Exception management is a critical business tool that is often overlooked or not leveraged in the right way. When used properly, it gives organisations the ability to adapt to risks, take a more flexible approach, and reduce resource overheads and costs, all while remaining aligned with their internal risk appetite.
So how does exception management provide all these benefits, and how do you implement it in the easiest and most efficient way?
Firstly, Why Do We Need Exceptions?
In an ideal world, we implement controls, whether governance, technical, or physical, secure our organisations, everyone complies, and we feel confident we are in a good place.
But every person, business unit, and location is different. When it comes to risk management, a one-size-fits-all approach never works.
When implementing controls, we want them to be as strong as possible while still allowing the business to operate effectively. Striking that balance between security and usability is always challenging. Go too heavy and you disrupt operations, frustrate staff, and impact productivity. Go too light and you expose the organisation to unnecessary risk.
Most organisations aim for a middle ground, trying to satisfy everyone, but this usually results in a diluted control that’s too weak for most and too strict for some.
The ideal approach is to make your controls as strong as possible for the majority of the business, then apply exceptions only where truly needed.
Policies Are Meant to Be Flexible
Yes. You heard me correctly. Just hear me out 😆
Policies, especially cybersecurity policies, exist to address business risk. They define a set of standards, controls, and best practices that, if followed, reduce identified risks to acceptable levels.
Ideally, we want the business to be compliant with every part of each policy, ensuring consistent risk reduction. However, most organisations end up creating one of two types of policies:
- Aspirational policies – written with the hope that one day the organisation will comply. These tend to be unmeasurable, unrealistic, and disconnected from daily operations.
- Weak policies – deliberately watered down because leadership knows certain teams or systems can’t comply. By resorting to the lowest common denominator, the business can ensure all areas will comply.
The better approach is to develop a strong, realistic policy that the large majority of the business can meet. Then, use exception management to handle the areas that can’t comply, while still managing and mitigating the associated risk. This keeps your policies strong and your governance honest.
So What’s Involved in Exception Management?
Start with a Valid Business Need
Every exception must be linked to a legitimate business requirement. For example, a team might not be able to comply with a specific control because doing so would disrupt critical operations, or because implementing the control is temporarily cost-prohibitive.
Exceptions should never be granted because someone “just doesn’t want to do it.” They exist to enable the business to function safely and effectively, not to bypass accountability.
Identify the Additional Risk
When an exception is approved, it’s important to understand what additional risk the organisation is accepting. After all, controls are there to reduce risk, and an exception is technically a bypass of a control. What could go wrong as a result? How likely is it? What would the impact be?
This step ensures that decisions are made consciously, and the level of residual risk is clearly understood by stakeholders.
Introduce Compensating Controls
To reduce identified risk to an acceptable level, compensating controls are used. A compensating control is an alternate safeguard that provides equivalent or near-equivalent protection.
For example, if a legacy application can’t support multi-factor authentication, password length and complexity could be increased, and access could be restricted to a specific network segment and closely monitored for anomalies.
The key is to ensure that the compensating control meaningfully addresses the same risk the original control was designed to mitigate. And if it doesn’t fully match the original control, is the remaining level of risk acceptable to the business?
Make Exceptions Time-Bound
Exceptions should always be temporary. Each one introduces risk, so it must have a defined timeframe and review schedule.
Regular reviews help determine whether:
- The exception is still needed.
- The risk profile has changed.
- The compensating controls remain effective.
Many organisations fail here. They create an exception, approve it, and then forget about it. Over time, these “temporary” exceptions quietly become permanent gaps in security. A structured lifecycle with expiry dates and review notifications prevents that from happening.
Turn Data into Insight
When managed properly, exception management provides valuable business intelligence. Over time, patterns begin to emerge:
- Frequent exceptions for the same control may indicate it’s too stringent or misaligned with operations.
- Repeated exceptions from the same business unit may highlight unique needs, or perhaps a culture of resistance.
- Numerous cost-related exceptions could signal where investment is needed.
This insight allows organisations to refine their controls, policies, and priorities based on evidence rather than assumptions.
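One way to put the lifecycle rules (expiry, review cadence) and the pattern analysis above into a check over an exception register, as an added example that is not part of the original post or of any product it mentions; the register entries, the 90-day review cadence and the AS_OF reporting date are constructed assumptions:

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumed review cadence, not from the post
AS_OF = date(2025, 6, 1)               # constructed reporting date


@dataclass(frozen=True)
class PolicyException:
    ident: str
    control: str            # control being bypassed
    business_unit: str
    reason: str             # "operational", "cost", "legacy", ...
    compensating: tuple     # compensating controls in place (may be empty)
    expires: date
    last_review: date


def needs_attention(register, today):
    """Expired exceptions, and live ones whose periodic review is overdue."""
    expired = [e.ident for e in register if e.expires <= today]
    review_due = [e.ident for e in register
                  if e.expires > today and today - e.last_review >= REVIEW_INTERVAL]
    return expired, review_due


def uncompensated(register):
    """Exceptions accepted with no compensating control at all."""
    return [e.ident for e in register if not e.compensating]


def insight(register):
    """Patterns: exceptions per control, per business unit, and cost-driven count."""
    return {
        "by_control": Counter(e.control for e in register),
        "by_unit": Counter(e.business_unit for e in register),
        "cost_related": sum(1 for e in register if e.reason == "cost"),
    }


# Constructed sample register (not real data).
REGISTER = [
    PolicyException("EX-001", "AM-01 anti-malware", "Pentest", "operational",
                    ("network isolation", "monitoring"), date(2025, 7, 10), date(2025, 5, 15)),
    PolicyException("EX-002", "IAM-03 MFA", "Finance", "legacy",
                    ("longer passwords", "segmented network"), date(2025, 5, 1), date(2025, 2, 1)),
    PolicyException("EX-003", "IAM-03 MFA", "Operations", "cost",
                    (), date(2025, 12, 31), date(2025, 1, 20)),
    PolicyException("EX-004", "IAM-03 MFA", "Operations", "cost",
                    ("monitoring",), date(2025, 9, 1), date(2025, 3, 1)),
    PolicyException("EX-005", "PM-02 patching", "Finance", "operational",
                    ("virtual patching",), date(2025, 11, 1), date(2025, 5, 1)),
]
```

Run against the sample register as of 2025-06-01, it reports EX-002 as expired, EX-003 and EX-004 as overdue for review, EX-003 as having no compensating control, and three exceptions against the same MFA control.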
A Real-World Example
Having led penetration testing teams for the last 10 years, I can tell you that penetration testers have unique operational needs. Working with exploit code means anti-malware software will constantly flag and delete tools. To do their job, penetration testers require exceptions, but only within controlled environments.
If the entire organisation’s anti-malware policy was developed and implemented based on the needs of penetration testers, it would be a disaster. Instead, we apply much-needed controls across the business, manage exceptions for those specific systems, apply compensating controls (like system and network isolation and monitoring), and ensure the risk remains contained.
That’s the essence of good exception management. Flexibility without compromise.
Final Thoughts
Exception management isn’t about avoiding compliance; it’s about managing risk intelligently. It allows organisations to remain secure, adaptable, and cost-effective while acknowledging that not every rule fits every scenario.
When done well, it demonstrates maturity, transparency, and accountability, qualities every regulator, auditor, and executive values.
As a side note, because we see exception management as a critical business tool, we’ve recently implemented Exception Management within MRP, our eGRC platform, to make this process easier and more effective. The new module helps organisations manage the full exception lifecycle, from creation and approval through to expiry and review, while providing powerful business intelligence to identify recurring issues, trends, and opportunities for improvement.
If you’d like to see how structured exception management can simplify compliance and strengthen your governance processes, reach out to our team for a demo or contact us at hello@morrisec.com.au.