Policy exception management

Every company I’ve worked for and with has had policies; all of them also had and made exceptions to their procedures and guidelines. The way the policies were written, stored, and communicated tends to be similar across organizations. However, the way exceptions are managed is less consistent. Depending on the company’s size and maturity, exceptions might be granted during a simple hallway conversation; or in a more formal method, as multi-level risk analysis and approval workflow using a technology.

Even Exceptions Have Rules

Exceptions usually represent a risk, which can mean opportunity or vulnerability. Policy exceptions may enable business growth, but there is also the possibility they could open the door to issues of non-compliance. Generally, it is important in a policy exception management process to make sure the following items are considered and identified:

• The exception is linked to the policy from which you are selecting to waiver.
• The exception’s justification is clearly described.
• The exception is tied to the people responsible for requesting it and approving it.
• The exception is assigned an expiration date – the date by which the exception will be mitigated or resolved.
• The exception is consistently approved by the appropriate individuals or levels of authority.

Using technology like Onspring to consistently track exceptions and your rationale for acceptance is critical to ensuring you’re adequately prepared for audits or other compliance checks. Having automated alerts triggered to the right people as dates associated with an exception’s anticipated resolution date will ensure that they don’t live in “exception limbo.” Onspring helps our clients put structure around the exception processes they may have adopted, but are not following consistently.

About the author