University of Utah Exception and Risk Assumption Process
When Exceptions Are Allowable
University faculty, staff, students, and volunteers must comply with all applicable policies, procedures, standards, and guidelines. However, there are circumstances where the cost of such implementation exceeds the risk represented by non-compliance with applicable policies and standards. In such instances, an exception must be documented and approved. The following defines this requirement.
Stated Simply: The Exception & Risk Assumption process applies to cases where the cost to remediate practices and systems not compliant with applicable policies and standards greatly exceeds the risks.
Exceptions to applicable policies and standards may be permitted in instances where a risk analysis has been performed. The risk analysis must be documented by a written risk assessment, prepared jointly by the responsible business owner, data owner, principal investigator, business process owner and/or system administrator.
The responsible managers will prepare and sign a standard risk acceptance form. The cognizant Vice President, Dean, Executive Director, or CxO and the OIT Compliance Office must review the request. The OIT Compliance Office is responsible for tracking policy exemptions.
Requests for exception must include:
a valid business justification;
a risk analysis;
compensating controls to manage risk; and
technical reasons for the exception.
Requests for exception that create significant risks without compensating controls will not be approved.
Requests for exceptions are reviewed for validity and are not automatically approved.
Requests for exceptions must be periodically reviewed to ensure that assumptions or business conditions have not changed. Exemption renewals are not automatically approved.
Exceptions Process
Complete the Exception and Risk Assumption Agreement.
Complete the Risk Assessment Document.
Obtain all required signatures.
Submit the request to the OIT Compliance Office.