# Policy Exception Governance Pack

> **Intro:** Exceptions are not evidence of failure. Uncontrolled exceptions are. This page explains how to make temporary risk acceptance visible, reviewable, and short-lived.

## The rule

Every exception should have:

* an owner
* a reason
* a scope
* an expiry date
* a compensating control if needed
* a reviewer

## Exception fields

| Field                 | Why it matters                                      |
| --------------------- | --------------------------------------------------- |
| exception_id          | lets you track and discuss a specific risk decision |
| control               | shows what standard or rule is being bypassed       |
| asset / service       | makes scope explicit                                |
| owner                 | creates accountability                              |
| justification         | explains why the exception exists                   |
| expiry                | prevents silent permanence                          |
| compensating controls | shows what reduces risk in the meantime             |
| approver              | documents decision authority                        |

## Good reasons for exceptions

* platform dependency not yet ready
* vendor constraint
* migration in progress with committed retirement date
* release-critical business event with defined fallback controls

## Weak reasons

* “it breaks the app”
* “we did not have time”
* “the scanner is annoying”
* “the team said it is fine”

## Governance rhythm

* weekly review for new critical exceptions
* monthly review for aging exceptions
* quarterly review for exception volume and repeat classes

## Metrics

* total open exceptions
* exceptions older than policy
* average exception age
* exceptions by business-criticality
* repeat exceptions by control
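As an added example (not part of the original pack), the script below treats the exception fields table as a record schema and computes the metrics listed above over a handful of constructed records. Everything in it is an assumption made for illustration: the record shape, the `opened`, `closed` and `criticality` fields (needed to compute ages and the criticality breakdown), the 90-day policy limit, and the sample identifiers, controls and assets. It also flags the two conditions the pack warns about: records missing a required field, and exceptions that are past expiry but still open.

```python
from collections import Counter
from datetime import date

# Required fields, mirroring the page's table. compensating_controls is optional
# ("if needed"); opened/closed/criticality are assumed extra fields needed for
# the metrics (exception age and breakdown by business criticality).
REQUIRED_FIELDS = ("exception_id", "control", "asset", "owner",
                   "justification", "expiry", "approver", "opened")

# Assumed policy parameter: an open exception older than this is "older than policy".
MAX_EXCEPTION_AGE_DAYS = 90

# Constructed sample records; identifiers, controls, assets and teams are made up.
SAMPLE_EXCEPTIONS = [
    {"exception_id": "EXC-001", "control": "TLS-MIN-VERSION", "asset": "billing-api",
     "owner": "payments-team", "justification": "vendor gateway lacks TLS 1.2 until Q2 upgrade",
     "opened": "2024-01-10", "expiry": "2024-04-10",
     "compensating_controls": ["source IP allow-list"], "approver": "security-lead",
     "criticality": "high"},
    {"exception_id": "EXC-002", "control": "TLS-MIN-VERSION", "asset": "legacy-portal",
     "owner": "platform-team", "justification": "migration to new portal in progress",
     "opened": "2023-11-01", "expiry": "2024-02-01",
     "approver": "security-lead", "criticality": "medium"},
    {"exception_id": "EXC-003", "control": "SAST-BLOCK-HIGH", "asset": "reporting-job",
     "owner": "data-team", "justification": "false positive pending rule fix",
     "opened": "2024-02-15", "expiry": "2024-03-15", "closed": "2024-02-28",
     "approver": "appsec-oncall", "criticality": "low"},
    {"exception_id": "EXC-004", "control": "MFA-ADMIN-CONSOLE", "asset": "ops-console",
     "justification": "SSO integration not yet ready",  # no owner: invalid record
     "opened": "2024-02-20", "expiry": "2024-05-20",
     "approver": "security-lead", "criticality": "medium"},
]


def missing_fields(record):
    """Return the names of required fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def is_open(record):
    """An exception stays open until someone records a closed date."""
    return "closed" not in record


def age_days(record, today):
    """Days since the exception was opened."""
    return (today - date.fromisoformat(record["opened"])).days


def is_past_expiry(record, today):
    """True when the expiry date has passed."""
    return date.fromisoformat(record["expiry"]) < today


def compute_metrics(records, today, max_age_days=MAX_EXCEPTION_AGE_DAYS):
    """Validate records, then compute the page's metrics over the valid ones.

    `today` may be a date or an ISO-8601 string. Invalid records are reported
    separately rather than silently counted.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    problems = {r.get("exception_id", "<no id>"): missing_fields(r) for r in records}
    invalid = {eid: missing for eid, missing in problems.items() if missing}
    valid = [r for r in records if not problems[r.get("exception_id", "<no id>")]]
    open_recs = [r for r in valid if is_open(r)]
    ages = [age_days(r, today) for r in open_recs]

    # Repeats count closed exceptions too: a control that keeps needing
    # exceptions is a signal regardless of whether each one was retired.
    control_counts = Counter(r["control"] for r in valid)
    return {
        "total_open": len(open_recs),
        "older_than_policy": sum(1 for a in ages if a > max_age_days),
        "average_age_days": round(sum(ages) / len(ages), 1) if ages else 0.0,
        "by_criticality": dict(Counter(r.get("criticality", "unknown") for r in open_recs)),
        "repeat_by_control": {c: n for c, n in control_counts.items() if n > 1},
        "past_expiry_still_open": [r["exception_id"] for r in open_recs
                                   if is_past_expiry(r, today)],
        "invalid_records": invalid,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compute_metrics(SAMPLE_EXCEPTIONS, "2024-03-01"), indent=2))
```

Run it as-is and the report shows two open exceptions, one of them (EXC-002) both older than the 90-day limit and past its expiry date without being closed, which is exactly the silent permanence the expiry field is meant to prevent. The same control appearing twice surfaces as a repeat, and EXC-004 is excluded from the counts and listed as invalid because it has no owner. Feeding the same function the exception register on the weekly and monthly review cadence gives the reviewer the numbers from the Metrics list without hand-counting.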

## Cross-links

* [📈 Product Security Director Metrics](/metrics-audit-risk-evidence-and-compliance/index/product-security-director-metrics.md)
* [📊 Product Security Maturity, Scale, and Business Translation](/metrics-audit-risk-evidence-and-compliance/index/product-security-maturity-metrics-and-business-translation.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.product-security.expert/metrics-audit-risk-evidence-and-compliance/index/policy-exception-governance-pack.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
