The starting point is not necessarily speaking to that company. The forms, as you've mentioned, would be filled out by the researchers. They'd be asked to identify a series of pieces of information, including their partners.
The point on this one is that it's intended to be a project-by-project or an initiative-by-initiative assessment. In this instance, there could be flags that push the NSERC folks to take a deeper look at it and seek input. If they were really concerned about it, as Nipun mentioned before, it would be reviewed by some of our security agencies, which might look deeper into this.
The fact that it is on a case-by-case, initiative-by-initiative basis allows us to weigh the risks with regard to individuals.