Breaking the Rules: Breach Questions

Ronald G. Ross, Co-Founder & Principal, Business Rule Solutions, LLC, Executive Editor, Business Rules Journal and Co-Chair, Building Business Capability (BBC)
Sourced from Building Business Solutions:  Business Analysis with Business Rules, by Ronald G. Ross with Gladys S.W. Lam, An IIBA® Sponsored Handbook, Business Rule Solutions, LLC, October 2011, 304 pp.

Fundamental to business analysis with business rules is the assumption that breaches of business rules can be detected.  If you can't detect breaches, how can you run the business?!  To say it differently, if you can't detect breaches of a business rule, but you can still run the business, perhaps you don't need the business rule at all(!).

What should happen when a breach of a business rule is detected?  Business Analysts need to answer three basic questions in that regard:

  1. How strictly should the business rule be enforced?

  2. What message is appropriate?

  3. What response is needed?

Simple defaults can be assumed for these three questions (see Table 1), but these answers will never be adequate for all business rules.  Developing a friendly, secure business solution requires more selective answers for many business rules.  It should also be possible to easily change or evolve the answers (including defaults) after deployment of the business rules, thus permitting the business capability to become incrementally smarter.

Table 1.  Defaults for the Breach Questions.

| Breach Question | |
| --- | --- |
| enforcement level | strictly enforced |
| guidance message | the business rule statement itself |
| breach response | |

Breach Question 1.  Enforcement Level

How strictly should a behavioral rule[1] be enforced?

Example …

Business Rule:  A service representative must not be assigned to good customers in more than 3 states or provinces.

Ask:  How strictly should this business rule be enforced?

Enforcement Level:  Override by pre-authorized actor

Table 2 lists the most common enforcement levels for behavioral rules.[2] 

Table 2.  Common Enforcement Levels for Behavioral Rules.

| Enforcement Level | |
| --- | --- |
| strictly enforced | Violations are disallowed in all cases — achieving some new state successfully is always prevented. |
| override by pre-authorized actor | The behavioral rule is enforced, but an actor with proper before-the-fact authorization may override it. |
| override with explanation | The behavioral rule may be overridden simply by providing an explanation. |
| | Suggested, but not enforced. |

Be sure not to overlook the last enforcement level in Table 2.  A business rule that is actively evaluated, but not enforced, is (literally) a guideline.  Guidelines are business rules too!

Breach Question 2.  Guidance Message

What message should be returned when a breach of a business rule occurs?

When a business rule is breached, somebody, often a business actor directly engaged in a business process, needs to know about it.  The breach means the work being conducted has strayed outside the boundaries of what the business deems acceptable or desirable.  From a business perspective an error has been made, so some error message should go out.  What should that error message say?

As a default, we like to say that the business rule statement is the error message.  From a business point of view, that equivalence must always be true — what else are business rules about?!  Rather than saying 'error message' (which sounds technical) or 'violation message' (which sounds harsh, especially for guidelines), we say guidance message.

Generally, guidance messages should be as friendly and as helpful as possible.  For example, guidance messages can be written in a more personal, informative style.  More explanation or suggestions can be appended or substituted as desired.  Perhaps a link to other media (e.g., a how-to video) can be provided.  Sometimes the best guidance message takes the form of some icon or signal (e.g., a warning light turning to yellow or red). 

Guidance messages frequently need to be specific to the circumstances in which a breach occurs (e.g., what role or user produced it).  In all cases, guidance messages should be made available only to people who are qualified and capable.

Breach Question 3.  Breach Response

Does the breach response for a business rule need to be more selective, rigorous, or comprehensive than simply a message?

Example …

Business Rule:  A cursory review of a received engineering design must be conducted within 5 business days from the date received.

Ask:  What breach response is appropriate for this business rule?

Breach Response:  The received engineering design must be brought to the attention of the manager of the department by the morning of the next business day.

Breach responses can take any of the following forms:

  • business rule (as illustrated above), or set of business rules

  • processes or procedures

  • sanctions or penalties

  • operational business decisions

  • special notifications, displays or instructions

Multiple breach responses might be desirable for a business rule.  They might also need to be specific to the circumstances in which a breach occurs (e.g., what particular part of a process is being performed).  Usually, breach responses serve to increase user-friendliness.  In cases of potential fraud or malicious business behavior, however, breach responses should be much more aggressive.
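
The three breach questions can be carried as data on each rule and answered in one place at evaluation time. The sketch below is an added example, not code from the article or from the BRS Methodology: the names `Rule`, `Level`, `Outcome` and `evaluate` are hypothetical, the level name "guideline" follows the article's own wording for the unenforced level, and the manager notification is a constructed breach response.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Level(Enum):
    STRICT = "strictly enforced"
    OVERRIDE_AUTHORIZED = "override by pre-authorized actor"
    OVERRIDE_EXPLAINED = "override with explanation"
    GUIDELINE = "guideline"  # suggested, but not enforced

@dataclass
class Rule:
    statement: str
    breached: Callable[[dict], bool]
    level: Level = Level.STRICT                        # Table 1 default
    guidance: Optional[str] = None                     # None -> the rule statement itself
    response: Optional[Callable[[dict], str]] = None   # optional breach response

@dataclass
class Outcome:
    allowed: bool
    message: Optional[str]
    audit: Optional[dict]

def evaluate(rule, event, actor, authorized=frozenset(), explanation=""):
    """Answer the three breach questions for one event (hypothetical helper)."""
    if not rule.breached(event):
        return Outcome(True, None, None)
    if rule.level is Level.STRICT:
        allowed = False
    elif rule.level is Level.OVERRIDE_AUTHORIZED:
        # Authorization is granted before the fact, never claimed in the request.
        allowed = actor in authorized
    elif rule.level is Level.OVERRIDE_EXPLAINED:
        allowed = bool(explanation.strip())
    else:
        allowed = True  # guideline: evaluated and reported, not enforced
    # Every breach is recorded, including overridden and unenforced ones.
    audit = {"actor": actor, "level": rule.level.value, "allowed": allowed,
             "explanation": explanation.strip() or None,
             "response": rule.response(event) if rule.response else None}
    return Outcome(allowed, rule.guidance or rule.statement, audit)

# Constructed sample: the article's service-representative rule.
TERRITORY = Rule(
    statement="A service representative must not be assigned to good "
              "customers in more than 3 states or provinces.",
    breached=lambda e: len(e["states"]) > 3,
    level=Level.OVERRIDE_AUTHORIZED,
    response=lambda e: f"notify manager about {e['rep']}")
```

Because the level, message and response are fields rather than logic, they can be changed after deployment without touching the rule's condition, and the audit record shows who overrode what and why.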


[1]  This breach question applies only to behavioral rules.  Since definitional rules must always be true, they are in essence strictly enforced.

[2]  Table 12-1 in the 2013 4th edition of Business Rule Concepts:  Getting to the Point of Knowledge discusses additional enforcement levels.  It also provides tips for designing procedures with business rules.

# # #

Standard citation for this article:

Ronald G. Ross, "Breaking the Rules: Breach Questions" Business Rules Journal, Vol. 14, No. 2, (Feb. 2013)

About our Contributor:


Ronald G. Ross is Principal and Co-Founder of Business Rule Solutions, LLC, where he actively develops and applies the BRS Methodology including RuleSpeak®, DecisionSpeak and TableSpeak.

Ron is recognized internationally as the "father of business rules." He is the author of ten professional books including the groundbreaking first book on business rules The Business Rule Book in 1994. His newest are:

Ron serves as Executive Editor of and its flagship publication, Business Rules Journal. He is a sought-after speaker at conferences world-wide. More than 50,000 people have heard him speak; many more have attended his seminars and read his books.

Ron has served as Chair of the annual International Business Rules & Decisions Forum conference since 1997, now part of the Building Business Capability (BBC) conference where he serves as Co-Chair. He was a charter member of the Business Rules Group (BRG) in the 1980s, and an editor of its Business Motivation Model (BMM) standard and the Business Rules Manifesto. He is active in OMG standards development, with core involvement in SBVR.

Ron holds a BA from Rice University and an MS in information science from Illinois Institute of Technology. Find Ron's blog on For more information about Ron visit Tweets: @Ronald_G_Ross
