Business Rule Fields
1. Description
-
What it’s for: The rule statement — a clear, specific description of the constraint or policy the solution must enforce.
-
What to include:
- Write as a specific, testable constraint: state the condition and the required behaviour.
- Avoid vague language like “users should not be able to misuse the system” — instead: “A user may not approve a transaction raised by themselves.”
- One rule per record — if a statement contains multiple constraints joined by “and”, consider splitting into separate rules.
- Focus on what must be enforced, not how the solution enforces it — implementation detail belongs in design decisions, not the rule statement.
-
Examples:
"Invoices over £10,000 require approval from two Finance Managers before payment is released.""Customer personal data must not be stored or processed outside the United Kingdom.""A purchase order may not be raised and approved by the same individual."
2. Source
-
What it’s for: The authority for this rule — the document, regulation, policy, or person that is the origin of the constraint.
-
What to include:
- Reference the specific document and section where possible (e.g. “Finance Policy FP-14, Section 3”).
- If the rule was agreed verbally or in a workshop, record who agreed it and when (e.g. “Agreed with CFO in requirements workshop, 12 March 2025”).
- For regulatory rules, cite the specific regulation and article (e.g. “GDPR Article 44 — Transfers to third countries”).
- Leave blank if the source is not yet known — and consider raising an assumption or issue to track the need to establish it.
-
Examples:
"Finance Policy FP-14","GDPR Article 44","Section 3.2 of the Master Services Agreement","Confirmed by Head of Compliance in workshop 7 Feb 2025"
Relationships
| Relationship | What to link |
|---|---|
| Has Acceptance Criteria | Business-level acceptance criteria that define how the business will verify this rule is being enforced correctly |
| Has Implementation Acceptance Criteria | Technical acceptance criteria that define how the delivery team will verify this rule has been implemented correctly |
| Uses Business Information | Business Information items that this rule applies to or governs (e.g. a data residency rule linked to the relevant customer data information item) |
| Has Business Requirement | Business Requirements that are derived from or driven by this rule — the capabilities the solution needs in order to comply |
| Supports Design Decision | Design Decisions that are constrained or influenced by this rule; records the traceability between a rule and the design choices it shapes |
| Has Risk | Risks associated with this rule — risk of non-compliance, ambiguity in interpretation, delivery risk |
| Has Assumption | Assumptions made in interpreting or applying this rule (e.g. assumed scope, assumed authority of source) |
| Has Issue | Known problems with the definition, interpretation, or delivery of this rule |
| Has FAQ | Frequently asked questions about this rule and its application |
| Has Task | Tasks assigned to this rule — clarification, stakeholder sign-off, verification activities |
| Implements Business Reference | The policy, standard, regulation, or reference document that this rule is derived from or must comply with |
Last updated on