Vendors promise to put business staff in charge of rules, but do you really want users messing with mission-critical apps? Here's how four firms are balancing responsibilities for rules.

The concepts underlying business rules aren't new. If-then-else logic has been at the heart of computer processing since the first program was written, and the expert systems and artificial intelligence of the late 1990s are progenitors of today's business rules management systems (BRMSs). Despite the evolutionary connection, today's rules technology is remarkably different from yesterday's systems. Nowhere is that difference more marked than in the ability of business staff to control rules that can potentially affect processes, workflows and even mission-critical systems.

"In the old days of artificial intelligence, the idea that regular business folks could maintain or write rules was just ridiculous. You needed to be a very skilled programmer," explains vice president at Forrester Research John Rymer. "Today you see tools for business users that let them maintain rules and in some cases even build rules. You also see good business rules [change] management features and improved integration between rules engines and the major development platforms."

Do you want business users controlling business rules — tweaking and possibly breaking mission-critical applications and system interactions? Companies are coming to grips with the realities of hands-on rules management, and some firms are keeping IT in charge. In other cases, business users can easily make rules changes in the effort to gain a competitive edge. Here's how a mortgage lender, a database publisher, an investment management firm and a statewide health insurer are balancing rules control between business and IT.

Change Rules Without Coding

Freddie Mac and LexisNexis are on the leading edge of the business-control trend, according to Rymer. In 2001, Freddie Mac, which purchases mortgages from primary mortgage lenders, began a multiyear replacement of legacy B2B systems it used to connect to lenders. Freddie Mac developed a new Web-based system using J2EE and ILog's JRules BRMS.

The objective was not only to make it easier for customers to do business with Freddie Mac by eliminating multiple systems and interfaces, but also shorten the time it took to purchase mortgages and develop new programs. "Our goal was 'any loan, any customer in a day,'" explains Freddie Mac's enterprise rules steward Brian Stucky.

Freddie Mac's IT staff coded a "seed" set of about 5,000 rules to start, but then turned responsibility over to the business analysts on its rules maintenance team. Freddie Mac has been "moving more and more heavily toward business control, so people who know the business logic can make the rules changes," Stucky says.

Freddie Mac operated its legacy systems and the new rules-based system in parallel during the incremental rollout, so it could compare the launch of a new set of 30-year mortgage programs and about 200 subsequent business rules changes. Business analysts made the changes on the new systems while IT performed conventional coding on the legacy side. Not only were the changes made three times faster in the rules-based environment, but it also required only 20% of the labor, according to Stucky. "Rather than doing four major [new programs] per year, it's now possible to do one a month with far fewer people," he adds.

Business staff drove the decision to deploy a user-friendly rules system at information services provider LexisNexis. "The fulfillment organization came to [IT] saying, 'It's our responsibility, we'd like to manage it,'" says senior software engineer Chuck Carter. "We needed a tool that business analysts could use to write the same rules that we had previously [coded]."

In 2004 the company added Corticon's BRMS to its legacy customer order management system to automate formerly manual processes such as subscription validation, order routing and fulfillment. By moving to rules-based decision-making and automating routing between legacy account management, user management and entitlement applications, LexisNexis shortened three- to seven-day fulfillment processes down to as little as 30 minutes, says Carter.

Balance Responsibilities

As rules management systems have become more intuitive — with friendly GUIs, features presented in familiar spreadsheet formats and natural-language rules logic — companies have begun to question how much to let business users control rules that affect the way processes work and systems interact. "By giving business analysts the ability to change rules on the fly, they effectively own an API ... and can break the automation," says Carter.

A good BRMS should come with change management controls (the expected development, test, staging and production task sequence) as well as role-based access to the rules repository, rules version control, checks against rules redundancy or conflicts, and reporting capabilities. Rymer says Fair Isaac, Pegasystems and ILog currently offer the strongest control capabilities among BRMS vendors.

"One of the first things we did [with the ILog JRules system] was to add security pieces to control system access. We then assigned capabilities and roles," says Stucky.

