Three strategies for perfecting policy exceptions
A business unit wants to hire a vendor that doesn’t meet policy standards and requests an exception. Approve or deny the exception request? That’s the question facing you.
What’s good for business may come with added risk. In fact, many incidents are the direct result of policy violations. For risk management with business needs in mind, maybe the answer isn’t nay or yea but a more nuanced approach: one that allows for exceptions while also helping to address risk.
Here are three strategies for granting exception requests while mitigating the additional risk:
Attach conditions to the exception request
You’re signing on for additional risk when you grant an exception request. That knowledge should give you carte blanche to attach conditions to the request. For example, you might limit the time period the exception is valid or add disclosure requirements to the vendor contract.
In essence, you’re saying to the business unit that you understand the business imperative behind the exception request, but that you also have a responsibility to protect the organization. The business unit should be more receptive if the conditions are presented in the spirit of what’s best for the organization. Most vendors will be happy to land the contract, and if the attached conditions upset the vendor, the business unit can commiserate about company rules.
Monitor and analyze granted exceptions
You took on more risk in approving the exception, so you shouldn’t treat your exceptions as set-and-forget. Treat them as special cases requiring extra attention because of the added risk. Ongoing monitoring services, along with periodic assessments, are within your purview to use.
Ongoing monitoring services offer independent, unbiased inputs on the status of third parties. RiskRecon and SecurityScorecard are two firms that provide this service. 24/7 monitoring enables you to keep a closer eye on higher-risk vendors like those with exceptions. If an exempted vendor is hit by anything negative in the public domain, a monitoring service will issue an alert, which you can then evaluate against the exception to see if it increases the risk to the organization. If the added risk is unacceptable, you can attach more conditions to the exemption or, if necessary, revoke the exemption.
Regularly review and update company policies
A review of exception requests may well reveal the need to update or write a new policy. A sure indicator is a concentration of requests associated with a specific policy. Having all policies current won’t eliminate exception requests, but it can reduce the number significantly.
As a best practice, you should review policies annually. Michael Rasmussen of GRC 20/20 frequently presents on policy management and sees policies as defining “boundaries of behavior for individuals, processes, relationships and transactions.” Your exempted vendors have some leeway with their boundaries, but having policies defined, updated and articulated provides clarity to users and helps protect the organization.
Managing policy exceptions varies from company to company. For some, it’s a simple matter handled manually on a case-by-case basis. For others, like in the case study for GCI Communications Corp. (GCI), the process for managing exceptions is more complex and demanding. GCI uses a GRC platform that helps process exceptions through multiple approval workflows, provides risk scoring and then presents data to give a holistic view of risks associated with exceptions. Discover how GCI built its security compliance program in this on-demand webinar. Exceptions are discussed at the 34-minute mark.
When you proactively manage exceptions with conditions, monitoring and current policies, exceptions are good for business and deliver the goods for risk management.