Would it be possible to relate exemptions to business units? This would allow creating a workflow in which the business unit owner has to approve the exemption. Whilst the CISO role has the ability to advise on the risks, it is ultimately the business unit owner's risk, and they have the ability to approve or decline exemptions.
This would be the same for Compliance Exemptions.