Policy exceptions provide temporary relief for a non-compliant control. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request. The control owner, the compliance manager, and the risk manager may be involved in the policy exception workflow. When a policy exception request exceeds the expiration date by more than 3 days, the approver, the requestor, and the requestor's manager receive a notification that it is expired.

Policy exception workflow

Approved policy exception