Exception Template
Use this template to document approved deviations from a control's expected governance tier. Exceptions should be time-boxed, reviewed, and retained as part of the examination-ready record set.
FSI language rules
This framework is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. Exceptions do not remove the underlying regulatory obligation; organizations should verify that compensating controls remain sufficient for their specific obligations. See the full disclaimer.
Exception summary
| Field | Value |
|---|---|
| Exception ID | EX-YYYY-NNN |
| Control ID | e.g. 2.1 |
| Control name | … |
| Tier deviated from | Baseline / Recommended / Regulated |
| Requested by | name / role |
| Requested on | YYYY-MM-DD |
| Approved by | name / role |
| Approved on | YYYY-MM-DD |
| Expiry date | YYYY-MM-DD |
| Review cadence | quarterly / semi-annual |
Business justification
Describe the business need. Note any affected Copilot surface (Chat, Pages, Agents, Teams, Viva, etc.) and user population. Avoid prohibited language — the exception helps meet business needs; it does not "guarantee" an outcome.
Risk assessment
| Dimension | Assessment |
|---|---|
| Regulatory exposure | e.g. supports compliance with SEC Rule 17a-4 — residual risk to records retention requires compensating archive |
| Data sensitivity impacted | e.g. Highly Confidential; Client PII |
| Residual risk rating | Low / Medium / High |
| Likelihood of occurrence | Low / Medium / High |
| Impact if realised | Low / Medium / High |
Compensating controls
- Describe the compensating control(s) that help address the residual risk.
- Name the owner and verification cadence for each compensating control.
- Evidence trail — where proof of operation is stored.
Monitoring plan
- Metric(s) reviewed: …
- Frequency: …
- Trigger for early remediation: …
- Reviewer: …
Sunset plan
| Milestone | Target date | Owner |
|---|---|---|
| Interim review | YYYY-MM-DD | … |
| Remediation complete | YYYY-MM-DD | … |
| Exception closed | YYYY-MM-DD | … |
Approval trail
| Date | Actor | Action | Notes |
|---|---|---|---|
| YYYY-MM-DD | Risk committee | Approved / Renewed / Closed | … |
This template helps maintain a record of exceptions. Organizations are advised to review exception registers during internal audit cycles and at each regulatory examination to verify that compensating controls remain effective.