Create a GRC Exemption
Enter a GRC Exemption to document and gain approval for non compliance with an Audit, Risk, or Policy.
To create an Exemption:
- On the CSM Desktop Client or Browser Client toolbar, select New > New GRC Exemption.
- Select the exemption type and requester.
A tab for the exemption type association will also display in the form arrangement.
- Add details for the current use and reason for the exemption.
- Select an exemption term in months and (optional) a device type.
- Select the assigned team and owner.
The assigned team will drive the options available in the Assigned To drop-down list.
- (Optional) Provide details in the Mitigation field.
- Depending on the exemption type and device type you chose, there may be additional fields to complete (example: GRC Audit, Asset, Device Name).
- Select Save if you need to come back to the form later to submit it.
- When the Exemption form is complete, select the Next: Submitted link under Status.
While in the Submitted phase, the assigned team reviews the request and determines if more information is required.
- When the Exemption is ready for approval, select the Next: Approving link under Status.
An Approvals tab appears in the form arrangement.
- The approver can vote to Approve, Deny, or Abstain, as well as provide comments. Add additional approvers, if necessary. If there are multiple approvers, each will need to provide approval before the Exemption can move to the next step.
The approver for the Exemption is determined by the Exemption Type:
Exemption Type Approver Risk Risk Owner Audit Lead Auditor Policy Business Owner
- Once the Exemption is approved, the status changes to Active.
If the Exemption is approved and the status is not Active, select the green refresh button.
- Close the Exemption when it is no longer applicable.