Question - Difference between Risk Exception and Policy Exception

I have a query about the interpretation and usage of Risk Exception and Policy Exception since they may mean the same thing in certain cases.
How are you using them? Are you using both or do you prefer using only one of them to manage exceptions?


risk exception

  • links to risks only!
  • used when the solution of a risk does not involve a control (typically we can call this mitigation). So if you have a risk that no-one wants to do anything about, you typically use a risk exception.

policy exception

  • links to policies alone!
  • used to document that someone needs to breach a policy, standard or process, for whatever reason. If a developer needs access to a production database and that is not allowed by your policies, that can be recorded as an exception.

Exceptions can use notifications as reminders, filters to let you know when they expire, etc., so of course you need to use those features of the module to properly keep track of them.

I hope this helps.

That is a very clear explanation. Thank you Esteban!

Finally I did something useful today!