Three Strategies for Addressing Operational Risk and Perfecting Policy Exceptions

Mike Ogden

During the COVID-19 pandemic, organizations are assessing current suppliers for resiliency. The pandemic has disrupted so many supply chains that companies are under pressure to speed up the vetting and approval process for vendors. To work with a new vendor, business units might ask Compliance for a policy exception, which is a method for maintaining the policy but allowing an individual or entity to circumvent one or more restrictions.  

For example, a business unit needs to shift from an Asian supplier to one closer in the US, but the US vendor doesn’t meet a policy requirement. As a result, the business unit requests an exception.  

Approve or deny the exception request? That's the question facing you, and it's an increasingly common one during the COVID-19 pandemic, with global supply chains disrupted.

What's good for business may come with added operational risk. In fact, many incidents are the direct result of policy violations. For risk management that keeps business needs in mind, maybe the answer isn't a flat nay or yea but a more nuanced approach: one that allows for exceptions while also addressing the risk they introduce.

Here are three strategies for granting exception requests while mitigating the additional operational risk: 

1. Attach conditions to the exception request

Compliance is signing on for additional risk whenever granting an exception request. That knowledge should give you carte blanche to attach conditions to the request. For example, you might limit the time period the exception is valid or add disclosure requirements to the vendor contract. 

In essence, you're saying to the business unit that you understand the business imperative behind the exception request, but that you also have a responsibility to protect the organization. The business unit should be more receptive if the conditions are set in the spirit of what's best for the organization. Most vendors will be happy to land the contract, and if the attached conditions upset the vendor, the business unit can commiserate about company rules.

2. Monitor exceptions to manage operational risk 

You took on more risk in approving the exception, so you shouldn't treat your exceptions as set-it-and-forget-it. Treat them as special cases requiring extra attention because of the added operational risk. Ongoing monitoring services, along with periodic assessments, are tools within your purview.

Ongoing monitoring services offer independent, unbiased inputs on the status of third parties. RiskRecon and SecurityScorecard are two firms that provide this service. Round-the-clock monitoring enables you to keep a closer eye on higher-risk vendors, such as those operating under exceptions. If an exempted vendor is hit by anything negative in the public domain, a monitoring service will issue an alert, which you can then evaluate against the exception to see whether it increases the operational risk to the organization. If the added risk is unacceptable, you can attach more conditions to the exemption or, if necessary, revoke it.


3. Regularly review and update company policies 

A review of exception requests may well uncover the need to update or write a new policy. A sure indicator is a concentration of requests associated with a specific policy. Having all policies current won’t eliminate exception requests, but it can reduce the number significantly. 

As a best practice, you should review policies annually. Michael Rasmussen of GRC 20/20 frequently presents on policy management and sees policies as defining "boundaries of behavior for individuals, processes, relationships and transactions." Your exempted vendors have some leeway within their boundaries, but having policies defined, updated and articulated provides clarity to users, helps manage operational risk, and protects the organization.

Managing policy exceptions varies from company to company. For some, it’s a simple matter handled manually on a case-by-case basis. For others, like GCI Communications Corp. (GCI), the process for managing exceptions is more complex and demanding. GCI uses a GRC platform that helps process exceptions through multiple approval workflows, provides risk scoring and then presents data to give a holistic view of risks associated with exceptions.  

When you proactively manage exceptions with conditions, monitoring and current policies, exceptions are good for business and deliver the goods for risk management. 

