A control objective with no controls would lead to what outcome regarding Policy Exceptions?

When a control objective lacks associated controls, it suggests that there are no mechanisms in place to meet the objective's requirements or to mitigate the identified risks. In this scenario, stakeholders that evaluate the associated policy exceptions will likely view the absence of controls as a significant gap in risk management.

If no controls are established to manage the risks that prompted the control objective, it would typically result in the denial of any requests for policy exceptions. This is because granting an exception would effectively allow an organization to operate without sufficient safeguards, increasing its vulnerability to risks that the control objective was designed to address. Therefore, in the context of policy governance, the responsible parties would deny the policy exception to uphold risk management standards and ensure compliance with the overarching policies.

In contrast, other options imply different actions that do not align with the principle of maintaining effective control and risk management. For instance, postponing or approving an exception would indicate a willingness to overlook the risks associated with the absence of controls, which is generally not advisable in risk management practices.