Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Request a policy exception

Log in to subscribe to topics and get notified when content changes.

Request a policy exception

Control owners may request a temporary policy exception for controls that are non-compliant. The policy exception request is related to the policy, policy statement, or issue from which it originates. All impacted controls are identified in a related list. After a policy exception is approved, the control owner may ask for an extension using the original policy exception.

Before you begin

Role required: control owner


  1. Navigate to Policy and Compliance > My Policy Exceptions.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Policy Exception Request
    Field Value
    Number Read-only field that is automatically populated with a unique identification number.
    Requester The person requesting the policy exception, usually the control owner.
    Approval group The group that is notified for approval.
    Approver The approver of the request.
    Short description A description for the policy exception request.
    Justification Evidence or rationale for the policy exception.
    State The state of the policy exception within the approval workflow.
    Substate The approval substate of the policy exception within the approval workflow.
    Priority The approval priority of this policy exception
    Watch list Users that will be notified when the request is updated.
    Policy Statement The policy statement associated with this policy exception.
    Policy The policy associated with this policy exception.
    Issue The issue associated with this policy exception.
    Business Impact Analysis
    Risk description The description of the risk as performed by the risk manager during risk assessment.
    Residual likelihood The likelihood of this risk occurring.
    Residual impact The residual impact of this risk.
    Residual score The calculated possibility of this residual risk occurring. This score is calculated after a residual likelihood and residual impact rating have been selected.
    Created The day the policy exception was requested.
    Valid from The day on which the policy exception begins.
    Valid to The day on which the policy exception ends.
    Date approved The day the policy exception was approved.
    Requested Extension Indicates whether an extension has been requested for this policy exception.
    Work Notes Information about how to resolve the issue, or steps already taken to resolve it, if applicable. Work notes are visible to users who are assigned to the issue.
    Additional comments Contains more information, if necessary.
  4. Perform one of the following actions:
    To add impacted controls to the policy exception
    1. Click the Impacted Controls tab.
    2. Click Add or Add All.
    3. Choose the controls to associate to the policy exception.
    To view mitigating controls on the policy exception
    • Click the Mitigating Controls tab.
    To add risks to the policy exception
    • Click the Risks tab.
    Note: This option is available when Governance, Risk, and Compliance is also activated.
    To add approvers to the policy exception
    • Click the Approvers tab
  5. Click Submit.
    An email notification is sent to the approver group.