Your ability to respond in appropriate ways to pinpoint circumstances where business rules are breached – automatically and independently of processes – provides the mechanism you need to support very smart, very friendly business systems. Normally we think about breaches occurring for behavioral rules, where a breach means a violation has occurred. Can breaches occur for decision rules too? The answer is yes and no. Read on!
A breach occurs for a business rule when the business rule isn’t satisfied upon being applied to some set of circumstances (state of affairs). Normally we think about breaches occurring for behavioral rules, where a breach means a violation has occurred (e.g., you violated the posted speed limit).
The potential for violations of behavioral rules raises several important questions that business analysts should answer in advance of deployment for each behavioral rule:
1. What level of enforcement should be applied.
2. What special response to a violation is appropriate, if any.
3. What special message, if any, should be returned to some worker(s) upon a violation.
Unlike behavioral rules, no definitional rule can ever be violated. Literally, things must be correct under such rules by definition.
Let’s take an example. Suppose somebody asserts “2+2=5”. According to the rules of mathematics, we know the correct answer is 4. The answer “5” is deemed irrevocably wrong. But is the asserted answer ever allowed to stand?
If the rule is defined as a decision rule, the asserted answer is never allowed to stand. More precisely, the assertion would never be recognized to have happened in the first place. If someone asserts “2+2” the answer “4” is concluded immediately. Period. No breach, no opportunity for error.
If defined as a behavioral rule (one that is not strictly enforced), the asserted answer is allowed to stand, but a violation is recognized. How might that capability be useful? Suppose the error were made by a student in grade school. It might be quite useful for the student and/or a tutor to know about it immediately and automatically. Specifying an appropriate violation response can make such notification happen.
In business, of course, definitional rules can be far more complex. Nonetheless, your ability to respond in appropriate ways to the pinpoint circumstances where certain rule-related events occur – automatically and independently of processes – provides exactly the mechanism you need to support very smart, very friendly operational business decision systems.
Decision Rules and Breaches
Decision rules are a special kind of definitional rule involving implications (e.g., A implies B). They support inferences and determinations – identifying an appropriate outcome from among a set of alternatives.
Like all decision rules, definitional rules cannot be violated. They are simply deemed true by definition.
Purely from a business perspective, however, some assertions of fact(s) may make it appear that a breach-like event has occurred. I take pains to emphasize any such perception is purely from the business perspective, not from the perspective of logic. You perceive a breach of a decision rule simply because it’s useful to do so, not because any true violation has occurred.
In evaluating some particular case (situation, set of circumstances, or matter of concern), for example, things might not follow the ‘happy path’. Think of a breach of a decision rule as a bump in the road – a gap along the happy path.
Let’s return to the three questions listed earlier. Although the first question about enforcement level obviously doesn’t apply to decision rules, adjusted versions of questions 2 and 3 remain in play.
Consider the following simple business example. Suppose a bank has this decision rule:
A credit application must be considered discrepancy-free with respect to a credit report for the applicant if all the following are the same:
date of birth
Social Security Number
Let’s suppose that an applicant uses just the initial for her middle name on her credit application. If the credit report shows her full middle name, then the names are not the same and the credit application will not be considered discrepancy-free.
Note carefully the rule hasn’t been violated; it did its ‘work’ correctly and it did reach the proper conclusion (not discrepancy-free). But a gap – a breach – for her case has been identified from a business perspective because the rule failed on one of the conditions. We should be able to take advantage of that breach to take appropriate action – selectively, automatically and in real time.
For example, the desired response to the breach might be to insert the following to-do item in the work queue of the responsible staff member: “Review discrepancy and manually ok if appropriate”. (The to-do item should naturally also provide ready access to the related documents.) The breach of the rule causes this action to occur automatically.
Think about how many decision rules might exist for determining credit-worthiness, and how many selective conditions they might have. Could you build a responsive system by incorporating the selective responses needed into the related process model(s)? Not a chance – that approach won’t scale. Instead, the selective responses need to be specified based on the business-rule side of things.
Kinds of Breach Specifications for Decision Rules
Breach specifications for a decision rule can be of the following two kinds.Breach Response. A breach response can be an action of virtually any kind. For example, a breach action might be to:
Add some task(s) to a (non-redundant) to-do list in some appropriate work queue.
Add some documentation items to a (non-redundant) not-yet-received list.
