We try to make exceptions most difficult. We have a tool we use which is built on OpenPages. The tool is controlled and managed by our Business Controls group. (A small team of Risk Analysts with the authority to evaluate and enter these risks.) The requestor will have to identify a Director Level person to be the business focal.
We also have a list of approved suppliers and sub-processors. Should a group or team need a product from a supplier who is not on the list, they must open a Risk in the tool. Our tool only recognizes two kinds of Risk: Exceptions, which will not be fixed, and Deviations, which will be fixed. For suppliers and sub-processors, exceptions are not allowed. Your Risk must be a deviation.
Lately, we have excluded SolarWinds for several reasons. The business has given the teams until the end of the year to replace all components. In the meantime, these teams need to continue to run this tool until a suitable replacement can be found. The deviation is then in place to manage the Risk until the problem is solved. No exceptions.
Hope this makes sense.
_Mark
Original Message:
Sent: 11-01-2021 08:02 AM
From: Anonymous Member
Subject: Filing an exception
This message was posted by a user wishing to remain anonymous
What process does your program use when a business owner wants to seek an exception to due diligence? In particular, what types of forms do you use and who reviews the exception after it's been filed?