# Risk Acceptance and Exception Governance — Operating Model > **Intro:** Exceptions are not an administrative afterthought. They are one of the clearest ways a Product Security program shows whether it can turn risk into **visible, owned, time-bound decisions**. ![Risk Exception Governance Flow](/files/4qoq0DwwOMPy5uK4cuId) ## What this page focuses on This page is the **operating layer** of exception governance: * who can approve what; * what evidence must exist before approval; * when renewals are allowed; * how exception data becomes leadership signal instead of ticket noise. For the shorter conceptual explanation, start with [Risk Acceptance, Exceptions, and Decision Records](/strategy-governance-and-leadership/index/risk-acceptance-exceptions-and-decision-records.md). ## Exception categories worth distinguishing | Category | Example | Why category matters | | -------------------------------- | -------------------------------------------------------------- | ----------------------------------------------------------- | | control not yet implemented | a service cannot meet a new baseline before a deadline | may indicate roadmap or platform sequencing issue | | temporary operational workaround | manual approval replaces automated gate during migration | should have short expiry and compensating telemetry | | legacy-system constraint | older component cannot support the required control yet | needs explicit modernization or retirement plan | | business-accepted residual risk | leadership chooses to ship with known exposure | requires clear business ownership and time-bound acceptance | | emergency exception | incident response or urgent restoration bypasses normal policy | must be backfilled with review and closure actions | ## Minimum approval package A request should not be approved without: * system name and criticality; * business owner and technical owner; * control or policy requirement being missed; * plain-language risk statement; * why the standard cannot be met now; * compensating controls already in place; * expiry date and review date; * closure plan or milestone; * proposed approver. ## Approval matrix pattern | Risk shape | Typical approver | Notes | | ------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------------- | | low blast radius, short-lived, strong compensating controls | engineering manager or delegated control owner | still requires registration and expiry | | medium blast radius or cross-team impact | Product Security manager / platform owner + business owner | co-approval reduces silent risk transfer | | high blast radius, internet exposure, sensitive data, or repeated renewal | director / designated risk board | should include explicit leadership decision record | | emergency operational bypass | incident authority + follow-up approver | must be reviewed after stabilization | ## Renewal rules that prevent decay Renewals should require new evidence, not only a new date. Require the requester to show: * why the blocker still exists; * what changed since the previous approval; * whether compensating controls improved; * whether the standard or golden path needs adjustment instead. Escalate when: * the same service requests the same exception repeatedly; * many services need the same exception; * the exception is becoming part of normal delivery. ## Compensating controls that justify short exceptions better than others High-value examples: * narrower scope or smaller rollout blast radius; * additional logging and alerting on the exposed path; * manual approval or four-eyes review on the risky action; * temporary disablement of the most sensitive capability; * stronger monitoring on the identity or environment involved. Weak examples: * “the team will be careful”; * “production is internal only” without proving trust boundaries; * “we will fix it next quarter” with no tracked milestone. ## Exception board operating rhythm | Cadence | Focus | | ------------------- | ---------------------------------------------------------------- | | Weekly or bi-weekly | urgent approvals, expiring exceptions, stuck renewals | | Monthly | concentration, repeated categories, overdue closures | | Quarterly | policy updates, platform investments, retirement of bad patterns | ## What leadership should see every month At minimum, report: * total active exceptions; * exceptions expiring in the next 30 / 60 / 90 days; * oldest active exceptions; * repeated exception categories; * teams or services holding the most residual risk; * renewals approved vs closed exceptions. ## Good exception hygiene signals You are probably doing this well when: * the number of renewals is lower than the number of closures for the same category over time; * recurring exception themes lead to new platform defaults or standards updates; * teams know the approval path and required evidence before the deadline panic starts; * leadership can name the top residual risks without reading raw tickets. ## Best cross-links * [Risk Acceptance, Exceptions, and Decision Records](/strategy-governance-and-leadership/index/risk-acceptance-exceptions-and-decision-records.md) * [Policy Exception Governance Pack](/metrics-audit-risk-evidence-and-compliance/index/policy-exception-governance-pack.md) * [Leadership Metrics Pack for Product Security](/strategy-governance-and-leadership/index/leadership-metrics-pack-for-product-security.md) * [Secure Defaults and Golden Paths for Product and Platform Teams](/architecture-api-crypto-and-identity/index-1/secure-defaults-and-golden-paths-for-product-and-platform-teams.md) ## Suggested reference links * NIST SSDF — * OWASP SAMM — \---*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/strategy-governance-and-leadership/index/risk-acceptance-and-exception-governance-operating-model.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.