By these means very selective follow-up processing/handling (“what to do next”) can be organized pertaining to any specific issue (breach) for a given case. Such selectivity is made possible by the granularity of the rules.
Breach Message. A specially-worded breach message can be forwarded to any involved party either inside or outside the company. A breach message generally explains one or both of the following at any level of detail desired:
Why the rule or condition failed. (The rule or condition statement already indicates very precisely what the issue is, but the breach message can explain in a more friendly manner.)
What should be done to address the issue.
More Complex Example
Breach specifications apply selectively and specifically to a decision rule and/or any of its conditions. A breach specification applies if and only if that decision rule and/or condition fails (is not true) in evaluating some specific case (e.g., a specific credit application). An example of a decision rule with condition-specific breach specifications is illustrated in Table 1.
Table 1. Example of More Complex Decision Rule with Condition-Specific Breach Specifications
A fluctuating income must be considered eligible if all the following are true:
Conditions of the
the applicant has a 3-year proven track record of consistent income
the applicant is likely to have comparable income in the future
Add to-do item for that credit application: “Contact employer to verify applicant has reasonable opportunity for future income.”
the income is validated
Add required documentation items not yet received to a pending list for the credit application.
To applicant: “[date] Here’s a list of documentation items related to your income we have not yet received. [pending list].”
Using Breach Specifications
Breach specifications can be:
General for an entire decision rule including all its conditions. (The example in Table 1 doesn’t include any whole-rule specifications. If the rule did they would appear in the first row.)
Specific to a given condition.
Specific to collections of conditions (none shown for the example).
A breach is detected only if the conclusion of the rule as a whole, or some particular condition within it, evaluates to not true. Things being true should be viewed as moving the case along the desired path (i.e., no breach has occurred). Decision rules (and breach specifications) should be expressed carefully so as to preserve this positive orientation.
Generally, breach actions should be specified only if something can be done to overcome a failure (of a rule or condition). The goal is to move things forward in the case. In the example above, for instance, if nothing whatsoever can be done to correct an issue, the credit application should simply be declined. A behavioral rule to that effect should be specified.
In hierarchies of decisions (e.g., as in Q-Charts) and decision rules (e.g., as based on series of logical dependencies), breach specifications should generally be made only at the lowest level of rule reduction/decomposition. A rule at a higher level in a logical hierarchy only evaluates to not true if some rule(s) below it evaluate to not true. Define breach specifications at the lowest level of granularity.
Although rules can be specified in violation specifications for behavioral rules (e.g., to express some sanction or penalty), they should never be specified within breach specifications for a decision rule. Such ‘nesting’ of rules, especially on the basis of ‘not true’, is inappropriate.
Otherwise the advantages of overall declarative specification can be forfeited.
By default, breach specifications for a decision rule apply only the first time it is evaluated for each case. The assumption is that all business rules, including decision rules, are evaluated on a continuous basis. Re-application of any breach specification for a case therefore requires additional timing and iteration criteria. Whether a case is evaluated iteratively on the same set of decision rules based on timing criteria applied by or for some external process or platform is outside the scope of this discussion. No matter what the scheme of evaluation, the expression of the decision rules – as for all business rules – should be completely unaware of it.
Want context-sensitive business rules? It doesn’t necessarily work the way you think it might. Let’s take an example: A client must have a physical address. That’s the rule; it just says what it says.
Separately from the rule itself, several things can be specified:
How strictly the rule is to be enforced. Such specification might be: ‘strictly enforced’, ‘override with prior authorization’, ‘override with explanation’, ‘guideline’, etc.
What response and/or message is appropriate when the rule is violated.
Both things can be specified to be context-dependent. Back to the example:
Suppose the rule is violated in signing up as a member of a website. The enforcement level might be “guideline” and the response might be “We encourage you to provide this information so that we may serve you better in the future.”
Suppose the rule is violated in placing an order. The enforcement level might be “strictly enforced” and the response might be “We’re sorry. But we need your address to send you this order.”
Excerpted from Business Rule Concepts: Getting to the Point of Knowledge (4th ed, 2013), by Ronald G. Ross, 162 pp,http://www.brsolutions.com/b_concepts.phpLet me use an example to sketch the workings of business rules in smart architecture based on points of knowledge. Refer to the Figure to visualize how the system works.
Aside: I have been using this same slide since 1994(!).
