Although it is good to fix all the vulnerabilities before making any system live in production, exceptions do occur. Business is always a priority and information security must always align and support with business objectives. So there might be a scenario where, due to some urgent business priorities, a system is made live in production with security exceptions. It then becomes extremely critical to keep a track of such exceptions and make sure they get fixed as per the plan. The number of exceptions granted metric helps track the number of vulnerabilities that have not been remediated and granted exceptions. Tracking this metric is important from audit perspectives. Data for this metric can be published and compared on a quarterly basis, with the value for every quarter ideally lesser than the previous one.