Module 25: Issue, Finding & Exception Management

CRISC Domain 3 — Risk Response and Reporting | Section A | 10–12 min read
Controls fail.
Governance fails when issues are ignored.

This module focuses on what happens when:

  • Controls don’t operate as intended
  • Audit identifies deficiencies
  • Risk exceeds tolerance
  • Policy cannot be fully complied with

CRISC expects structured tracking, ownership, and escalation.


What the exam is really testing

When issues, findings, or exceptions appear, CRISC is asking:

  • Is the issue documented?
  • Is ownership assigned?
  • Is remediation tracked?
  • Is the exception formally approved?
  • Is escalation triggered when required?
  • Is root cause addressed?

CRISC prefers structured governance response — not informal resolution.


Definitions you must separate


Issue

A problem requiring corrective action.

Examples:

  • Control failure
  • Policy non-compliance
  • Process breakdown

Issues are operational and must be tracked.


Finding

A formal observation — often from audit or assessment.

Examples:

  • Audit finding
  • Regulatory observation
  • Security assessment result

Findings may lead to issues.

Not all issues originate from audit — but findings often trigger issues.


Exception

A formal, approved deviation from policy or control requirements.

Examples:

  • Temporary policy waiver
  • Accepted deviation from standard
  • Compensating control approval

Exceptions must be documented and time-bound.

CRISC frequently tests uncontrolled exceptions.


Issue management lifecycle

Mature issue management includes:

  1. Identification
  2. Documentation
  3. Ownership assignment
  4. Root cause analysis
  5. Remediation plan
  6. Target remediation date
  7. Status tracking
  8. Validation of closure

If closure is not validated, residual risk may remain.


Root cause vs symptom

CRISC expects structural correction.

Example:

Finding: Access review not performed.

Superficial fix: Perform review once.

Root cause fix: Redesign access governance process and accountability.

Recurring findings signal root cause failure.


Exception management discipline

Exceptions must:

  • Be documented
  • Have business owner approval
  • Define compensating controls
  • Be time-limited
  • Be periodically reviewed
  • Be recorded in the risk register

Untracked exceptions = hidden residual risk.


The most common exam mistakes

Candidates assume:

  • Exception equals risk acceptance (not always).
  • Audit owns remediation (it does not).
  • Informal approvals are sufficient.
  • Issues can be closed once remediation begins.
  • Findings are automatically resolved.

CRISC expects formal governance structure.


Example scenario (walk through it)

Scenario:
An audit identifies that privileged access reviews are not consistently performed. Management agrees to fix the issue but does not assign a remediation owner.

What is the PRIMARY governance weakness?

A. High inherent risk
B. Lack of issue ownership
C. Weak threat modeling
D. Excessive appetite

Correct answer:

B. Lack of issue ownership

Without ownership, remediation accountability fails.


Slightly harder scenario

A business unit requests an exception to bypass encryption requirements for operational efficiency. No expiration date is defined.

What is the MOST significant governance concern?

A. Excessive mitigation
B. Uncontrolled exception duration
C. Weak inherent risk
D. Poor BIA

Correct answer:

B. Uncontrolled exception duration

Exceptions must be time-bound and reviewed.


Findings vs issues

Important nuance:

  • A finding identifies a condition.
  • An issue requires remediation.
  • An exception allows controlled deviation.

If these are confused, governance clarity fails.


Escalation discipline

If remediation deadlines are repeatedly missed:

  • Escalation is required.
  • Risk profile may change.
  • Residual risk may increase.
  • Governance oversight must intervene.

CRISC often tests failure to escalate recurring delays.
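The issue lifecycle, the exception management discipline and the escalation rules above are easy to state and easy to lose track of in a spreadsheet. The following Python is an added example (not part of this CRISC module, and not an ISACA artefact): it runs those governance checks over a constructed issue and exception register and reports the gaps the module names, such as a finding with no remediation owner, an issue closed without validation, an exception with no expiration date, and repeated missed deadlines that have not been escalated. The record layout, the field names, the 90-day review period and the two-missed-deadlines escalation threshold are all assumptions for the example; CRISC does not prescribe them.

```python
# Added example: governance checks over a constructed issue/exception register.
# Record layout, thresholds and sample values are assumptions, not CRISC-defined.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

ESCALATION_THRESHOLD = 2   # assumed: escalate after two missed remediation dates
REVIEW_PERIOD_DAYS = 90    # assumed: exceptions are re-reviewed at least quarterly


@dataclass
class Issue:
    issue_id: str
    owner: Optional[str]            # business process owner, never audit
    root_cause: Optional[str]       # structural cause, not the symptom
    target_date: Optional[date]     # target remediation date
    status: str = "open"            # open | remediating | closed
    validated: bool = False         # closure validation testing performed?
    missed_deadlines: int = 0
    escalated: bool = False


@dataclass
class ExceptionRecord:
    exception_id: str
    approver: Optional[str]         # business owner approval
    compensating_controls: List[str] = field(default_factory=list)
    expires: Optional[date] = None  # exceptions must be time-bound
    last_review: Optional[date] = None
    in_risk_register: bool = False


def issue_gaps(issue: Issue, today: date) -> List[str]:
    """Return the lifecycle and escalation gaps for one issue."""
    gaps = []
    if not issue.owner:
        gaps.append("no remediation owner")
    if not issue.root_cause:
        gaps.append("no root cause recorded")
    if issue.target_date is None:
        gaps.append("no target remediation date")
    elif issue.status != "closed" and issue.target_date < today:
        gaps.append("target date overdue")
    if issue.status == "closed" and not issue.validated:
        gaps.append("closed without validation")
    if issue.missed_deadlines >= ESCALATION_THRESHOLD and not issue.escalated:
        gaps.append("escalation required")
    return gaps


def can_close(issue: Issue) -> bool:
    """Closure is permitted only after remediation effectiveness is validated."""
    return issue.status == "remediating" and issue.validated


def exception_gaps(exc: ExceptionRecord, today: date) -> List[str]:
    """Return the exception-discipline gaps for one exception record."""
    gaps = []
    if not exc.approver:
        gaps.append("no business owner approval")
    if not exc.compensating_controls:
        gaps.append("no compensating controls")
    if exc.expires is None:
        gaps.append("no expiration date")
    elif exc.expires < today:
        gaps.append("expired")
    if exc.last_review is None or (today - exc.last_review).days > REVIEW_PERIOD_DAYS:
        gaps.append("review overdue")
    if not exc.in_risk_register:
        gaps.append("not in risk register")
    return gaps


def review_register(issues: List[Issue], exceptions: List[ExceptionRecord],
                    today: date) -> Dict[str, List[str]]:
    """Map every record with at least one gap to its list of gaps."""
    report: Dict[str, List[str]] = {}
    for issue in issues:
        gaps = issue_gaps(issue, today)
        if gaps:
            report[issue.issue_id] = gaps
    for exc in exceptions:
        gaps = exception_gaps(exc, today)
        if gaps:
            report[exc.exception_id] = gaps
    return report


# Constructed sample records mirroring the module's scenarios.
TODAY = date(2024, 6, 1)
SAMPLE_ISSUES = [
    # Audit finding accepted by management, but no owner assigned
    Issue("ISS-1", owner=None, root_cause="no review schedule",
          target_date=date(2024, 7, 1), status="remediating"),
    # Marked closed as soon as controls were implemented, never validated
    Issue("ISS-2", owner="IAM lead", root_cause="no accountable reviewer",
          target_date=date(2024, 5, 1), status="closed", validated=False),
    # Symptom-only fix, deadline missed three times, nobody escalated
    Issue("ISS-3", owner="app owner", root_cause=None,
          target_date=date(2024, 3, 1), status="open", missed_deadlines=3),
]
SAMPLE_EXCEPTIONS = [
    # Encryption bypass approved with compensating controls but no end date
    ExceptionRecord("EXC-1", approver="BU head",
                    compensating_controls=["network segmentation"],
                    expires=None, last_review=date(2024, 5, 15),
                    in_risk_register=True),
    # A well-formed exception: approved, compensated, time-bound, reviewed
    ExceptionRecord("EXC-2", approver="BU head", compensating_controls=["logging"],
                    expires=date(2024, 9, 30), last_review=date(2024, 5, 15),
                    in_risk_register=True),
]

if __name__ == "__main__":
    for record_id, gaps in review_register(SAMPLE_ISSUES, SAMPLE_EXCEPTIONS, TODAY).items():
        print(record_id, "->", ", ".join(gaps))
```

Run against the sample data, EXC-2 produces nothing and the other four records each surface exactly the weakness the module's scenarios describe. The checks are deliberately independent of each other so that a register reviewer sees every gap on a record at once rather than the first one found.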


Slightly uncomfortable scenario

An issue is marked “closed” once remediation controls are implemented, but no validation testing is performed.

What governance gap exists?

A. Weak inherent risk
B. Lack of closure validation
C. Excessive appetite
D. Poor BIA

Correct answer:

B. Lack of closure validation

Control effectiveness must be validated before closure.


Exception vs acceptance

Exception:

Temporary deviation from control requirement.

Risk Acceptance:

Formal acknowledgment of residual risk within tolerance.

They are related — but not identical.

An exception may increase residual risk and therefore require risk acceptance documentation.


Quick knowledge check

1) Who owns remediation of an identified issue?

A. Internal audit
B. Risk management
C. Business process owner
D. External regulator

Answer & reasoning

Correct: C

Business owns remediation accountability.


2) What is MOST critical when granting a policy exception?

A. Informal approval
B. Permanent waiver
C. Defined expiration and review
D. Immediate mitigation

Answer & reasoning

Correct: C

Exceptions must be time-bound and reviewed.


3) What is required before closing an issue?

A. Mitigation initiated
B. Owner reassigned
C. Control effectiveness validation
D. Audit approval

Answer & reasoning

Correct: C

Closure requires validation of remediation effectiveness.


Final takeaway

Issue management requires:

  • Documentation
  • Ownership
  • Root cause correction
  • Escalation discipline
  • Closure validation

Exception management requires:

  • Formal approval
  • Defined scope
  • Time limits
  • Review cycles
  • Risk register documentation

CRISC rewards candidates who preserve governance discipline — even when operational pressure exists.
