What should happen when a business rule is broken[1]? As discussed in this post, Business Analysts should answer three questions:
How strictly should the business rule be enforced?
What message is appropriate?
What response is needed?
Developing a friendly, secure business solution requires overt answers to these questions for at least a subset of business rules. (As explained later, defaults can be assumed for the others.) It should also be possible to easily change or evolve the answers (including defaults) after deployment of the business rules, thus permitting the business capability to become incrementally smarter.The goal is context-dependent, pinpoint reaction to breaches in real-time. Addressing breaches intelligently is key to creating friendly, agile, secure business solutions, ones that can evolve rapidly in day-to-day operation.Breach Question 1. Enforcement LevelHow strictly should a behavioral rule[2] be enforced?Example …
Business Rule: A service representative must not be assigned to good customers in more than 3 states or provinces.
Ask: How strictly should this business rule be enforced?
Enforcement Level: Override by pre-authorized actor
Table 1 lists the most common enforcement levels for behavioral rules.[3]
Table 1. Common Enforcement Levels for Behavioral Rules
Enforcement Level
Description
strictly enforced
Violations are disallowed in all cases – achieving some newstate successfully is always prevented.
override by pre-authorized actor
The behavioral rule is enforced, but an actor with proper before-the-fact authorization may override it.
override with explanation
The behavioral rule may be overridden simply by providing an explanation.
guideline
Suggested, but not enforced.
Be sure not to overlook the last enforcement level Table 1. A business rule that is actively evaluated, but not enforced, is (literally) a guideline. Guidelines are business rules too!
Breach Question 2. Guidance MessageWhat message should be returned when a breach of a business rule occurs?When a business rule is breached, somebody, often a business actor directly engaged in a business process, needs to know about it. The breach means the work being conducted has strayed outside the boundaries of what the business deems acceptable or desirable. From a business perspective an error has been made, so some error message should go out. What should that error message say?As a default, we like to say that the business rule statement is the error message. From a business point of view, that equivalence must always be true – what else are business rules about?! Rather than saying ‘error message’ (which sounds technical) or ‘violation message’ (which sounds harsh, especially for guidelines), we say guidance message.Generally, guidance messages should be as friendly and as helpful as possible. For example, guidance messages can be written in a more personal, informative style. More explanation or suggestions can be appended or substituted as desired. Perhaps a link to other media (e.g., a how-to video) can be provided. Sometimes the best guidance message takes the form of some icon or signal (e.g., a warning light turning to yellow or red). Guidance messages frequently need to be specific to the circumstances in which a breach occurs (e.g., what role or user produced it). In all cases, guidance messages should be made available only to people who are qualified and capable.Breach Question 3. Breach ResponseDoes the breach response for a business rule need to be more selective, rigorous, or comprehensive than simply a message?Example …
Business Rule: A cursory review of a received engineering design must be conducted within 5 business days of the date received.
Ask: What breach response is appropriate for this business rule?
Breach Response: The received engineering design must be brought to the attention of the manager of the department by the morning of the next business day.
Breach responses can take any of the following forms:
business rule (as illustrated above), or set of business rules
processes or procedures
sanctions or penalties
operational business decisions
special notifications, displays or instructions
Multiple breach responses might be desirable for a business rule. They might also need to be specific to the circumstances in which a breach occurs (e.g., what particular part of a process is being performed). Usually, breach responses serve to increase user-friendliness. In cases of potential fraud or malicious business behavior, however, breach responses should be much more aggressive.DefaultsNatural defaults for the three breach questions are listed in Table 2.
Table 2.Defaults for the Breach Questions
Breach
Question
Default
enforcement level
strictly enforced
guidance message
the business rule statement itself
breach response
none
[1]Fundamental to business analysis with business rules is the assumption that breaches of business rules can be detected. If you can’t detect breaches, how can you run the business?! To say it differently, if you can’t detect breaches of a business rule, but you can still run the business, perhaps you don’t need the business rule at all(!).
[2]This breach question applies only to behavioral rules. Since definitional rules must always be true, they are in essence strictly enforced.
[3]Table 12-1 of Business Rule Concepts, 3rd Ed. (Chapter 12) discusses additional enforcement levels. It also provides tips for designing procedures with business rules.
Ron Ross, Principal and Co-Founder of Business Rules Solutions, LLC, is internationally acknowledged as the “father of business rules.” Recognizing early on the importance of independently managed business rules for business operations and architecture, he has pioneered innovative techniques and standards since the mid-1980s. He wrote the industry’s first book on business rules in 1994.
