It is often stated that today’s society is characterized by a high degree of turbulence and uncertainty, in which changes occur frequently and in rapid succession [ 1 ]. Global and interconnected forces such as globalization, shifting demographics, demanding consumer markets, environmental concerns and political activism are driving these changes [ 2 ]. Governments of the OECD countries have stepped in with regulations to contain some of the uncertainty and prevent corporate, political and environmental scandals. These regulations increasingly demand that organizations can prove having a clear insight into their operations and ensure compliance with applicable laws [ 3 ]. Well-known examples are the Sarbanes-Oxley Act in the U.S. and the Basel II framework.

This has led to challenges for organizations balancing their internal concerns from strategy formulation to execution and IT support with external demands on compliance from supervisory, regulatory and enforcement authorities. As both market conditions and legislation are subject to more and rapidly changing regulations, the cost of compliance rises [ 4 ]. This draws valuable time and resources away from the core business processes and pursuing new opportunities for competitive advantage. There appears to be a conflict in the demand for a stable governance framework that supports transparency and accountability, and the ability to make quick changes to this framework, possibly harming its integrity. This organizational conflict between stability and change has also been referred to as the paradox of flexibility [ 43 ]. The ability of an organization to change quickly in response to external influences will be referred to here as agility [ 5 ].

It is argued in this paper that the approaches of enterprise architecture (EA) and business rule management (BRM) offer complimentary positions concerning corporate governance1 in light of the conflicting demands of stability and agility. When deployed together in an organization, these approaches may facilitate a synthesis where stability and agility do not conflict, but rather co-exist and complement each other in attaining successful governance. This contention is supported by the goal-oriented analysis of EA and BRM [ 6 ], which identified governance and flexibility as major areas of synergy.

In related work on business rules in the context of EA, particular attention has thus far gone out to the role of rules in architecting the enterprise [ 7 ] and documenting and modeling them [ 8 ][ 9 ][ 10 ]. This includes the positioning of business rules in enterprise architecture design and development methods and frameworks [ 11 ], such as the Zachman framework [ 12 ]. With so much emphasis on the architecting and design aspects, the deployment aspect has so far been largely neglected. Deployment in this context refers to the integration and application in the organization – in other words, actually using EA and BRM in order to realize their implied benefits.

This paper specifically concerns the deployment of BRM in conjunction with an enterprise architecture, rather than the development and design of the architecture and the business system. By focusing on deployment, it aims to address the significant knowledge gap that currently exists in this field. In particular, the consequences and benefits of deploying BRM and EA for the practice of corporate governance are identified. Besides contributing to the academic body of knowledge on these young disciplines, this is relevant for organizations dealing with complex governance issues, as well as those offering services or products related to EA or BRM.

First the aspects of EA and BRM that relate to their contribution to corporate governance will be discussed separately, during the course of the next two sections. In the fourth section, the synthesis between them is introduced and explicated. Finally some general conclusions and suggestions for further research will be given. 1 The definition of corporate governance adopted in this paper is the inclusive definition given by Turnbull: “Corporate governance describes all the influences affecting the institutional processes, including those for appointing the controllers and/or regulators, involved in organizing the production and sale of goods and services.” [ 13 ].

The field of architecture is filled with different interpretations and applications of the term, which has resulted in a wide variety of definitions in the literature today. There are also a large number of frameworks, tools, descriptive languages, models and supporting methods in existence that can be applied widely to architectures at different levels of aggregation [ 14 ][ 15 ][ 16 ].

This paper considers EA to be the architecture that prescribes and describes an organization at its highest level, and at its most holistic. It is about the entire organization and all of its elements; not specific sub systems such as IT or particular business units. This is appropriate in the context of corporate governance, because here too, the organization has to be considered as an inclusive whole. For this purpose the following definition of EA is adopted from [ 3 ]: Enterprise Architecture. A coherent whole of principles, methods, and models that are used in the design and realisation of an enterprise’s organisational structure, business processes, information systems, and infrastructure.

Furthermore, EA itself is viewed on a meta-level of abstraction, which means that the properties of EA discussed in this paper are as independent as possible from specific approaches and implementations. Both guiding architectural principles that are used in architecting the enterprise, as well as more detailed models and visualizations of the architecture, are considered. This is of course done from the deployment perspective.