Suppose you have a process or procedure that can be performed to take a customer order.
An order is received. Some kind of event occurs in the system. It doesn’t really matter too much what kind of event this is; let’s just say the system becomes aware of the new order.
The event is a flash point — one or more business rules pertain to it. One is: A customer that has placed an order must have an assigned agent.
We want real-time compliance with business policy, so this business rule is evaluated immediately for the order. Again, it doesn’t much matter what component in the system does this evaluation; let’s just say some component, service, or platform can do it.
Suppose the customer placing the order does not have an assigned agent. The system should detect a fault, a violation of the business rule. In other words, the system should become aware that the business rule is not satisfied by this new state of affairs.
The system should respond immediately to the fault. In lieu of any smarter response, at the very least it should respond with an appropriate message to someone, perhaps to the order-taker (assuming that worker is authorized and capable).
What exactly should the error message say?Obviously, the message can include all sorts of ‘help’. But the most important thing it should say is what kind of fault has occurred from the business perspective. So it could start off by literally saying, “A customer that has placed an order must have an assigned agent.” We say the business rule statement is an error message (or better, a guidance message). That’s a system putting on a smart face, a knowledge-friendly face, at the very point of knowledge. But it’s a two-way street. By flashing business rules in real-time, you have an environment perfectly suited to rapidly identifying opportunities to evolve and improve business practices. The know-how gets meaningful mindshare. That’s a ticket to continuous improvement and true business agility.
Smarter and Smarter Responses
Is it enough for the system simply to return a guidance message and stop there? Can’t it do more? Of course.For the order-taking scenario, a friendly system would immediately offer the user a means to correct the fault (again assuming the user is authorized and capable). Specifically, the system should offer the user another procedure, pulled up instantaneously, to assign an appropriate agent. If successful, the user could then move on with processing the order.This smart approach knits procedures together just-in-time based on the flash points of business rules. It dynamically supports highly-variable patterns of work, always giving pinpoint responses to business events (not system events). In short, it’s exactly the right approach for process models any time that applying know-how is key — which these days, is just about always!The Business Rules Manifesto (http://www.businessrulesgroup.org/brmanifesto.htm) says this: “Rules define the boundary between acceptable and unacceptable business activity.” If you want dynamic processes, you must know exactly where that boundary lies, and how to respond to breaches (at flash points) in real time. Is that as smart as processes can get? Not yet. Over time, the business rules for assigning appropriate agents might become well enough understood to be captured and made available to the system. Then when a fault occurs, the system can evaluate the business rules to assign an agent automatically. At that point, all this decision-making gets tucked very neatly under the covers. Even if the business rules you can capture are sufficient for only routine assignments, you’re still way ahead in the game.Smart architecture based on business rules is unsurpassed for incremental design, where improvement:
Focuses on real business know-how, not just better GUIs or dialogs.
Continues vigorously after deployment, not just during development.
Occurs at a natural business pace, not constrained to software release cycles.
The Manifesto says it this way: “An effective system can be based on a small number of rules. Additional, more discriminating rules can be subsequently added, so that over time the system becomes smarter.” That’s exactly what you need for knowledge retention, as well as to move pragmatically toward the knowledge economy. Business rules give you true agility.
A person close to the DMN (Decision Model Notation) standard recently wrote:
In DMN a decision is deliberately defined very broadly …
“a decision is the act of determining an output value (the chosen option), from a number of input values, using decision logic defining how the output is determined from the inputs”.
Decisions in DMN can be automatic, they can be used for detection, the logic they use can concern the violation of constraints; I see no problem with any of this.
A motorist goes thundering down the motorway, well over the speed limit. A radar gun detects it. What “decision” was made? Would a business person ever say the radar gun “decided” the motorist was speeding? … “Determined” maybe; “decided” no.
A company has the (behavioral) business rule:
A customer that has placed an order must have an assigned agent.
An agent servicing customers who have placed orders retires and moves to Florida (this last part irrelevant). What “decision” is it that says, hey, now have some unrepresented customers and somebody ought to do something about it ASAP?? What “decided” there are now violations?? … “Detection yes”, “decision” no.
P.S. That definition of decision seems a bit circular. To know what a “decision” is I need to know what “decision logic” means. But since “decision logic” says “decision”, seems like I need to know what “decision” means. Hmmm.
