Policy Exception Management

When the Exception is the Rule

By Beth Strobel

I don’t mean to incite a riot, but I want to address an incendiary topic that’s been on my mind—when to decorate for the holidays. There has been a lot of discussion this year around the appropriate timing to adorn your home for upcoming seasonal celebrations. In my social circles, this debate started back in the dog days of summer as people began setting pumpkins and mums on their front porches, then hanging ghosts and fall wreaths from their doors for Halloween and autumn. I’m not even going to mention that Starbucks started serving its famous Pumpkin Spice Latte on August 27.

Fast forward to November 1—Christmas trees, holiday lights, wreaths and Santa Clauses began appearing and popping up all around town. And, of course, Starbucks started serving its signature holiday drinks (peppermint mochas and chestnut praline lattes to name two) just a couple of days later.

Personally, I’ve always adhered to an unwritten—yet still very strict—holiday decorating timeline: fall décor may be displayed beginning October 1 or later; winter holiday décor may be placed after Thanksgiving. Oh, since I’m talking about putting it up, said winter holiday décor should be removed and stored in plastic tubs within a day or two of New Year’s Day.

Always a Consideration

There are times when I am willing to make allowances to the above policies. For example, Thanksgiving is a little late this year, so I may put up my decorations the week before Thanksgiving. New Year’s Day is a on a Wednesday, so I may not get those decorations down until January 4 or 5. Justifiable reasons to bend the rules.

Each of us has policies, often undocumented, that govern our lives. We also make exceptions to those policies (sometimes consciously, sometimes not). Companies of any size can only scale by adopting policies to govern operations. Policies ensure consistency and set expectations with employees, customers and contractors. However, policies are never perfect, and risk, compliance and security professionals will often find themselves in the position of needing to grant an exception.

I’ve worked in the compliance and risk field for almost 15 years. Every company I’ve worked for and with has had policies; all of them also had and made exceptions to their procedures and guidelines. The way the policies were written, stored and communicated tends to be similar across organizations. However, the way exceptions are managed is less consistent. Depending on the company’s size and maturity, exceptions might be granted during a simple hallway conversation; or in a more formal method, as a multi-level risk analysis and approval workflow using a technology.

Even Exceptions Have Rules

Exceptions usually represent risk, which can mean opportunity or vulnerability. Policy exceptions may enable business growth, but there is also the possibility they could open the door to issues of non-compliance. Generally, it is important in a policy exception management process to make sure the following items are considered and identified:

  1. The exception is linked to the policy from which you are selecting to waiver.
  2. The exception’s justification is clearly described.
  3. The exception is tied to the people responsible for requesting it and approving it.
  4. The exception is assigned an expiration date – the date by which the exception will be mitigated or resolved.
  5. The exception is consistently approved by the appropriate individuals or levels of authority.

Using a technology like Onspring to consistently track exceptions and your rationale for acceptance is critical to ensuring you’re adequately prepared for audits or other compliance checks. Having automated alerts triggered to the right people as dates associated with an exception’s anticipated resolution date will ensure that they don’t live in “exception limbo.” Onspring helps our clients put structure around the exception processes they may have adopted, but are not following consistently.

With all that said, I guess it’s time for me to file an exception request for putting up my holiday decorations next week. I hope it makes it through the necessary approvals. Happy Thanksgiving, everyone!