• United States



by Judith Hurwitz

Turning Strategy into Software

Aug 08, 20035 mins
CSO and CISOData and Information Security

When CIO Tricia Trebino took over at Tufts Health Plan, a $2 billion health care system, she noticed a serious problem. Business policies and rules were implemented in various places in line-of-business systems.

However, these rules were typically not enforced at an operational level. There was simply no connection between rules placed within software and the way operational personnel implemented policy decisions. For example, although a rule was hard coded into a system indicating the lifetime maximum for a medical procedure, personnel who were charged with enforcing that rule handled client inquiries and requests for service manually. To make matters worse, no one in the organization had detected that policies approved by management werent being enforced. In addition, when a policy change was made, there was a disconnect. One individual in one department might call and request that IT make a change in a rule in a system of record; two days later someone from another department would call and demand that the change be reversed.

Trebino immediately understood the impact of this disconnect between business rules and business policy and acted quickly to remedy the situation by first analyzing the connections between business policies, the process flows within the organizations, and the connections between the business and IT. She established a business implementation group to coordinate changes between business policy and systems based business rules. This insured that there was central coordination between IT and the business policy.

At this time when Trebino started at Tufts it had about 300,000 members compared to more than 900,000 members today. It would have been extremely difficult for this health care system to scale without a new approach to linking strategy and business policy with a systems based approach to rules.

The Tufts Healthcare experience is not unique. Many organizations do not have a plan in place that links the rules buried in their systems with business policy. There is typically a wide disparity between business planning and IT planning. However, it is becoming increasingly clear that in a dynamic response world, business policy and strategy must be translated into the information infrastructure.

If organizations are going to be able to respond in real-time to opportunities or threats, they need to be able to implement business policies in systems so that critical policies that need to be rigorously enforced can be enforced without intervention. For example, there may be rules or business policies that dictate special pricing for significant purchases from preferred customers. It is much more efficient to implement these rules in software than to spend endless hours instructing personnel on all of the permutations of pricing strategy and changes.

So, where are we today with synchronizing business policy and rules with a dynamic response infrastructure? The good news is that there is significant technology available on the market focused creating an abstracted environment for managing rules and linking them to the right business systems. The bad news is that many organizations have older systems where rules are hard coded into SQL statements in databases or coded directly into business applications. Therefore, it is often difficult to discover not only what business policies are hard coded into systems but where those rules are. Even when organizations have successfully created an environment where system-based rules are directly linked to business policy there can be problems. If there is not a rigorous process of insuring that business rules are implemented in a timely manner, there could be serious business consequences. For example, if the price of a product is increased and that change is not made to the system of record, expected revenue may never reach the bottom line.

Therefore, what should CIOs do to ensure that their organizations are prepared to link business rules to business policy? I recommend the following steps:

  1. Conduct an audit of your systems to determine what rules are implemented in which systems. Determine if there are contradictory rules and how easy it will be to change rules already implemented.
  2. Begin the process of decoupling business rules from the systems they are linked to. Rules should be consolidated and abstracted from underlying applications so they can be reviewed, analyzed and updated dynamically.
  3. Ensure that human factors are considered. Who controls the updating of business policy in systems? How do you know if critical updates happen in a timely manner? Are the individuals on the front lines who deal with customers and partners well trained in the use of systems that enforce business policy? Typically, the best designed systems can be crippled by lack of communications and training.

While there is a considerable investment of time and money in ensuring that rules and policy are linked, the rewards will be great. Organizations who have made the investment have found that there is significant value both in terms of revenue and ability to respond to changing business conditions. Keep in mind that if a company added a $1 charge to 1 million items it sold over a year, the revenue change would be $1 million. If that rule was not implemented in a billing system, that revenue would never make it to the bottom line. This one small example demonstrates the potential power of business rules well implemented.