Policy exceptions provide temporary relief for a non-compliant control. The policy
exception captures the rationale, comments, and evidence to support the acceptance or rejection of
a policy exception request. The control owner, the compliance manager, and the risk manager may be
involved in the policy exception workflow. When a policy exception request is more than 3 days past
its expiration date, the approver, the requestor, and the requestor's manager receive a
notification that it has expired.
Policy exception workflow
Approved policy exception