The business rules life cycle — from staging, testing and approval to system test, final approval and production — must also be enforced. You must have control steps so one person can't come in, hit a button and send it off to production, says Stucky. Even with technology controls in place, putting business users in charge of rules demands a new way of thinking. "[Sometimes] the business staff freaks out — they don't think they have the skills to meet their responsibilities," Rymer says. "If we want users to maintain business rules ... learning, organizational adjustment and skills development must take place."

LexisNexis required business staff to undergo training to understand application development principles before authorizing them to make rules changes. Staff also consult with the IT development team as needed. Business users at LexisNexis currently create, modify and manage about 80% of rules, with IT responsible for the rest. This kind of balance is common, says Gartner research director Michael James Melenovsky. "Not all rules are created equally," he explains. "The IT department is still typically involved in rules management, sorting through which rules have the greatest ramifications on systems and processes and modeling those that need different approval processes."

If IT has been responsible for rules in the past, how do you move to shared responsibility? "Organizations that go down this path revisit governance and in some cases even create formal agreements to outline who's responsible for what, and how IT is going to support end users," says Forrester's Rymer.

Organizational challenges have led some companies to keep business rules control within IT regardless of the BRMS's capabilities. STW Fixed Income Management, for instance, began using Corticon's rules system in 2001 to ensure compliance with client-specific guidelines regarding investment types and other criteria. The company later expanded the rules system to calculation-intensive processes, including after-tax performance and derivatives-specific accounting. It's currently working on revamping its billing system to include the engine.

While account managers can change client-specific rule parameters in the compliance system, STW lets IT handle rule creation and maintenance in every application. "It's not the kind of thing [business staff] wants to get into," says STW principal and head of investment technology Tony Plasil. Plasil adds that the small firm doesn't have a problem throwing change requests over the wall to IT.

Beyond 'Finger Pointing'

You can find BRMS deployments in many industries, but the biggest upswing has been in financial services, with a particular emphasis on the insurance industry. "We're starting to see some interesting things in insurance," says Gartner's Melenovsky, pointing to "everything from making decisions regarding how a particular claim gets processed, to determining who's eligible [for coverage] and who's not, to [policy] rating."

At Blue Cross Blue Shield of Arizona (BCBSAZ), rules deployment has focused on the insurer's individual and group health underwriting eligibility and plan-rating processes. The insurer wanted to use rules to extract rating logic embedded in a legacy rating engine and automate manual underwriting steps, thereby reducing the time it took to quote plans from days to hours. BCBSAZ also wanted to create a Web-based rating platform for brokers and internal staff to eliminate quote discrepancies caused by out-of-date rate tables.

The legacy rating application demanded "a lot of IT interaction, with rate changes at various times of the year," says BCBSAZ director of e-business technologies Chris Matthieu. The company rebuilt the rating engine using Resolution EBS's Interactive Rules platform (Resolution iR), deploying it for individual plans in early 2004 and group plans in June 2005. Resolution iR is Java-based, but the vendor built a services layer that enables the insurer's .Net-based plan application front end to call rules and receive responses.

Once the vendor developed the first cut of rules, BCBSAZ quickly moved maintenance responsibility to subject-matter experts in the underwriting and actuarial departments. "We're in a highly competitive marketplace, and business users know best what changes are required to be competitive," says Matthieu. "It enhances our speed to market ... and allows IT to focus on pure non-rules-related development."

Shifting rules management to the underwriting staff stops fingerpointing, according to BCBSAZ director of group underwriting Louis Montoya. Although the company hasn't calculated the ROI, Montoya says that in the first three months of deployment in the group division, productivity went up 20%.

Decouple the Rules

Interest in business rules systems will continue to grow, fueled not only by the appeal of becoming more agile and flexible, but also by the opportunity to support concurrent technology initiatives. For instance, companies beginning process automation projects can use dedicated business rules systems to add more robust automated decisioning features than those built into rules capabilities provided in BPM systems. Service-oriented architecture (SOA) initiatives also encourage companies to decouple rules logic from applications.

At one time I was skeptical that sticking the word 'business' in front of 'rules' represented a substantial change," Rymer says, "[but] the term 'business rules' is for real."

Michael P. Voelker is principal of Equinox Communications Inc. Write to him at mvoelker@goequinox.com.