As systems become more and more complex, many organizations lack the required cohesion between different systems for them to be effectively maintained and controlled. This can be caused by historical mishaps such as integrating business processes by connecting originally separate systems and choosing the fastest and easiest solution to a particular need in an isolated area [ 17 ]. The result is a heterogeneous mix of systems spread throughout the organization, without a common structure, which is nearly impossible to oversee and maintain due to its complexity and size. This problem was the original driver for EA as conceived by Zachman [ 18 ], and is still recognized as an important issue today, but now includes the integration and alignment of business and IT [ 3 ]. As IT is becoming more embedded and integrated into organizations, the governance of IT from the enterprise perspective becomes increasingly important [ 19 ].

These developments have also affected the public sector and the field of egovernment, where it is argued by Bellman and Rausch that it is crucial to adopt a holistic view encompassing both IT and business [ 20 ]. The thorough insight into the structure and processes of the organization along with its IT that is provided by having EA in place makes it easier to ensure regulatory compliance and report on the internal situation to the required authorities. This allows crucial management decisions to be made more rapidly and securely. EA thus guides the translation of corporate goals into concrete actions that are in line with both regulatory demands and internal policies [ 21 ].

It has been said that EA functions as a map for the boardroom, which has the purpose of positioning decisions and overseeing their consequences in the broader context of the enterprise [ 17 ]. In other words, it serves the governance of the enterprise. There are four main ways in which EA contributes directly to corporate governance:

First, the EA facilitates comprehensive decision making by providing a holistic overview of the enterprise, which yields the insights necessary for understanding the ramifications of these decisions [ 22 ].

Second, the framework provided by EA is a solid basis for planning and setting goals and targets for various organizational units, as well as keeping track of who can be held accountable for them.

Third, EA enables the management and introduction of common standards and practices that are used and agreed upon. This may include standards regarding ways of working, policies, guidelines, IT and communication standards, and even best practices [ 23 ].

Fourth, EA supports the identification of risks throughout the enterprise, which is a boon to risk management. This overview created by an EA can be used to help identify and keep track of the responsibilities and owners with respect to various processes and risk-sensitive systems and areas.

An important area of application for enterprise architecture that borders the domain of corporate governance is the directing of organizational change. This can be seen from two perspectives; the stable situation which is only changed occasionally and in revolutionary bursts, and more evolutionary changes that take place within a defined context and framework.

EA often deals with the migration from a state before the architecture (IST) to a more desirable new state that is prescribed by the architecture (SOLL). Considering the definition of EA given earlier: it guides the design of the business system. Once the migration to the desired state is complete, the architecture is preserved for a longer period of time, typically at least a few years. This is good because it allows the stable governance structures and procedures outlined in the previous section to be realized and put into practice. Having some measure of stability is a necessity for many of EA’s contributions to corporate governance, such as a shared reference framework, agreed upon standards and insight into responsibilities and risks.

However, all enterprises invariably move through a life cycle from their initial concept in the mind of an entrepreneur through a series of stages or phases, just as their products and service offerings do [ 24 ]. The enterprise architecture by definition needs to change as the enterprise it governs moves from one stage in its life cycle to the next. Weick and Quinn refer to this kind of change as episodic change [ 25 ], but the term revolutionary change is also used e.g. by [ 26 ]. Weick and Quinn state that these episodes of change undergo a trajectory consisting of three phases: unfreeze – transition – refreeze.

A major part of managing such revolutionary organizational change is often dealing with cultural and psychological factors regarding different stakeholders, in order to overcome resistance to change. This process is referred to as unfreezing. EA aids this process by reducing the resistance to change by offering a framework in which all the enterprise’s objectives are positioned and the rationale for pursuing any of them at any particular time can be seen by everyone [ 27 ]. In the transition phase, the new or evolved EA guides the design and realization of the new enterprise from the IST to the SOLL state. The EA is then deployed in the refreeze phase, where it will remain stable until the next episode of change in the life cycle of the enterprise.

Even though EA is characterized by stability and only occasional episodes of great change, this does not mean it opposes or contradicts smaller, more evolutionary changes from happening. The stable framework of EA is also a valuable tool for facilitating changes in the organization that fall within the space prescribed by the architecture. In this manner the EA serves as a guiding framework through which the change efforts can be directed. What EA does generally not do however, is provide the means to make these changes as such.

