Policy Exception approvals not allowed without Control Objective/Policy?

Community Alums

Hello,

I came across the following scenario:

  • Created a policy exception from an issue linked to a control without control objective.
  • The system automatically added an "Impacted Control" which is visible through the related lists.
  • I was able to proceed all the way to the approval stage without having the policy / control objective field populated. No warnings, no mandatory fields, no client scripts or business rules prompting me to populate one of these values.
  • Approvals are generated and, when I tried to approve the request, the following message appears, which prevents me from approving the policy exception. The BR responsible for this behavior is Approvals for policy exception - 53598ea85b23001065ea12300a81c74a.

My questions are:

  • Why are policy exceptions allowed to be raised without any policy/control objective and only to be warned about it once approvals are generated?
  • If either Control Objective or Policy is required to approve a policy exception, why are there NO restrictions in place for the Issue field? Otherwise the whole policy exception workflow gets stuck on the approval stage.
  • What about adhoc controls without a control objective (a completely valid scenario) and Policy Exceptions for those? As it stands, we can't request Approval for adhoc controls without control objective because of the OOTB business rule "Approvals for policy exception" preventing it from happening.

@Jan Spurlin @Scott Ferguson @Phil Swann any idea?

Thank you!

2 REPLIES

Community Alums

Raised as an idea in case this ends up being a bug:

Policy Exception approvals should be allowed without Control Objective/Policy

Community Alums

Hey Rafael,

Hope you are good. With some dev, you can make the field not mandatory and it won't affect the process.