When laying out data policies and data standards within a data governance program one the most important input is the business rules that exist within your organization.
I have often found that it is useful to divide business rules into two different types:
- External business rules, which are rules based on laws, regulations within industries and other rules imposed from outside your organization.
- Internal business rules, which are rules made up within your organization in order to make you do business more competitive than colleagues in your industry do.
External imposed business rules are most often different from country to country (or group of countries like the EU). Internal business rules may be that too but tend to be rules that apply worldwide within an organization.
The scope of external business rules tend to be fairly fixed and so does the deadline for implementing the derived data policy and standard. With internal business rules you may minimize and maximize the scope and be flexible about the timetable for bringing them into force and formalizing the data governance around the rules. It is often a matter of prioritizing against other short term business objectives.
The distinctions between these two kinds of business rules may not be so important in the first implementation of a data governance program but comes very much into play in the ongoing management of data policies and data standards.
I can understand why you talk about internal and external and external business rules. However, the fact is that there are only internal business rules.
There are always external drivers (be they legislative of commercial) that will influence these rules but it is the expert interpretation of these drivers that finally shapes and defines the rules, rather than the drivers themselves.
One major error that enterprises often make is failing to realise that business rules can only be implemented by making them an integral part of a valid enterprise business function (a core activity); they cannot simply be defined and left hanging in a vacuum. It is only through the execution of this function that the rules can act on data.
Thanks Henrik – thought provoking as ever.
John makes a similar and complementary point to the one that I was going to make – that the issue of interpretation is crucial. Data rules do not exist in and of themselves, regardless of whether they are internally generated or externally imposed through legislation.
In most scenarios, any defined rule will be subject to semantic subtlety, received opinion, choice, and even ulterior motive. It then becomes a case of how you respond to that stimulus, refine the interpretation and take action as a consequence.
Let’s face it, this is the stock in trade from which lawyers make their living! (As do we…)
As always, I continuously pick up great insight. I have been wondering how other organizations ‘absorb’ the external changes that lead to the external business rule classification. Right now I feel like the Very Large Array, but I am not sure what signals I should be looking for. Is there such a thing as GRC universal change control?
Thanks John, Alan and Steph for commenting. Interesting perspectives and questions indeed.
Well said. I agree. Too many times there is too much focus on just external rules imho