What if an organization has an extensive corpus of business rules, or “mandatory requirements”, but for the most part they are not enforced or even monitored? What enforcement occurs is through process, e.g., IT project branch will enforce project gating rules because it has to review business cases and present them for approval, or procurement branch will enforce procurement rules because, similarly, it takes procurements forward for approval. But if a rule set does not have this kind of support, for instance information management rules, then should they be explicitly recognized as guidance statements (“should”), instead of mandatory requirements (“must”). Or, is it appropriate simply to say that your rule sets, though not actively enforced, are expected to be followed and that failure to do so may result in sanction or disciplinary action? Is this enough for a “must”.
What a business rule means is simply a different question than how strictly it is to be enforced. It’s best overall not to mix the two things into the expression of the business rule itself. So in RuleSpeak, we always use “must” or “only” as rule keywords. See http://www.RuleSpeak.com (free).
A lot of thought has been given to different levels of enforcement. Refer to Business Rule Concepts (4th ed), p.135.
General comment: It shouldn’t be up to processes (or databases) to enforce business rules. There such be a separate ‘watcher’ (automated), like a referee in a football game or the traffic cop with his radar gun. This is the missing ingredient in most organizations’ architecture today. Huge black hole … one that sucks in unreasonable and probably unsustainable amounts of resources. (P.S. Today’s generation of rule engines / BRMS / Decision Management Platforms come nowhere close to providing adequate capability for this area.)
“We actively use the BRS business-side techniques and train our business analysts in the approach. The techniques bring clarity between our BAs & customers, plus more robust requirements for our development teams. We’ve seen tremendous value.”
Jeanine Bradley – Railinc
“A great class that explains the importance of business rules in today’s work place.”
Christopher – McKesson
“You did a wonderful job!! The material was organized and valuable.”
Janell – Texas State University
“Your work has been one of the foundations of my success in our shared passion for data integration. It has had a huge impact on innumerable people!”
“Sessions flow together well and build upon the concepts for the series which makes the learning easy and better retention.
The instructor is knowledgeable and very attentive to the audience given the range of attendees skill and knowledge of the subject at hand. I enjoy her training sessions.”
Deborah – American Family Insurance
“I found the course interesting and will be helpful.
I like the pragmatic reality you discuss, while a rule tool would be great, recognizing many people will use Word/Excel to capture them helps. We can’t jump from crazy to perfect in one leap!
Use of the polls is also great. Helps see how everyone else is doing (we are not alone), and helps us think about our current state.”
Trevor – Investors Group
“Instructors were very knowledgeable and could clearly explain concepts and convey importance of strategy and architecture.
It was a more comprehensive, holistic approach to the subject than other training. Emphasis on understanding the business prior to technology considerations was reassuring to business stakeholders.”
James De Monte
| #
What if an organization has an extensive corpus of business rules, or “mandatory requirements”, but for the most part they are not enforced or even monitored? What enforcement occurs is through process, e.g., IT project branch will enforce project gating rules because it has to review business cases and present them for approval, or procurement branch will enforce procurement rules because, similarly, it takes procurements forward for approval. But if a rule set does not have this kind of support, for instance information management rules, then should they be explicitly recognized as guidance statements (“should”), instead of mandatory requirements (“must”). Or, is it appropriate simply to say that your rule sets, though not actively enforced, are expected to be followed and that failure to do so may result in sanction or disciplinary action? Is this enough for a “must”.
Ronald G. Ross
| #
What a business rule means is simply a different question than how strictly it is to be enforced. It’s best overall not to mix the two things into the expression of the business rule itself. So in RuleSpeak, we always use “must” or “only” as rule keywords. See http://www.RuleSpeak.com (free).
A lot of thought has been given to different levels of enforcement. Refer to Business Rule Concepts (4th ed), p.135.
General comment: It shouldn’t be up to processes (or databases) to enforce business rules. There such be a separate ‘watcher’ (automated), like a referee in a football game or the traffic cop with his radar gun. This is the missing ingredient in most organizations’ architecture today. Huge black hole … one that sucks in unreasonable and probably unsustainable amounts of resources. (P.S. Today’s generation of rule engines / BRMS / Decision Management Platforms come nowhere close to providing adequate capability for this area.)
How to Make Your Business Rules Context-Sensitive — Ron Ross on Business Rules
| #
[…] I discuss breach responses in the post: http://www.brsolutions.com/2012/06/03/breaking-the-rules-breach-questions/ […]