Question: Do business rules derive from strategy? Answer: In our experience only about 2-3% of a company’s business rules derive directly from strategy (goals and objectives). Needless to say, those are a critical 2-3%. The rest of a company’s business rules concerning behavior derive from regulations, contracts, agreements, business policies, warranties, deals, certifications, etc. Let’s call all those obligations. Every business has a choice of whether to comply with its obligations. Generally speaking, the risks of not doing so will be high in a good many (though not all) cases. So there’s certainly something to be said for being a good corporate citizen in a free enterprise system. The key is to make sure all business rules align with strategy, even if most don’t derive directly from it.

Guest Post by Kenneth Watman Deputy Director, Systems Analysis Office of Director of National Intelligence Washington D.C. ~~~~~~~~~~~~~~~~~ Like so many people, I was fascinated and exasperated by Taleb’s book. But, when the book is summed up, I do not believe Taleb has defined “Black Swan” as anything special or remarkable. Near as I can tell, a “Black Swan” is an especially rare event, perhaps completely unanticipated with very large consequences. Well, had we discussed this question before 9/11 and the financial crash, I think we would have said, “Of, course.” If there are 100-year hurricanes, there probably are 500-year hurricanes. A relatively small asteroid has a 1-in-250 chance of hitting earth over some time period with unprecedented effects. So, if you want to label those “Black Swans,” why not? There are two issues of consequence that Taleb doesn’t or cannot answer.

1. First, is there a systematic reason to believe we are underestimating risk and or consequences? That’s a matter of data and analytical methods, and there are lots of people trying to find out. We know that when disaster models are misused, like the financial models, they will tell us garbage with results that may shock us. Again, where’s the news in that. Don’t misuse the models and put into place precautions against doing so.

2. Second, even if the data suggest we need fatter tails (long-standing procedures exist to do that), there’s a policy/greed question. Will finance and insurance companies put enough in their reserves to reflect the risks they face? Or, as a matter of policy, lack of regulation, competitive market pressures, and self-deception, will they simply close their eyes, cross their fingers, and discount cognitively what low risk means, e.g. non-zero risk?

Reminding us of rare, high consequence events is fine. Calling them “Black Swans” doesn’t add anything substantively, although it’s an effective metaphor. But the greatest contribution is in answering the latter two questions I’ve posed. ~~~~~~~~~~~~~~~ Have a look at my recent posts on Black Swans, strategy, and business rules … Search on “Black Swans”  

Let me re-clarify what I am, and am not, saying about business rules and black swans. There’s been some confusion. I did not say that preparing for or responding to black swans is all about business rules. (I’m not that naive!) I did say, however, that business rules “… build robustness to negative [black swans] that occur and being able to exploit positive ones” [Taleb’s words]. My main point is this: If you don’t have ready access to your current business rules (i.e., know what they are in depth), then when a black swan occurs you can’t immediately undertake to respond to negative ones, and exploit positive ones. (See: http://goo.gl/Ny2Cn) A colleague wrote: “For example, Taleb cites 9/11 as an example of a black swan. What business rules would prevent or allow successful response to that?” I make no suggestions about prevention. Hindsight is 20-20. But successful response? You need to quickly review what your current business practices (business rules) are …

• Permissible carry-ons. Box-cutter knives? Immediately banned. Any other sharp items including silverware for meals, banned.
• Access to the cockpit. Special barriers (food cart, steward(ess)) put in a blocking position when a pilot exits the cockpit to use the lavatory. Doors locks reinforced.

We learn as we go. Amounts of liquid over a certain threshold, banned. Shoes must be removed at security. Souvenir ‘blizzard’ globes, banned. You want to roll out these new business rules fast(!). If you don’t know what business rules you already have in place, you simply can’t respond as fast you need to. Make no mistake, most businesses today sadly don’t really know what their current business rules are. That’s what I’m saying!

I’ve gotten a lot of excellent response to yesterday’s post on black swans. Let me summarize yesterday’s points and continue the line of thought.

a. Business rules cannot be used to help protect against unforeseeable events that have not already happened. b. Business analysts can assess unforeseeable events (black swans) and develop business rules to cater for their potential recurrence.

c. If you don’t have ready access to your current business rules (i.e., know what they are in depth), then when a black swan occurs you can’t immediately undertake point b.

Point c is actually where my emphasis lies. The result is that the organization remains vulnerable for recurrence (and copycat malicious attacks) for a much longer period than necessary (or desirable). How long extra? At least days, more likely weeks, sometimes months. What most organizations don’t realize today is that they don’t actually know what their business rules are. Before they can even begin to rethink business practices in-depth they have to send out ‘scouts’ (business analysts and IT professionals) to discover their current business rules (from people’s heads, source code, procedure manuals, documentation, etc., etc.). When the scouts do find the current business practices (business rules), they have to sort through redundancy, inconsistency, gaps and conflicts. That’s simply no way to run a business! There’s no single-sourcing of business rules, no official, authoritative ‘rulebook’, no structured corporate memory. The result is huge loss of time and energy. The problem is so big it’s hard to see. We simply have to face up to the fact that current methodologies produce a crippled business governance process. And yes, the situation *is* that bad! ~~~~~~~~~~~~~~~~~ P.S. To single-source business rules and retain corporate memory about them, we recommend a ‘general rulebook system’. See http://www.brcommunity.com/BBSGlossary.pdf (page 30) for quick explanation.

We preach (and practice) strategy as a key element of business analysis. A key element of strategy is identifying significant business risks. We address such risks in the deliverable we call a Policy Charter. See http://www.brcommunity.com/BBSGlossary.pdf (page 39). Appropriate business policies are developed to protect the company. Sometimes we hear the argument that it’s impossible to determine the risk of some future unknown event. And what’s a rational definition of risk anyway? By “risk” we simply mean what the dictionary (Merriam-Webster Unabridged) means: 1: the possibility of loss, injury, disadvantage, or destruction : CONTINGENCY, DANGER, PERIL, THREAT Yes, the following statement is correct: “It is impossible to determine the risk of some future unknown event.” The operative word in that is unknown. How could anyone argue with that? The implicit reference is to black swans … unpredictable outliers. The only thing business analysts can do to help protect the business against black swans is “… build robustness to negative ones that occur and being able to exploit positive ones.” (Wikipedia on Taleb’s book The Black Swan: The Impact of the Highly Improbable). I maintain that business solutions based on business rules do exactly that. To respond successfully to unforeseen circumstances you must know what your business practices (business rules) are in the first place(!). On the other hand, business people generally do have a good understanding of known business risks. We think it’s crucial to factor that understanding into business analysis. Now who could argue with that?!