Business rules are essentially all the rules that exist in an enterprise environment and are under the jurisdiction of the business. Organizations typically have thousands of such rules governing the business operations [ 28 ]. Various experts define business rules in a slightly different way, but all agree on their importance and that their main concern is that they should correlate directly to the business [ 29 ]. In this paper, the definition of the Business Rules Group will be adopted, because it is a widely accepted definition with a sufficiently thorough basis that is specific enough to be practically useful [ 30 ].

Business Rule. A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.

There are many different types of business rules according to various identification schemes and classifications; an overview can be found in [ 10 ]. They exist on two different levels: the business level and the information system level. In this view, business rules at the information system level are specified in a way understandable by machines, so that their processing can be automated. This does not mean that rules are essentially different on each level, but merely that they are represented in a different way. Some business rules are only present on the business level, but do not need to be implemented in a solution at the information systems level, and are for example enforced through human efforts. Business rules always exist on the business level however, since the focus of BRM is on business and not technology.

BRM is in fact a mechanism for governing and controlling aspects of an organization, using business rules. A good working definition of BRM is given by von Halle [ 31 ].

Business Rule Management. A formal way of managing and automating an organization’s business rules so that the business behaves and evolves as its leaders intend.

A thorough and comprehensive methodology for BRM can be found in [ 32 ]. It stresses the importance of modeling and deploying business rules in relation to enterprise models and business goals as well as information systems design. BRM is typically aided by sophisticated tools that manage large repositories of rules and provide support for the elicitation and authoring of the rules themselves, known as business rule management systems or suites (BRMS). Where formal execution and enforcement of the rules are automated at the level of the information systems, a business rule engine (BRE) is deployed. Such an engine makes use of reasoning algorithm technology to compute the applicable rules in a given situation and whether they are being complied with [ 33 ].

Business rules tend to focus on what needs to be done, leaving the how open to specific situations, implementation choices and the personal freedom of those following the rules [ 34 ]. Business rules therefore set boundaries for acceptable and desired behavior, allowing some room for creativity while maintaining a sense of fairness and consistency of output. This is a property of the way business rules are deployed, that distinguishes them from other rule-bound ways to regulate behavior such as strict formalization and fully specified instructions.

Perhaps the most important contribution of BRM to the organization is that the business rules can be changed relatively quickly. This allows the organization to respond more quickly to new risks and threats, increasing the capacity for agility. This added agility makes business rules suitable for guiding and controlling parts of an organization that are highly susceptible to change, both from within and from the environment. This is relevant in the primary processes of the organization, which implement the strategy set out by the organization in order to meet its business goals, but also in supporting and controlling processes which ensure compliance and are naturally rich in rules.

This has profound potential for corporate governance. Even though an organization may be too complex to capture everything in rules, the aim is to capture the right aspects that are crucial for efficient and responsive control. When the compliance demands from external regulatory influences change, this translates into changing business rules for the affected organization. BRM supports these rapid changes of the rules as well as their deployment and enforcement. If the currently applicable rules are immediately known at all times, this response time is further shortened [ 35 ].

BRM also provides insight into the rules that govern the enterprise. This goes for any given situation at which it needs to be clear which rules apply and should be satisfied. Deploying BRM forces organizations to make their policies and rules explicit. This enables them to always be available to the right persons; the ones who need to comply with them. Edwards states that business rules are “core to establishing and maintaining a compliance competent organization” [ 36 ]. Dissemination of knowledge of the applicable rules is therefore an important contribution made by BRM to compliance.

Also important is knowledge regarding the consequences of any violation of the rules and the likelihood of this happening. This touches upon the area of risk management. By having access to the rules, insight is gained into the risks, making it possible to assess them with greater accuracy. Business rule technology also offers possibilities for simulating different scenarios based on simulated changes in the rules. This helps to identify potential compliance risks in future situations, for example when new laws are about to go into effect.

In contrast to EA, BRM is all about providing the means to make rapid changes to the way the business is run. Because the business rules are separated from the processes, activities and information systems of the organization, they can be more easily managed and changed [ 37 ]. This allows the organization to respond to changes in the environment. The detection of such changes is often considered to be in the domain of environmental scanning and business intelligence [ 38 ]. In the context of corporate governance, BRM clearly allows for more sense-and-respond agility towards the marketplace and regulatory bodies demanding compliance.

