 Applicable Partnerships / Relationships

Due diligence may be required at organisation, individual or activity level (or a combination of these).

The following activities must be subjected to Due Diligence review and assessment. These activities are indicative and not exhaustive. The table also indicates the process owner for each potential partnership/relationship, who is the point of escalation for more complex due diligence decisions.

| Activity | Process Owner |
| --- | --- |
| Research partnerships/collaborations, except where covered by the exclusions above | Director of Research Services |
| Commercial royalty revenue | Director of Research Services |
| Cardiff Innovations, Sparc and Medicentre tenants | Director of Research Services |
| Receipt of funding for research, consultancy, innovation and studentships, except where covered by the exclusions above | Director of Research Services |
| Receipt of gifts or donations, whether solicited or offered | Director of Development and Alumni Relations |
| CPD Activity | Head of CPD Unit |
| UK Education Partnerships/collaborative provision, except where covered by the exclusions above | Head of Education Governance |
| International Education Partnerships/collaborative provision, except where covered by the exclusions above | Director of Communications, Marketing and Student Recruitment |
| Appointment of international recruitment agents | Director of Communications, Marketing and Student Recruitment |
| Careers fairs and events / external student support and mentoring / work placements and experience | Head of Careers |
| Student exchanges | Head of Global Opportunities |
| Student work or educational placements or co-supervision of research students | Global Opportunities – international placements; University Organised Work placements – Careers service; Academic placements – School/Programme managers; Co-supervision of research students – Principal Investigators |
| Contracting of services, sub-contracts or shared services from, e.g., small stationery contracts to major capital development projects | Director of Procurement |
| Appointment of suppliers, including consultants | Director of Procurement |
| Hosting or supporting external events and conferences | Director of Communications, Marketing and Student Recruitment |
| Hosting external speakers | Head of Compliance and Risk |
| Conferment of honorary degrees or fellowships | Director of Communications, Marketing and Student Recruitment |
| Appointment of lay members of Council and its committees | Chief Operating Officer and University Secretary |
| Appointment of members of advisory boards or groups | Chief Operating Officer and University Secretary |

2. Policy

Cardiff University is committed to conducting its affairs responsibly, transparently, and in compliance with national and international regulations. This includes ensuring that staff meet both statutory obligations and broader responsibilities when engaging with third parties, including collaborators, funders, and stakeholders.

As part of ensuring good governance and ethical decision-making, due diligence is required in various areas on potential companies and personnel with whom the University may enter into agreements, contracts, associations or significant monetary exchanges.

The Framework enables the University to:

  1. Establish whether a proposed partnership or relationship aligns with its objectives and values.
  2. Consider potential reputational risks associated with the third party.
  3. Assess the level of potential risk presented by the proposed relationship.
  4. Ensure that any proposed partnership or relationship takes into account the University’s compliance requirements with relevant legislation and with external research funders’ terms and conditions.
  5. Determine whether identified potential risks are proportionate to the potential benefits.

Due Diligence Assessments will be undertaken in a timely manner on formalised institutional relationships where Cardiff University intends to, or will, agree a contract with a third party.

3. Roles and responsibilities

The Chief Operating Officer and University Secretary is the senior officer responsible for the University’s adherence to the Due Diligence Framework.

The University Secretary’s Office is responsible for:

  1. Overseeing application of the Due Diligence Framework.
  2. Developing and maintaining the Central (Umbrella) Due Diligence Policy and Procedure.
  3. Providing advice, guidance and training where required, on the application of the due diligence policy, including the correct process for discussion and approval of due diligence assessments.
  4. Providing signposting advice to specific Due Diligence procedures, making referrals to relevant process owners or decision makers as appropriate.
  5. Providing an annual assurance report to Audit and Risk Committee on the application and effectiveness of the due diligence policy and procedure.

All Staff members who are exploring a new partnership or relationship are responsible for:

  1. Undertaking an initial assessment of the potential risk of the activity and the partner/third party.
  2. Maintaining records associated with the Due Diligence Process, including frequency of reviews, in line with University information handling procedures.

Process Owners (Decision Makers) are responsible for:

  1. Nominating Designated Due Diligence Individuals from their area to carry out due diligence activities under the procedure including initial/local assessments.
  2. Advising on the application of due diligence procedures within their remit and on carrying out assessments as required, advising on potential risk mitigations where concerns have been identified.
  3. Recording and maintaining information about the process, criteria, sources, method of assessment and roles and responsibilities.
  4. Acting as a point of escalation for decision making where an initial/local assessment identifies a moderate or significant concern.
  5. Reporting information on recorded numbers and outcomes of due diligence activities to the University Secretary’s Office (ComplianceandRisk@cardiff.ac.uk) for reporting purposes where the Framework identifies a requirement.

When any new related Due Diligence process is developed, the process owner must inform the University Secretary’s Office (via ComplianceandRisk@cardiff.ac.uk) in order to update the Due Diligence Framework document (Related policies and procedures).

Designated Due Diligence Individuals within each relevant professional service or academic unit are responsible for:

  1. Acting as a point of escalation for decision making where an initial/local assessment identifies no or limited concerns.

Each professional service/academic unit should have at least two such designated individuals of appropriate seniority and who have received institutional due diligence training.

Decision Makers (normally the relevant process owner in section 1.2 above) are responsible for:

  1. Making decisions on whether the partnership/relationship should proceed where moderate or significant concerns are identified.
  2. Deciding on the proposed frequency of future reviews for ongoing collaborations. This should normally be at least every two years (or if new information comes to light giving rise to new concerns or relating to accuracy of initial information).
  3. In cases that are felt to be particularly complex or controversial, the Audit and Risk Committee of Council will be consulted by the decision maker (process owner), via the Chief Operating Officer and University Secretary, and will be the final decision maker.
  4. Where it is decided to proceed with a relationship which carries a level of risk, the decision maker will be responsible for ensuring that appropriate mitigations can be put in place. Where relevant, this should be done in discussion with the University Secretary’s Office and/or the relevant process owner.

All individuals shall undertake relevant training as identified by the University Secretary’s Office.

4. Monitoring and review

The operation of the Due Diligence Framework and all subsidiary documents noted within it will be monitored on a regular basis by the Chief Operating Officer and University Secretary or their nominee and further developed, as required, in the light of experience of its operation.

Departments responsible for Due Diligence are required to regularly monitor, and if required make amendments / improvements to, their Due Diligence review processes.

Document control table

Document title: Due Diligence Policy
Version number: 1.2
Effective date: 01 June 2026