The Foreign Ownership, Control, or Influence (FOCI) Risk Assessment Guidance (the guidance) helps Australian organisations that are procuring technology products or services. Medium to large and mature small-sized organisations can use this guide.
The guidance provides a template to support contract managers to assess a vendor’s exposure to FOCI and the associated security risks. This template should form part of an organisation’s broader procurement due diligence processes.
This gives organisations a repeatable methodology to identify, assess, recommend and implement mitigations commensurate to the risk posed by vendors operating in their supply chains.
Organisations can choose how to implement, in part or in whole, the guidance into their existing due diligence processes. The guidance is voluntary and does not introduce regulatory or reporting requirements.
Application of the processes within the guidance should always be supplemented with organisational risk management arrangements and the broader supply chain risk considerations available at Cyber Supply Chain Risk Management.
The assessment component of the guidance has two stages:
- Vendor review questionnaire – to determine if you need a FOCI risk assessment for a foreign vendor.
- FOCI risk assessment – using the research undertaken to answer the questionnaire, the full assessment will consider jurisdiction hazard against organisational exposure, FOCI activity risks and possible treatment options.
What is FOCI risk?
Foreign Ownership, Control, or Influence (FOCI) risk refers to the potential for a vendor to be directed by a foreign government through:
- direct ownership channels
- domestic laws of the foreign jurisdiction or
- outside influence.
Procuring technology vendors subject to FOCI increases your risk of exposure to undue influence or acts that can undermine your organisation’s security. It could also affect Australia’s national interests.
Examples of FOCI threats to your organisation include, but are not limited to:
- unauthorised access to or control of security technologies. This includes surveillance cameras, which can help threat actors identify targets for covert operations or compromise across government and industry
- unauthorised bulk data exfiltration and aggregation. This can give insights on business structures, finances, strategies, and exposure to risk that could be exploited or used for influence or interference
- theft of intellectual property. This harms Australian innovation, investment and market confidence
- sabotage, which can have significant impacts across all sectors of the economy and government security
- other activities that may conflict or interfere with the contracted or procured service.
Using the FOCI Risk Assessment Guidance
The Department of Home Affairs encourages organisations to consider FOCI risks as part of their broader risk management and due diligence processes. FOCI risk management can provide long-term benefits to organisational cyber and physical security. It can also prevent reputational damage and losses to commercial competitiveness.
You should refer to the guidance when assessing a technology product or service for procurement.
The vendor review questionnaire is a preliminary assessment tool that will help you determine if you need a full FOCI risk assessment. The vendor review questionnaire takes approximately 60-90 minutes to complete. As you gain familiarity with the questions and resources, the questionnaire should take less time to complete.
A simple-to-follow, printable template of the vendor review questionnaire and a completed example are available in the guidance.
The guidance also has a non-exhaustive list of publicly available resources to refer to when you complete the vendor review questionnaire.
The information you gather when conducting the risk assessment reflects a point in time; your organisation should review the assessment throughout the procurement lifecycle.
Other considerations
The guidance does not provide an exhaustive list of security concerns associated with FOCI. Companies and organisations should not use it as a single source for supply chain risk mitigation information that will protect them from all possible activities of foreign interference, sabotage and espionage.
Companies and organisations should always supplement the processes in this guidance with organisational risk management arrangements and the broader supply chain risk considerations. You can find this information at Cyber Supply Chain Risk Management.
Documents
The guidance and accompanying materials are in beta. We will update them to ensure they stay fit for purpose.
You can find descriptions of key terms used in the guidance in the glossary at the end of the guidance.
Feedback
We welcome your input on how we can improve the guidance. We will consider your suggestions for future updates to this page and relevant documents. You can submit feedback in writing or by using the feedback button at the bottom of this webpage.