What’s good for business may come with added risk; in fact, many incidents are the direct result of policy violations. For risk management that keeps business needs in mind, the answer may not be a flat yea or nay but a more nuanced approach: one that allows for exceptions while still addressing the underlying risk.

A security organization can be a complex structure that lays out frameworks, processes, procedures and policies. During day-to-day operations, however, an organization is likely to run into situations that violate those existing policies and procedures. Risk is unavoidable; the key is to identify the exposure, and that is where a risk exception begins. A risk exception formally recognizes an area in which the organization is not compliant with a law, regulation or internal policy. The affected resources are exposed to malicious activity, to penalties for non-compliance, or to both.


Risk exception is best explained using an example:

Let’s assume that an organization has a policy to remediate all of its exposures within five months from the date of reporting. The organization has recently undergone a security assessment by a third-party auditor, who raised several issues with how data at rest is protected and found that the on-premises datacenter and servers are easily penetrable. The organization has a viable solution to these problems; however, it may not be feasible to fix the exposure within the five-month timeframe. This is where a risk exception comes into play: the deviation from policy is documented, approved and tracked rather than silently ignored.


Implementing Risk Exceptions as a part of a Security Framework:

The organization should take this one step further and implement exception management as a part of its security framework, with proper policies and procedures defined for handling exceptions. This helps the organization handle exceptions consistently and also provides assurance to senior management. In this way, the organization comes to see the security framework as a business enabler rather than a procedural hindrance. To implement this, the Compliance and Risk Management team will need to consider the following:

  • Identify Key Stakeholders – The organization will need to identify the people who will be involved in managing exceptions. Normally the requesting business owner owns the exception, and someone from the Security Team reviews and approves it. The number of stakeholders will differ from organization to organization, based on how the risk management process is designed.


  • Implementing Roles and Responsibilities – Once the organization has identified the stakeholders, it needs to create a roles and responsibilities chart that clearly defines the communication process. This is a formal way to communicate each stakeholder’s accountability and responsibility.


  • Associating Timelines with every Exception – Exceptions are deviations from a process or policy. They are granted so that the business is not held back and security and the business can function together. Every exception should therefore carry a defined deadline so that it can be tracked and reviewed, rather than becoming permanent by default.


  • Extending Exceptions on an as-needed basis – Although working with the business is good, the organization needs to ensure that someone on the business side takes responsibility for any extension. The Risk Management/Compliance team should explain the pros and cons of extending an exception. The key stakeholders need to understand that, in the event of a system compromise resulting from an extended exception, they will be held accountable and will need to explain the decision to a higher authority.


  • Accepting Irresolvable Exceptions – Some exceptions cannot be resolved within any reasonable timeline. Replacing an existing solution requires approved budget, and the business may not be willing to invest a large amount in something it does not deem necessary or beneficial. A legacy payroll application hosted on a mainframe is a typical example: completely replacing it is a tedious task that comes with a huge cost for migrating from older technology to newer, so the organization may instead formally accept and document the residual risk.

  • Developing Supporting Policies and Procedures – If the organization wants to enforce exception management as a part of Risk Management, it needs to develop supporting policies and procedures that formally document how exceptions are to be handled in each scenario. Once proper documentation is in place, the organization can integrate it into the existing Security Framework.