Which term refers to a risk that is created due to an exemption being granted or failure to comply with corporate policy?

Multiple Choice

When policy controls are bypassed or allowed to be bypassed, the organization introduces a specific risk tied to that deviation. This is described as a risk exception: the residual risk that exists because an exemption was granted or someone did not follow the policy. Documenting a risk exception helps teams recognize the weakened control, assign ownership, and implement mitigations or a time-bound plan to reassess the exemption. It focuses on the concrete risk created by deviating from established policy and the need to manage it.

In contrast, risk appetite describes how much risk the organization is willing to tolerate overall, not a particular deviation. Risk exposure is the current level of risk across the environment, a broader state rather than the specific cause. A policy gap refers to missing or incomplete policy content or controls, rather than the risk arising from granting an exemption to, or failing to comply with, an existing policy.
