Beyond the checklist: implementing TREF for impact

The Trusted Research Evaluation Framework (TREF) offers institutions a structured way to reflect on how they approach research security. Used well, it can support proportionate decision‑making, highlight gaps in capability, and create a shared language across complex institutions. Used less carefully, it risks becoming another checklist layered onto already crowded and stretched compliance environments.

In practice, the success of TREF implementation is shaped less by the framework itself and more by how institutions go about implementing it. In other words: whether it becomes a meaningful change programme or just another compliance exercise comes down to intent, sequencing, and culture. Seen through that lens, TREF implementation sits in the overlap between governance, compliance and culture.

Start with intent, not the checklist

A common early move is to map existing activity directly against the framework’s indicators. This can feel efficient, particularly where there is pressure to evidence progress. But starting with assessment rather than intent often leads to superficial alignment rather than meaningful change.

Before engaging in detailed evaluation, it is worth being clear about what problem you are trying to solve. Are decisions about international collaboration inconsistent? Are risks being identified too late to be managed effectively? Are responsibilities unclear or overly concentrated in a small number of roles?

Clarity on intent also makes it easier to articulate the benefits colleagues will actually feel (for example, earlier support, clearer escalation routes, more consistent decisions, and less disruption to research activity). TREF is most effective when used as a diagnostic tool to help answer those questions rather than a scorecard to be completed.

The risks of checklist thinking

Treating TREF as a checklist can also obscure sequencing. When the focus becomes whether something exists, rather than whether the conditions are in place for it to work, implementation problems are almost inevitable.

A simple example illustrates the point. If staff are trained to follow a new expectation for international travel (for example, taking secure travel equipment), but no route exists to access that support, it does not take long for frustration to arise. From a checklist perspective, training has been delivered. From the perspective of those expected to change their behaviour, the system feels incoherent and unworkable. Failures of sequencing can erode confidence in the very systems designed to support secure practice.

Checklist approaches also tend to prioritise visible outputs (policies, guidance, training modules) over whether systems are usable in practice. That gap between expectation and experience is one of the fastest ways to drive disengagement.

If intent and sequencing address the what and when, the next question is how that change lands with the people expected to deliver it. This is where implementation becomes most interesting: not only whether controls exist on paper, but how governance, compliance and culture reinforce (or undermine) each other in practice.

Trusted research is a cultural shift

At its core, the Trusted Research Evaluation Framework is about supporting security‑conscious research cultures. That ambition matters, because culture does not change on the same timeline as documentation.

Institutions are often well‑equipped to update policies and procedures. Templates, thresholds, ownership and escalation routes can be introduced relatively quickly before there is shared understanding of risk appetite or proportionality.

Initiatives, and the individuals driving them, can run out of steam before they reach the critical work of embedding new behaviours: helping people understand why expectations are changing, supporting them to act differently, and reinforcing those behaviours consistently over time.

If we want researchers and professional services colleagues to pause earlier, ask different questions, and feel confident escalating concerns, implementation plans need to allow time not just for delivery but for absorption.

Don’t forget the importance of “how”

Checklist thinking draws attention to what needs to be in place, while sidelining how change is introduced. In practice, the “how” is often far more important.

Two institutions can introduce identical policies and training programmes and see very different outcomes. The difference is rarely the content. It is more often the process: who was involved in shaping the approach, how expectations were communicated, whether people recognised their own realities in the guidance, and whether systems were designed to support new behaviours rather than simply mandate them.

Case studies and training materials frequently foreground what can go wrong: sanctions, loss of funding, reputational damage, national security threats. While these risks are real, fear is a weak driver of sustained behaviour change. It rarely builds confidence, judgement, or ownership; over time it can encourage avoidance, disengagement, or workarounds that bypass the very controls you are trying to embed.

When trusted research measures are experienced as something done to researchers, engagement tends to be shallow. When they are developed with the research community, they are far more likely to lead to lasting behavioural change. This includes developing content that shows how research has been enabled through challenges and what measures can protect, preserve and build.

Building for durability, not just delivery

Ultimately, implementing the Trusted Research Evaluation Framework is not a technical exercise. In our experience, the institutions that make the most progress treat trusted research as a connected system—where governance sets direction, compliance provides assurance, and culture determines whether the approach is actually adopted.

Getting the sequencing right, allowing time for behavioural change, and paying close attention to how implementation is experienced will not make progress faster. But it will make it more durable. In practice, sustained impact tends to come from disciplined governance, clear ownership and a commitment to learning as the approach matures.

If your institution is translating TREF into practice, a short sense‑check early on can help surface where intent is unclear, sequencing risks are building, or cultural factors may determine whether the work sticks.