Define policy exceptions and extensions with the GRC Approval Configurator

  • Release version: Yokohama
  • Updated September 29, 2025

    If you're a compliance manager, you can define the policy exceptions and extensions for granular, multi-level approval workflows by using the GRC Approval Configurator. The GRC Approval Configurator is a tool within the Governance, Risk, and Compliance application.

    GRC Approval Configurator Overview

    A policy exception is a formal, temporary authorization to deviate from a standard policy or procedure, typically for a defined business reason or in response to an issue. A policy extension is a request to prolong the duration of an existing policy exception, requiring a re-assessment of the situation and potentially another approval. Both processes can be handled by using the GRC Approval Configurator.

    The GRC Approval Configurator enables you to define the approval rules for exceptions and extensions, assign approvals to designated users or groups, and implement multi-level approval flows. Exception and extension requests are automatically routed based on the configured rules and the data within the record, and approvers can approve or reject extensions directly within their workspace.

    Benefits of using the GRC Approval Configurator for policy exceptions and extensions

    The GRC Approval Configurator provides the following benefits for managing policy exceptions and extensions:
    • Customized approval processes: Create customized approval rules that are based on specific conditions such as the exception type, requester role, or policy domain. This process helps to control the approval workflow and verify that each request is evaluated appropriately.
    • Multi-level approvals: Configure a workflow that contains sequential approval levels to enable a thorough review and accountability. The workflow can include various stakeholders, such as compliance managers, subject matter experts (SMEs), and designated approvers.
    • Dynamic rule-based approvals: Set up multi-level approval rules that are based on dynamic conditions. For example, an approval workflow can be sent to users or groups that are selected from fields in the source record, or can be assigned to users or groups that you select manually. You can also configure whether only one approval or all approvals are required at each level.
    • Automated routing: Automatically direct exception and extension requests to the relevant approvers based on the configured rules. The automated routing reduces manual effort and minimizes delays.
    • Workspace integration: Enable your approvers to review and act on requests directly within their workspace, which helps to maintain a clear audit trail and improve operational efficiency.

    Workflow for policy exception approvals

    The policy exception approval process consists of the following states:
    • New: When a policy exception is created, it enters the New state.

      At this stage, the verification approvals are triggered to validate whether the exception request is legitimate. These approvals are created by using the Verification Configuration template.

    • Analyze: After the verification is complete and approved (based on the verification rule), the request moves to the Analyze state.

      In this state, a compliance manager evaluates the request. If additional domain-specific insight is needed, they can either move it to the Review state for further analysis, or request input from an SME.

    • Review: In this state, the request is reviewed in detail by the SME for technical validation.
    • Awaiting Approval: After the SME input is gathered, the request enters the Awaiting Approval state for gathering the final approvals from the designated approvers (based on the final approval configuration rules).

    • Approved: After final approval, the policy exception is marked as Approved and becomes active.

    • Closed: When the exception is no longer required, it's moved to the Closed state.

    Workflow for policy extension approvals

    You can extend approved exceptions through a similar approval process. Extension requests are routed by using the same GRC Approval Configurator. You can configure multiple approvers or groups to approve or reject extension requests.

    Roles required for configuring policy exceptions and extensions

    To configure policy exceptions and extensions, you must have the following roles:
    • sn_compliance.manager to create approval rules.
    • sn_grc.business_user or sn_grc.business_user_lite to view exception and extension records.

    Configuring policy exceptions and extensions

    After you have the required roles, you can then configure the policy exceptions and extensions by using the Approval Configurator.

    Enable the GRC Approval Configurator

    Enable the GRC Approval Configurator so that you can manage policy exceptions and extensions with granular, multi-level approval flows.

    Define the policy verification rules

    Configure granular rules for policy exception verification by using the GRC Approval Configurator.

    Define the policy exception approval rules

    Configure granular rules for policy exception approval by using the GRC Approval Configurator.

    Define extension rules for policy exceptions

    Enable the GRC Approval Configurator from the Policy and Compliance Properties page to allow multiple approvers for policy extension approvals, replacing the single default approver (Compliance Manager).