How would you categorize a risk created by an exemption from a standard policy?

Enhance your CompTIA Security+ exam readiness with flashcards and multiple-choice questions, including hints and detailed explanations. Prepare effectively for a successful exam experience!

A risk created by an exemption from a standard policy is referred to as a risk exception. This term is used to describe a unique situation where an organization decides not to apply a specific control or standard due to various factors, such as resource constraints or practical considerations. By allowing an exemption, the organization acknowledges that there is an associated risk but also understands the reasoning behind deviating from the standard practice.

In contrast, accepted risk typically refers to the risk that an organization chooses to acknowledge and tolerate without implementing further controls. Residual risk indicates the remaining risk after controls have been applied, while inherent risk represents the level of risk that exists in the absence of any controls. While all these terms relate to risk management, risk exception specifically denotes the scenario where a standard policy is not fully applied due to a deliberate decision.
