Episode 42: Issue, Finding, and Exception Management

Welcome to The Bare Metal Cyber CRISC Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
In risk management, the terms issue, finding, and exception refer to specific types of deviations from expectations. In other words, they each indicate that something is not going as planned. An issue is a deviation from expected control performance that is usually identified internally. In other words, someone inside the organization noticed something was not working correctly. A finding is a formally documented issue that is identified through an audit or structured review. In other words, an outsider or independent team reported a problem and made it official. An exception is different—it refers to a formally approved deviation from policy or standard, usually granted for a limited time. In other words, it is a known and approved gap. All three—issues, findings, and exceptions—must be tracked, assigned to responsible owners, and monitored by governance. In other words, they cannot be left unmanaged or forgotten. CRISC professionals must ensure that these are visible and handled, not buried, ignored, or dismissed. In other words, exam scenarios will often test whether you’ve recognized when oversight has failed.
Issues can be identified in several ways. In other words, they may surface from different kinds of monitoring. Control testing, internal reviews, and audits often reveal issues. In other words, structured checks can spot when things are broken. Incidents in production, key risk indicators that exceed thresholds, or recurring process failures can also point to issues. In other words, problems become visible when results deviate from expected behavior. Each issue must be documented clearly, including a description, relevant context, and the potential business impact. In other words, vague reports are not acceptable. They should be logged in an issue tracker or governance system to ensure follow-up. In other words, visibility comes from recording the problem in the right place. On the exam, if you see a statement like “the control failed repeatedly without action,” that signals a missed issue escalation. In other words, someone failed to recognize or respond to a known problem.
Issues follow a defined lifecycle. In other words, they are handled through a step-by-step process. First is identification—someone discovers a problem. In other words, awareness begins the process. Second is documentation, which captures the details of the issue. In other words, the problem is recorded in a formal way. Third is analysis and categorization, where severity, impacted assets, and risk areas are defined. In other words, not all issues are equal. Fourth is root cause analysis, which looks beyond symptoms to find why the issue happened. In other words, you solve the problem, not just patch the result. Fifth is the action plan, where you decide what to do and assign tasks. In other words, the response is made real. Sixth is tracking, where progress is monitored over time. In other words, you make sure it does not stall. Seventh is closure, which requires evidence and verification that the issue is resolved. In other words, you do not just mark it complete—you prove it.
Findings are formal statements of control failure or policy non-compliance. In other words, they are official observations made through audits. They are typically raised by internal auditors, external examiners, or other review functions. In other words, they come from outside your day-to-day operations. A finding may indicate weak governance, failed controls, or processes that do not meet policy requirements. In other words, it points to something that must change. Each finding must have a documented response plan, including milestones and ownership. In other words, someone must fix it and report on progress. Findings are often reviewed by audit committees or regulators. In other words, external visibility requires formal follow-up. In CRISC scenarios, if a finding is not addressed, it signals a serious governance breakdown. In other words, failure to act on findings shows lack of oversight.
Exceptions are approved deviations from standard policies. In other words, they are exceptions—not violations. An exception may be granted when compliance with a control is temporarily not possible. In other words, it is a deliberate and documented gap. The exception must include justification, defined scope, risk evaluation, and an expiration date. In other words, it must be time-limited and justified. All exceptions require formal governance approval—they cannot be self-authorized. In other words, individuals cannot excuse themselves from compliance. Often, exceptions come with requirements for mitigating controls. In other words, you must compensate for the missing safeguard. On the exam, phrases like “the policy was bypassed without approval” signal unauthorized exceptions. In other words, someone skipped the process.
Tracking issues, findings, and exceptions requires dedicated systems. In other words, spreadsheets are not enough. GRC tools or integrated platforms can provide modules to manage and monitor each type of deviation. In other words, use purpose-built software when possible. These tools should capture status, due dates, assigned owners, and action plans. In other words, they make sure nothing gets lost. You should set alerts for upcoming exception expirations or delayed action plans. In other words, reminders help prevent silent failures. Audit logs should record all changes, approvals, or status updates. In other words, traceability proves the process was followed. In CRISC scenarios, the best answers will include documentation, transparency, and system-based visibility.
Every issue, finding, or exception must have an assigned owner. In other words, someone must be responsible. Ownership is usually based on the process or control that was affected. In other words, the closest responsible party should manage the response. There should be defined escalation paths if deadlines are missed or risk increases. In other words, problems cannot sit unresolved. Both risk owners and control owners may be involved depending on the nature of the deviation. In other words, coordination ensures the response is appropriate. Governance teams must be able to view all unresolved or overdue items. In other words, lack of visibility is itself a risk. On the exam, questions will often ask who is responsible at a specific point. In other words, timing and ownership are key decision factors.
Monitoring open issues helps governance understand the current risk posture. In other words, visibility leads to action. Dashboards or reports should display how long issues have remained open, how quickly they are being resolved, and what risk remains. In other words, they should show age, velocity, and impact. High-impact or overdue issues should be escalated to senior leadership or boards. In other words, they must not be hidden. Trends in issue types can show underlying problems in systems or processes. In other words, repeated failures suggest something structural is wrong. Reporting must support both transparency and accountability. In other words, it helps ensure that issues are not ignored or delayed.
An issue should only be closed after the corrective action is complete and verified. In other words, closure requires proof. This may include retesting the control, doing a process walkthrough, or reviewing new documentation. In other words, verification depends on the nature of the fix. Governance groups should periodically review closed items for accuracy and to identify lessons learned. In other words, use closure as a way to improve. Self-attestation without evidence should never be accepted. In other words, people cannot just say the issue is resolved. In exam scenarios, if a problem recurs after closure, it usually means the validation was weak or skipped. In other words, confirmation was inadequate.
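The lifecycle, exception and closure rules described above can be enforced in a tracker rather than left to memory. The following is an added example written for this page, not code from The Bare Metal Cyber CRISC Prepcast or any GRC product: a small Python register that moves an issue through the seven stages one step at a time, refuses closure without verification evidence, keeps an audit log of every transition, rejects self-authorized or undated exceptions, and reports overdue issues and exceptions about to expire. All identifiers, owners and dates in it are constructed.

```python
"""Minimal issue / exception register enforcing the governance rules in the episode.
Constructed example: every identifier, owner and date below is made up."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Stage(Enum):
    """The seven lifecycle stages; an issue may only move forward one stage at a time."""
    IDENTIFIED = 1
    DOCUMENTED = 2
    ANALYZED = 3
    ROOT_CAUSED = 4
    PLANNED = 5
    TRACKING = 6
    CLOSED = 7


@dataclass
class Issue:
    issue_id: str
    description: str
    owner: str                 # every issue must have an assigned owner
    due: date
    stage: Stage = Stage.IDENTIFIED
    evidence: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # (actor, from_stage, to_stage) per transition

    def advance(self, actor: str, evidence: str = "") -> Stage:
        """Move to the next stage; closing requires verification evidence, not self-attestation."""
        if self.stage is Stage.CLOSED:
            raise ValueError(f"{self.issue_id} is already closed")
        nxt = Stage(self.stage.value + 1)
        if nxt is Stage.CLOSED and not evidence.strip():
            raise ValueError(f"{self.issue_id}: closure requires verification evidence")
        if evidence:
            self.evidence.append(evidence)
        self.audit_log.append((actor, self.stage.name, nxt.name))  # traceability of who did what
        self.stage = nxt
        return self.stage


@dataclass
class PolicyException:
    exc_id: str
    control: str
    requested_by: str
    approved_by: str           # must be a governance approver, never the requester
    justification: str
    expires: date              # exceptions are time-limited
    mitigating_controls: list = field(default_factory=list)


def validate_exception(exc: PolicyException) -> list:
    """Return governance problems with the exception; an empty list means it is acceptable."""
    problems = []
    if not exc.justification.strip():
        problems.append("missing justification")
    if not exc.approved_by or exc.approved_by == exc.requested_by:
        problems.append("exception must be approved by governance, not self-authorized")
    if not exc.mitigating_controls:
        problems.append("no mitigating controls defined")
    return problems


def overdue_issues(issues: list, today: date) -> list:
    """IDs of unresolved issues whose due date has passed (closed items are not overdue)."""
    return [i.issue_id for i in issues if i.stage is not Stage.CLOSED and i.due < today]


def expiring_exceptions(exceptions: list, today: date, window_days: int = 30) -> list:
    """IDs of exceptions that expire within the alert window (or have already expired)."""
    cutoff = today + timedelta(days=window_days)
    return [e.exc_id for e in exceptions if e.expires <= cutoff]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    iss = Issue("ISS-1", "nightly backup job failing", "ops-lead", date(2024, 5, 15))
    for _ in range(5):
        iss.advance("risk-analyst")
    iss.advance("internal-audit", "control retested 2024-05-30, three successful runs")
    exc = PolicyException("EXC-7", "MFA on legacy app", "app-owner", "app-owner",
                          "vendor has no MFA support", date(2024, 6, 20))
    print(iss.stage, iss.audit_log)
    print(validate_exception(exc))
    print(expiring_exceptions([exc], today))
```

The register is deliberately linear: an analyst cannot jump from identification to closure, and the only way to reach CLOSED is through `advance` with non-empty evidence, so the audit log always records who verified the fix. The `validate_exception` checks mirror the approval, justification, expiration and mitigation elements the episode lists as required.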
CRISC exam questions on issues and exceptions often involve identifying a missing step or weak control. In other words, they test process completeness. If the scenario says “a control failure was identified but not assigned,” the answer involves missed ownership. In other words, action needs an owner. If you are asked how to manage an exception, look for approval, justification, expiration, and mitigation. In other words, follow the policy framework. If a finding stays open for a long period with no update, governance has likely failed. In other words, unresolved findings signal breakdowns in oversight. Correct answers will reflect visibility, documentation, and a complete resolution cycle. In other words, they show the full governance process from start to finish.
Thanks for joining us for this episode of The Bare Metal Cyber CRISC Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.