
Policy Exception - Mitigating Controls

Guy Hamilton
Tera Contributor

Please can someone explain how the 'Mitigating Controls' related list works when creating a policy exception?

 


suvro
Mega Sage

Hi, you can go through this doc:

https://docs.servicenow.com/en-US/bundle/sandiego-governance-risk-compliance/page/product/grc-privacy-management/task/create-controls.html

Praful3
Tera Contributor

Manage Policy Exception & Extension:

1. Policy exceptions and extensions provide temporary relief for a non-compliant control.

2. The policy exception captures the rationale, comments, and evidence to support the acceptance or rejection of a policy exception request.

Also, an extension to an approved policy exception can be requested before the policy exception validity period. The control owner, the compliance manager, and the risk manager may be involved in the policy exception and extension workflow.

Sean Walters
Tera Expert

Hi Guy, 

I believe in that scenario, when you are reviewing whether you would like to create a policy exception, you would look to consider what the mitigating controls are for this particular policy, and that could affect your decision on creating an exception.

In short, to provide further visibility to the policy and what controls are currently in place for that policy that could be inherited due to your entity type. 

Hope that helps. 

Please mark my answer correct and helpful if this resolves your issue.

jayoola
Tera Contributor

When creating a Policy Exception, if the Source Type is Control Objective, Issue, or Control, you must add the impacted controls in the related list. If a selected control is associated with a Risk, the Risk related list will automatically populate with the corresponding risk. If that Risk has multiple related controls and only some are added as impacted controls, the remaining controls will automatically appear in the Mitigating Controls related list. For example, if a Risk has five associated controls and you add one as an impacted control, the other four will automatically populate under the Mitigating Controls related list.