What should happen when a business rule is broken? As discussed in this post, Business Analysts should answer three questions:
How strictly should the business rule be enforced?
What message is appropriate?
What response is needed?
Developing a friendly, secure business solution requires overt answers to these questions for at least a subset of business rules. (As explained later, defaults can be assumed for the others.) It should also be possible to easily change or evolve the answers (including defaults) after deployment of the business rules, thus permitting the business capability to become incrementally smarter.The goal is context-dependent, pinpoint reaction to breaches in real-time. Addressing breaches intelligently is key to creating friendly, agile, secure business solutions, ones that can evolve rapidly in day-to-day operation.Breach Question 1. Enforcement LevelHow strictly should a behavioral rule be enforced?Example …
Business Rule: A service representative must not be assigned to good customers in more than 3 states or provinces.
Ask: How strictly should this business rule be enforced?
Enforcement Level: Override by pre-authorized actor
Table 1 lists the most common enforcement levels for behavioral rules.
Table 1. Common Enforcement Levels for Behavioral Rules
Violations are disallowed in all cases – achieving some newstate successfully is always prevented.
override by pre-authorized actor
The behavioral rule is enforced, but an actor with proper before-the-fact authorization may override it.
override with explanation
The behavioral rule may be overridden simply by providing an explanation.
Suggested, but not enforced.
Be sure not to overlook the last enforcement level Table 1. A business rule that is actively evaluated, but not enforced, is (literally) a guideline. Guidelines are business rules too!
Breach Question 2. Guidance MessageWhat message should be returned when a breach of a business rule occurs?When a business rule is breached, somebody, often a business actor directly engaged in a business process, needs to know about it. The breach means the work being conducted has strayed outside the boundaries of what the business deems acceptable or desirable. From a business perspective an error has been made, so some error message should go out. What should that error message say?As a default, we like to say that the business rule statement is the error message. From a business point of view, that equivalence must always be true – what else are business rules about?! Rather than saying ‘error message’ (which sounds technical) or ‘violation message’ (which sounds harsh, especially for guidelines), we say guidance message.Generally, guidance messages should be as friendly and as helpful as possible. For example, guidance messages can be written in a more personal, informative style. More explanation or suggestions can be appended or substituted as desired. Perhaps a link to other media (e.g., a how-to video) can be provided. Sometimes the best guidance message takes the form of some icon or signal (e.g., a warning light turning to yellow or red). Guidance messages frequently need to be specific to the circumstances in which a breach occurs (e.g., what role or user produced it). In all cases, guidance messages should be made available only to people who are qualified and capable.Breach Question 3. Breach ResponseDoes the breach response for a business rule need to be more selective, rigorous, or comprehensive than simply a message?Example …
Business Rule: A cursory review of a received engineering design must be conducted within 5 business days of the date received.
Ask: What breach response is appropriate for this business rule?
Breach Response: The received engineering design must be brought to the attention of the manager of the department by the morning of the next business day.
Breach responses can take any of the following forms:
business rule (as illustrated above), or set of business rules
processes or procedures
sanctions or penalties
operational business decisions
special notifications, displays or instructions
Multiple breach responses might be desirable for a business rule. They might also need to be specific to the circumstances in which a breach occurs (e.g., what particular part of a process is being performed). Usually, breach responses serve to increase user-friendliness. In cases of potential fraud or malicious business behavior, however, breach responses should be much more aggressive.DefaultsNatural defaults for the three breach questions are listed in Table 2.
Table 2.Defaults for the Breach Questions
the business rule statement itself
Fundamental to business analysis with business rules is the assumption that breaches of business rules can be detected. If you can’t detect breaches, how can you run the business?! To say it differently, if you can’t detect breaches of a business rule, but you can still run the business, perhaps you don’t need the business rule at all(!).
This breach question applies only to behavioral rules. Since definitional rules must always be true, they are in essence strictly enforced.
Table 12-1 of Business Rule Concepts, 3rd Ed. (Chapter 12) discusses additional enforcement levels. It also provides tips for designing procedures with business rules.
