Security policies are directive documents that are mandatory to follow. However, there might be instances where, for a stipulated period, a security policy exception needs to be invoked. Out of the following, which item is NOT normally included in a request for exception?

a. Proposed updates to the policy
b. Description of the risk associated with the exception
c. Description of a compensating control
d. Business justification for the exception