I just wanted to know how everybody else handles risk acceptance and exceptions to policy.
To avoid making risk decisions in isolation, it is recommended that organizations establish a formalized policy and process for risk acceptance at an enterprise-wide level. Such policies typically involve a matrix or other set of guidelines that outline the necessary level of approval based on various risk levels and factors. To ensure accountability and consistency, it is important to document the risk acceptance process and periodically revisit it.
Let's say that your company's senior management has accepted a risk associated with a critical vendor's contract. This could be due to a security control that needs to be addressed but would take a year to remediate. If the vendor is unable to fix the issue within the given timeframe, your senior management may decide to pursue a different vendor rather than continue accepting the risk.
Formalized risk acceptance processes are beneficial in providing the appropriate information to the right level of management so that they can consider the risk appetite, make informed decisions, and be accountable for them. Formalized risk acceptance processes can also prevent improper risk-taking by unauthorized persons or without relevant data.
Risk and policy exceptions should also be formalized at the organizational level for the same reasons.
Whether you need management to accept a risk or make an exception to policy, it should always be documented, tracked, and revisited at regular intervals. Risk acceptances and exceptions are almost always reviewed by auditors and examiners.
I hope that is helpful, but I would love to hear what other members might recommend.