Define policy exceptions and extensions with the GRC Approval Configurator

  • Release version: Zurich
  • Updated September 29, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Define policy exceptions and extensions with the GRC Approval Configurator

    The GRC Approval Configurator within ServiceNow’s Governance, Risk, and Compliance (GRC) application enables compliance managers to define and manage policy exceptions and extensions through customizable, multi-level approval workflows. A policy exception is a formal, temporary deviation from a policy, while a policy extension prolongs an existing exception requiring reassessment and additional approval.

    Show full answer Show less

    Key Features

    • Customizable Approval Processes: Create approval rules based on conditions like exception type, requester role, or policy domain to ensure appropriate evaluation of each request.
    • Multi-Level Approvals: Design sequential approval workflows involving stakeholders such as compliance managers and subject matter experts (SMEs) for thorough review and accountability.
    • Dynamic Rule-Based Approvals: Use dynamic conditions to route approvals to specific users or groups either automatically from record fields or selected manually, with configurable requirements for one or all approvers at each level.
    • Automated Routing: Exception and extension requests are automatically routed to relevant approvers, reducing manual effort and minimizing delays.
    • Workspace Integration: Approvers can review and act on requests directly within their workspace, maintaining clear audit trails and improving operational efficiency.

    Approval Workflows

    The policy exception approval process includes several states:

    • New: Initial creation triggers verification approvals to validate the request.
    • Analyze: Compliance manager evaluates the request, possibly involving SMEs through a Review state.
    • Review: SME performs technical validation.
    • Awaiting Approval: Final approvals are gathered from designated approvers.
    • Approved: Exception is approved and becomes active.
    • Closed: Exception is closed when no longer needed.

    Policy extension requests follow a similar approval workflow configured via the GRC Approval Configurator, supporting multiple approvers or groups.

    Configuration and Roles

    To configure policy exceptions and extensions, users need appropriate roles:

    • sncompliance.manager: To create and manage approval rules.
    • sngrc.businessuser or sngrc.businessuserlite: To view exception and extension records.

    Configuration steps include enabling the GRC Approval Configurator, defining policy verification rules, exception approval rules, and extension rules. The configurator replaces the default single approver model with flexible multi-approver workflows for extensions, all managed from the Policy and Compliance Properties page.

    If you're a compliance manager, you can define the policy exceptions and extensions for granular, multi-level approval workflows by using the GRC Approval Configurator. The GRC Approval Configurator is a tool within the Governance, Risk, and Compliance application.

    GRC Approval Configurator Overview

    A policy exception is a formal, temporary authorization to deviate from a standard policy or procedure, typically for a defined business reason or in response to an issue. A policy extension is a request to prolong the duration of an existing policy exception, requiring a re-assessment of the situation and potentially another approval. Both processes can be handled by using the GRC Approval Configurator.

    The GRC Approval Configurator enables you to define the approval rules for exceptions and extensions, assign approvals to designated users or groups, and implement multi-level approval flows. Exception and Extension requests are automatically routed based on the configured rules and data within the record, and approvers can directly approve or reject extensions within their workspace.

    Benefits of using the GRC Approval Configurator for policy exceptions and extensions

    The GRC Approval Configurator provides the following benefits for managing policy exceptions and extensions:
    • Customized approval processes: Create customized approval rules that are based on specific conditions such as the exception type, requester role, or policy domain. This process helps to control the approval workflow and verify that each request is evaluated appropriately.
    • Multi-level approvals: Configure a workflow that contains sequential approval levels to enable a thorough review and accountability. The workflow can include various stakeholders, such as compliance managers, subject matter experts (SMEs), and designated approvers.
    • Dynamic rule-based approvals: Set up multi-level approval rules that are based on dynamic conditions. For example, an approval workflow can be sent to users or groups that are selected from fields in the source record, or can be assigned to users or groups that you select manually. You can also configure whether only one approval or all approvals are required at each level.
    • Automated routing: Automate direct exception and extension requests to the relevant approvers based on the configured rules. The automated routing reduces manual effort and minimizes delays.
    • Workspace integration: Enable your approvers to review and act on requests directly within their workspace so that you can help to maintain a clear audit trail and improve operational efficiency.

    Workflow for policy exception approvals

    The policy exception approval process consists of the following states:

    • New: When a policy exception is created, it enters the New state.

      At this stage, the verification approvals are triggered to validate whether the exception request is legitimate. These approvals are created by using the Verification Configuration template.

    • Analyze: After the verification is complete and approved (based on the verification rule), the request moves to the Analyze state.

      In this state, a compliance manager evaluates the request. If additional domain-specific insight is needed, they can either move it to the Review state for further analysis, or request input from an SME.

    • Review: In this state, the request is reviewed in detail by the SME for technical validation.

    • Awaiting Approval: After the SME input is gathered, the request enters the Awaiting Approval state for gathering the final approvals from the designated approvers (based on the final approval configuration rules).

    • Approved: After final approval, the policy exception is marked as Approved and becomes active.

    • Closed: When the exception is no longer required, it's moved to the Closed state.

    Workflow for policy extension approvals

    You can extend approved extensions through a similar approval process. Extension requests are routed by using the same GRC Approval Configurator. You can configure multiple approvers or groups to approve or reject extension requests.

    Roles required for configuring policy exceptions and extensions

    To configure policy exceptions and extensions, you must have the following roles:
    • sn_compliance.manager to create approval rules.
    • sn_grc.business_user or sn_grc.business_user_lite to view exception and extension records.

    Configuring policy exceptions and extensions

    After you have the required roles, you can then configure the policy exceptions and extensions by using the Approval Configurator.

    Enable the GRC Approval Configurator

    Enable the GRC Approval Configurator so that you can manage policy exceptions and extensions with granular, multi-level approval flows.

    Define the policy verification rules

    Configure granular approval rules for policy exception verification rules by using the GRC Approval Configurator.

    Define the policy exception approval rules

    Configure granular approval rules for policy exception approval rules by using the GRC Approval Configurator.

    Define extension rules for policy exceptions

    Enable the GRC Approval Configurator from the Policy and Compliance Properties page to allow multiple approvers for policy extension approvals, replacing the single default approver (Compliance Manager).