Manage policy exceptions

Policy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception workflow.

[Figure: Policy exception workflow]

[Figure: Approved policy exception]

Request a policy exception

Control owners may request a temporary policy exception for controls that are non-compliant. The policy exception request is related to the policy, policy statement, or issue from which it originates. All impacted controls are identified in a related list. After a policy exception is approved, the control owner may ask for an extension using the original policy exception.

Before you begin

Role required: control owner

Procedure

  1. Navigate to Policy and Compliance > My Policy Exceptions.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Policy Exception Request (field: value)
      Policy: The policy associated with this policy exception.
      Issue: The issue associated with this policy exception.
      Policy Statement: The policy statement associated with this policy exception.
    Business Impact Analysis section:
      Risk description: The description of the risk, as recorded by the risk manager during the risk assessment.
      Residual likelihood
      Residual impact
      Residual score
    Schedule section:
      Created: The day the policy exception was requested.
      Valid from: The day on which the policy exception begins.
      Valid to: The day on which the policy exception ends.
      Date approved: The day the policy exception was approved.
      Requested Extension: Indicates whether an extension has been requested for this policy exception.
    Comments section:
      Work Notes: Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
      Additional comments: Contains more information, if necessary.
    Activities section
    Policy exception section:
      Number: Read-only field that is automatically populated with a unique identification number.
      State: The state of the policy exception within the approval workflow.
      Requester: The person requesting the policy exception, usually the control owner.
      Substate
      Approval group: The group that is notified for approval.
      Priority
      Approver: The approver of the request.
      Watch list: Users who will be notified when the request is updated.
      Short Description: A description for the policy exception request.
      Justification: Evidence or rationale for the policy exception.
      Additional comments: Public information about the policy exception.
  4. Perform one of the following actions:
    Option: To add impacted controls to the policy exception
    Action:
      a. Click the Impacted Controls tab.
      b. Click Add or Add All.
      c. Choose the controls to associate with the policy exception.
    Option: To view mitigating controls on the policy exception
    Action: Click the Mitigating Controls tab.
    Option: To add risks to the policy exception
    Action: Click the Risks tab.
    Note: This option is available only when Governance, Risk, and Compliance is also activated.
    Option: To add approvers to the policy exception
    Action: Click the Approvers tab.
  5. Click Submit.
    An email notification is sent to the approval group named on the request.

Review the policy exception request

After reviewing a policy exception request, a compliance manager can accept or reject the request. However, if the compliance manager does not have enough information to make a decision, they can request a risk assessment by the risk manager.

Before you begin

Role required: compliance manager

Procedure

  1. Navigate to Policy and Compliance > My Policy Exceptions.
  2. Select the policy exception.
  3. Review the following fields:
    Table 2. Policy exception request, Business Impact Analysis tab (field: value)
      Risk description: Enter a description of the risk.
      Residual likelihood: Update this value.
      Residual impact: Update this value.
      Residual score: Update this value.
  4. Perform one of the following actions:
    Option: To view or add impacted controls to the policy exception
    Action:
      a. Click the Impacted Controls tab.
      b. Click Add or Add All.
      c. Choose the controls to associate with the policy exception.
    Option: To view mitigating controls on the policy exception
    Action: Click the Mitigating Controls tab.
    Option: To view or add risks to the policy exception
    Action: Click the Risks tab.
    Note: This option is available only when Governance, Risk, and Compliance is also activated.
    Option: To view or add approvers to the policy exception
    Action: Click the Approvers tab.
  5. Perform one of the following actions:
    Option: To approve the policy exception
    Action: Click Approve.
    Result: An email notification is sent to the requester that the policy exception request (PER) was approved and goes into effect.
    Option: To reject the policy exception
    Action: Click Reject.
    Result: An email notification is sent to the requester that the PER was rejected and the request is closed.
    Option: To request a risk assessment on the policy exception
    Action: Click Request Risk Assessment.
    Result: An email notification is sent to the risk managers group.
    Note: This option is available only when Risk Management is also activated.
    Option: To request business owner approval
    Action: Click Request Business Owner Approval.
    Result: An email notification is sent to the business owner.
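The two procedures above (request, then review) describe a small state machine: a request moves from the control owner to the approval group, may detour through a risk assessment or business owner approval, and ends approved or rejected, with relief valid only between Valid from and Valid to. The following Python model is an added example written for this page; it is not ServiceNow code, and every class, function and recipient name in it (PolicyException, State, submit, approve, "approval-group", and so on) is a hypothetical stand-in chosen to mirror the form fields above. Two behaviours the page does not spell out are modelled as labelled assumptions: an extension requested on the original record re-enters the approval workflow without interrupting the relief already granted, and rejecting an extension leaves the original terms in place. The expiry_report function is the part a practitioner most wants: it flags exceptions whose relief has lapsed or is about to, so a non-compliant control does not quietly stay that way after its exception ends.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class State(Enum):
    DRAFT = "draft"
    REQUESTED = "requested"              # submitted to the approval group
    RISK_ASSESSMENT = "risk_assessment"  # compliance manager asked the risk managers for input
    BUSINESS_OWNER = "business_owner"    # waiting on business owner approval
    APPROVED = "approved"
    REJECTED = "rejected"


PENDING = {State.REQUESTED, State.RISK_ASSESSMENT, State.BUSINESS_OWNER}


@dataclass
class PolicyException:
    # Hypothetical model; attribute names mirror the form fields on the page.
    number: str
    requester: str
    justification: str
    valid_from: date
    valid_to: date
    impacted_controls: List[str] = field(default_factory=list)
    state: State = State.DRAFT
    date_approved: Optional[date] = None
    extension_requested: bool = False
    requested_valid_to: Optional[date] = None
    notifications: List[str] = field(default_factory=list)  # stand-in for the email notifications

    def notify(self, recipient: str, message: str) -> None:
        self.notifications.append(f"{recipient}: {message}")


def submit(exc: PolicyException) -> List[str]:
    """Control owner submits the request; returns validation problems (empty list means submitted)."""
    problems = []
    if not exc.justification.strip():
        problems.append("Justification is required")
    if not exc.impacted_controls:
        problems.append("At least one impacted control must be listed")
    if exc.valid_to <= exc.valid_from:
        problems.append("Valid to must be later than Valid from")
    if problems:
        return problems
    exc.state = State.REQUESTED
    exc.notify("approval-group", f"{exc.number} awaits review")
    return problems


def request_risk_assessment(exc: PolicyException) -> None:
    """Compliance manager lacks information and hands the request to the risk managers group."""
    if exc.state is not State.REQUESTED:
        raise ValueError(f"cannot request a risk assessment in state {exc.state.value}")
    exc.state = State.RISK_ASSESSMENT
    exc.notify("risk-managers", f"{exc.number} needs a risk assessment")


def request_business_owner_approval(exc: PolicyException) -> None:
    if exc.state not in PENDING:
        raise ValueError(f"cannot request business owner approval in state {exc.state.value}")
    exc.state = State.BUSINESS_OWNER
    exc.notify("business-owner", f"{exc.number} needs your approval")


def approve(exc: PolicyException, today: date) -> None:
    """Approval also grants a pending extension (assumption: same record, same workflow)."""
    if exc.state not in PENDING:
        raise ValueError(f"cannot approve in state {exc.state.value}")
    if exc.extension_requested:
        exc.valid_to = exc.requested_valid_to
        exc.extension_requested = False
    exc.state = State.APPROVED
    exc.date_approved = today
    exc.notify(exc.requester, f"{exc.number} approved, in effect until {exc.valid_to}")


def reject(exc: PolicyException) -> None:
    """A rejected new request is closed; a rejected extension leaves the original terms (assumption)."""
    if exc.state not in PENDING:
        raise ValueError(f"cannot reject in state {exc.state.value}")
    if exc.extension_requested:
        exc.extension_requested = False
        exc.state = State.APPROVED
        exc.notify(exc.requester, f"{exc.number} extension rejected; Valid to {exc.valid_to} stands")
    else:
        exc.state = State.REJECTED
        exc.notify(exc.requester, f"{exc.number} rejected and closed")


def request_extension(exc: PolicyException, new_valid_to: date) -> None:
    """Control owner asks for more time on the original record; it goes back to the approval group."""
    if exc.state is not State.APPROVED or new_valid_to <= exc.valid_to:
        raise ValueError("extensions apply only to approved exceptions and must move Valid to later")
    exc.extension_requested = True
    exc.requested_valid_to = new_valid_to
    exc.state = State.REQUESTED
    exc.notify("approval-group", f"{exc.number} extension to {new_valid_to} awaits review")


def is_in_effect(exc: PolicyException, today: date) -> bool:
    """Relief applies only inside the approved window; a pending extension does not widen it."""
    approved_once = exc.date_approved is not None and exc.state is not State.REJECTED
    return approved_once and exc.valid_from <= today <= exc.valid_to


def expiry_report(exceptions, today: date, horizon_days: int = 30) -> dict:
    """Exceptions whose relief has lapsed or lapses within the horizon, for follow-up on the controls."""
    report = {"expired": [], "expiring": []}
    for exc in exceptions:
        if exc.date_approved is None or exc.state is State.REJECTED:
            continue
        if exc.valid_to < today:
            report["expired"].append(exc.number)
        elif exc.valid_to - today <= timedelta(days=horizon_days):
            report["expiring"].append(exc.number)
    return report
```

A scheduled job that runs expiry_report against the open exceptions and routes the "expired" list back to the control owners and the compliance manager closes the gap the page leaves implicit: an exception is temporary only if someone notices when it ends.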