When exception IS the rule

Policy exception management

Each of us has policies, often undocumented, that govern our lives. We also make exceptions to those policies (sometimes consciously, sometimes not). Companies of any size can only scale by adopting policies to govern operations. Policies ensure consistency and set expectations with employees, customers, and contractors. However, policies are never perfect, and risk, compliance, and security professionals will often find themselves in the position of needing to grant an exception.

Every company I’ve worked for and with has had policies; all of them also had and made exceptions to their procedures and guidelines. The way the policies were written, stored, and communicated tends to be similar across organizations. However, the way exceptions are managed is less consistent. Depending on the company’s size and maturity, exceptions might be granted during a simple hallway conversation; or in a more formal method, as multi-level risk analysis and approval workflow using a technology.

Even Exceptions Have Rules

Exceptions usually represent a risk, which can mean opportunity or vulnerability. Policy exceptions may enable business growth, but there is also the possibility they could open the door to issues of non-compliance. Generally, it is important in a policy exception management process to make sure the following items are considered and identified:

  • The exception is linked to the policy from which you are selecting to waiver.
  • The exception’s justification is clearly described.
  • The exception is tied to the people responsible for requesting it and approving it.
  • The exception is assigned an expiration date – the date by which the exception will be mitigated or resolved.
  • The exception is consistently approved by the appropriate individuals or levels of authority.

Using technology like Onspring to consistently track exceptions and your rationale for acceptance is critical to ensuring you’re adequately prepared for audits or other compliance checks. Having automated alerts triggered to the right people as dates associated with an exception’s anticipated resolution date will ensure that they don’t live in “exception limbo.” Onspring helps our clients put structure around the exception processes they may have adopted, but are not following consistently.

About the author


Jason Rohlf 
Vice President at Onspring
20 years internal audit & GRC experience