Amid the coronavirus pandemic, organizations have deviated from their standard operations to maintain some sense of business as usual – working from home, for example, rather than on site. Such shifts can expose an organization to new risks, and even elevate existing ones.

The pandemic may have changed the operating models of some businesses, but not the responsibilities of executive leadership, who are still expected to manage risks and meet corporate obligations. Leadership teams are still accountable for the decisions they make today and their potential impact on the future of the organization, making risk management programs more important than ever.

How is your organization keeping track of decisions? Do you have processes and systems in place to provide a holistic view of the underlying risks to your organization? How are you managing risk exceptions and mitigating underlying risks today? When exceptions and deviations aren’t tracked, when their severity is not evaluated, when the appropriate compensating controls are not in place, decisions can pose great risks to the organization.

The concept of risk exception management is not new; it is a vital component of any risk management program. A risk exception management program enables users to request exception or exemption to comply with corporate policy, or deviate from standard practice for a stipulated period of time.

A typical risk exception management process consists of several steps:

• Create a risk exception request.
• Assess the severity of potential impact of allowing the exception.
• Identify compensating controls to mitigate the risk and determine the period of the exception to comply with corporate policy or to deviate from standard practice.
• Accept or deny the exception request. Track and monitor all approved risk exceptions.
• Extend or mitigate expired risk exceptions. Monitor the risk mitigation status of all rejected or expired risk exceptions.

Risk exception management provides a great deal of flexibility for users who are unable to comply with a corporate policy or standard practice or mitigate risk due to technical constraints or circumstances beyond their control. For instance, the application owners who aren’t able to comply with password policy requirements may request exception due to technology constraints in a legacy application or till the budgets allocated to make necessary enhancements to a legacy application.  

At the same time, programs enable organizations to keep track of risks and ensure appropriate compensating controls are in place to guard the backdoors that were left open due to the risk exception.

Common pitfalls: The importance of understanding your program

It’s common for organizations to struggle with risk exception management programs, but it doesn’t have to be. Most challenges to implementation stem from a lack of familiarity with the processes:

• Scope and coverage
  The most common misconception about risk exception management is that it is only applicable to information and cybersecurity risks. This limited scope results in many organizations having limited coverage, much less than their risk management systems may be capable of handling risk level exceptions.
  
  
• Prioritization
  Exception requests are not always assessed to understand the severity of exception, making it difficult to prioritize requests in the context of an organization’s desired risk.
  
  
• Monitoring compensating controls
  Failure to define metrics or build the appropriate support mechanisms to monitor effectiveness of the compensating controls...for a timely action.
  
  
• Multiple extensions
  Enabling multiple extensions without addressing the root cause may lessen the significance of the program,  downsizing it to a procedural exercise.     
  
  
• Ensuring risks are mitigated
  Organizations are generally good at capturing risk exceptions, but sometimes fail to follow through to ensure remediation plans are in place to mitigate the underlying risk after the exception has expired or been denied.  

Key elements of an effective risk exception management program

A good risk exception management program should:

• Be an integrated, unified, standardized process capable of managing exceptions to any specified standard, from end to end.
• Go beyond information and cybersecurity to cover any risk the organization might face
  
• Provide a holistic view of exposure to risks due to risk exceptions. It should allow leaders to engage data and metrics, and provide them details of the most critical or most requested areas, so they can track, monitor, and report on risk exceptions, and take appropriate action.
  

Challenges in managing risk exceptions

Risk exception management may seem straightforward, but many organizations that are slow to go digital, standardize, train, and govern also struggle with the following common challenges:

• Manual processes
  Spreadsheets and emails are used to review, approve, maintain, and manage risk exceptions. Manual processes such as these are time consuming and result in an increased cost of processing and maintenance and also increase the chance of human errors.

• Lack of standardization
  Multiple versions of risk exception processes across the organization – when programs vary from silo to silo, there’s no single source of truth, and consolidating data to provide a holistic view at the enterprise level requires a heavy lift.

• Lack of awareness
  Users aren’t trained in risk exception processes, resulting in lapses in reporting, tracking and follow-ups on exceptions.
  
  
• Poor governance
  There’s no clear responsibility, authority, or accountability.

Seven steps to build an effective risk exception management program

Step 1: Evaluate the maturity of the program
Understanding the maturity of the current program is the key to developing and implementing an effective risk exception management program.

Step 2: Define a framework
Establish a cross-walk between risk exception, risk, policies, and controls, with an ability to fully engage data to mitigate and manage risks.

Step 3: Define a governance structure
An ideal governance model should include a clearly laid-out RACI matrix, including process and procedures for reporting willful violations.

Step 4: Define metrics
Define risk exception metrics to track, monitor, and predict potential impacts on risk posture and be proactive in mitigating risks.

Step 5: Automate processes
Automate the risk exception management process, including checks and balances, to eliminate silos, standardize programs throughout the organizations, and establish a single source of truth.

Step 6: Create awareness
Create roll-out awareness sessions to educate users on the process for requesting exceptions, their roles and responsibilities in managing risk exceptions. Conduct awareness sessions via WebEx based, e-modules, and class room based trainings. Also, roll-out campaigns to review and report metrics on level of awareness via quick polls, surveys, contests, and quizzes as part of awareness initiative.

Step 7: Track and monitor metrics
Keep thorough accounting of metrics and take timely actions on expired risk exceptions.

As stated above, untracked risk exceptions may result in the underlying risks being left open when things return to normal, posing greater risks to the organization. Managing risk exceptions is therefore key to managing risks, especially during unprecedented times.

How can we help?

With deep roots in technology and domain expertise, Wipro is uniquely positioned to help organizations implement risk and compliance programs successfully.

We provide end-to-end services – from developing governance, risk, and compliance (GRC) strategies, selecting the right tools to implementing programs, and work closely with executive and stakeholders to design, configure, onboard, and maintain solutions for managing various risk and compliance programs.

We have developed pre-defined frameworks, toolkits that can help you to understand the maturity of your current risk exception management program, address gaps, and jumpstart automation with plug-and-play solutions.

To learn more about how Wipro enables enterprises to better manage risk exceptions, click here.

Sesh Vaidyula
Sesh heads the Americas region of Wipro’s risk compliance and assurance practice. He is a seasoned professional with 20+ years of experience advising companies on cybersecurity, risk, compliance, and audit matters.

Sesh is a subject matter specialist in GRC with a multi-domain exposure to the areas of enterprise/operational risk, cybersecurity, third-party risk, internal audit, systems audit, fraud investigations, business cycle and ITGC reviews, and compliance, especially with respect to Sarbanes-Oxley, HIPAA, CCPA and the like.

Email: seshagiri.vaidyula@wipro.com