In football, when a referee throws a flag, the results of the most recent transform (play) are undone. In effect, by enforcing a rule, the referee prevents or negates the new state (yardline and sometimes the down) and enforces some other state. That’s the way behavioral business rules work. Speed through a school zone and see if your desired state isn’t modified if some policeman happens to be watching.The relationship between behavioral rules and business processes is an indirect one, through state. Business tasks try to produce new states; behavioral rules step in to modify or prevent the new state if a violation occurs … just like the policeman parked in the school zone with a radar gun.More precisely, business tasks precipitate events that try to change state (the outputs, final or interim), and behavioral rules ‘watch’ for the particular events that produce violations. A violation produces a response, which can be another process – e.g., the referee jumping in to whistle the play dead or the policeman putting down his doughnut and chasing you.Yes, it’s important know which business tasks can violate which behavioral rules, but their relationship more complexly networked than you might think. In general, every behavioral rule expressed declaratively can be analyzed to produce two or more events (I call them flash points) where it can be violated and needs to be evaluated. I can provide endless examples. (Refer to http://www.brcommunity.com/b623.php?zoom_highlight=flash+point or to Chapter 8 of Business Rule Concepts, 3rd ed.) These events are likely to be in different business processes (or procedures or use cases) … and sometimes a given process may not have been modeled at all (or the event occurs ‘spontaneously’). The fact that each behavioral business rule can be violated at two or more flash points is a fundamental insight of the business rule approach. It’s precisely where current platforms, tools and methodologies fall short, and why consistency and compliance are so difficult to achieve. In other words, it’s an essential idea in really ‘getting’ business rules.
 In SBVR, there are two kinds of business rules; the second kind is definitional rules. As their name suggests, definitional business rules shape concepts and provide criteria for making decisions.
If you’ve never been to India or Latin America, take a look at the following short video. Is what you’re seeing the absence of rules … or something else?
In my travels in Latin America, I long ago perceived that there are two fundamental kinds of driving and traffic:
1. Obedient. In this style, drivers usually follow the official rules, or some approximation thereof. Accidents occur when road conditions are bad, drivers aren’t paying attention, or somebody thinks the rules don’t apply to them (chooses to violate the rules).
2. Positional. In this style, nobody pays much attention to the official rules. Instead, a driver is generally allowed to proceed in the direction he/she wants if the driver’s vehicle has better physical position (or is significantly larger in size) in relation to other nearby vehicles. Accidents occur when road conditions are bad, or drivers aren’t paying attention.
Why aren’t there continuous accidents in the positional style of driving? It’s not because there are no rules. There are – the rules of ‘position’. You’re not really looking at anarchy or chaos – i.e., the absence of rules. If you were, everyone you see would be running into everyone else all the time.
A good analogy is a flock of birds or school of fish. How do they all suddenly seem to turn in the same direction? The rules of position. Each bird or fish must always maintain its distance from his neighbors.
Is the positional style of driving/traffic safer than the obedient style? Theoretically, I suppose you could argue it is. All drivers know the rules of position apply to them and that the sanction for violating those rules can be immediate and injurious.
In practice, I wouldn’t bet on it. Flocking birds and schooling fish are probably equipped genetically for positional maneuvering. They’re been at it for millions of years. Humans have been driving for what – maybe a 100?!
Acks to Roger Tregear, Leonardo Consulting, Australiawho sent me a link to the video post.
“Instructors were very knowledgeable and could clearly explain concepts and convey importance of strategy and architecture.
It was a more comprehensive, holistic approach to the subject than other training. Emphasis on understanding the business prior to technology considerations was reassuring to business stakeholders.”
Bernard – Government of Canada
“Sessions flow together well and build upon the concepts for the series which makes the learning easy and better retention.
The instructor is knowledgeable and very attentive to the audience given the range of attendees skill and knowledge of the subject at hand. I enjoy her training sessions.”
Deborah – American Family Insurance
“You did a wonderful job!! The material was organized and valuable.”
Janell – Texas State University
“I found the course interesting and will be helpful.
I like the pragmatic reality you discuss, while a rule tool would be great, recognizing many people will use Word/Excel to capture them helps. We can’t jump from crazy to perfect in one leap!
Use of the polls is also great. Helps see how everyone else is doing (we are not alone), and helps us think about our current state.”
Trevor – Investors Group
“We actively use the BRS business-side techniques and train our business analysts in the approach. The techniques bring clarity between our BAs & customers, plus more robust requirements for our development teams. We’ve seen tremendous value.”
Jeanine Bradley – Railinc
“Your work has been one of the foundations of my success in our shared passion for data integration. It has had a huge impact on innumerable people!”