The changes that BRM facilitates are often short term, isolated in specific areas and not deeply rooted in the organization’s culture and values. These characteristics on the dimensions of time, complexity and culture are typical of what Weick and Quinn refer to as continuous change [ 25 ]. This kind of organizational change is also known as incremental or evolutionary change [ 26 ]. Such changes are cyclic and without a clear end state, as opposed to episodic change which is linear (from IST to SOLL) and between stable states. This is where the agility offered by BRM is evident, the rules can always be changed to reflect the current demands and the set of rules is never constrained by a long term end state. Weick and Quinn state that continuous change consists of an enduring cycle of the three phases freeze – rebalance – unfreeze.

A change intervention made by BRM is a good example of what happens in the freeze phase. The rules and patterns governing the current state are made visible and tangible so that they can be changed. BRM yields insights into the rules that are relevant in the light of new circumstances, and which need to be altered. It also gives the organization the means to rebalance the situation. In this phase, the situation is reevaluated and the rules changed in such a way that the organization is compliant in the new state. Finally, there is the phase of unfreezing, in which the rules are once again interpreted and applied by individuals. It is crucial that this leaves these individuals the appropriate degrees of freedom to improvise and learn, which is possible because the rules specify the what and not the how.

While BRM typically supports continuous, evolutionary change, this does not imply that it prevents revolutionary change from happening. BRM has been suggested as a powerful tool in business restructuring and re-engineering efforts [ 39 ], which are revolutionary in nature. However, the core of the agility in governance offered by BRM is due to the fact that it enables continuous change that benefits the compliance of the organization. What BRM may lack due to its malleable nature is a consistent and stable framework providing overview, in order to keep track of changes and support more complex revolutionary changes when they become necessary.

The complimentary position of BRM and EA is made clear by the comparative goal analysis of their normative organizational goals [ 6 ]. This analysis has identified 35 unique goals of both BRM and EA, for a total of 70 goals. These goals have been structured and modeled in the form of hierarchical goal trees, which revealed areas of similarity as well as differences. The leaf goals of the different goal trees were then analyzed for their compatibility, which resulted in the network of goal relationships shown in fig. 1. Some clusters representing common or mutually compatible goals can clearly be seen. Main goals that emerged from the goal analysis have been included in the text of this paper as relevant. For details on the goal analysis, see [ 6 ].

One of the areas where the goals of EA and BRM complement each other is that of corporate governance [ 6 ]. The different ways in which these two approaches support governance and compliance have been outlined in the previous two sections of this paper. These complimentary contributions may offer benefits regarding the flexibility, reliability and effectiveness of corporate governance. There are also some differences however that need to be reconciled in order to realize the potential benefits of the joint deployment of EA and BRM.

These differences concern the approach to change and stability. EA puts the most emphasis on preserving a stable state and using it to direct the business, only occasionally engaging in episodes of revolutionary change. BRM on the other hand is focused on enabling rapid changes to fine-tune the business and respond to environmental influences, in a way that is continuous and evolutionary. It is the assertion of this paper that both of these approaches, in the form of stability and agility, contribute to successful governance.

In order to benefit the most from the joint deployment of BRM and EA, a synthesis must be reached which incorporates both a stable governance framework and sufficient agility to cope with rapidly changing demands. In such a synthesis, BRM makes the EA more flexible, while EA provides the missing governance overview to the BRM. Here it is useful to make a distinction between higher order governing of business design and strategy execution, which is likely to be more constant, and the day-to-day operations of the business, which may have a higher degree of liquidity.

A possible weakness of EA is that because it focuses on a high level of abstraction, it becomes too hierarchically structured, prescriptive and one-size-fits-all. When only major episodes of change are facilitated, it becomes constraining in terms of innovation and struggles to adapt to a turbulent environment. The combination with BRM gives an organization the means to make continuous changes. These changes should take place within the overall boundaries of the EA and are concentrated in the business operations that need to adapt to changing demands regarding for example compliance.

The swift and easy changes in the rules increase the adaptability of individual processes and services, but they should be managed at a higher level, where the necessary overview of the enterprise as a whole exists. This is where EA provides the insight and overview necessary to guide the lower level agility in the right overall direction. This concept of operational agility built upon a solid base of business values and insight for higher level guidance is particularly suitable for surviving and competing in turbulent environments [ 41 ].

Particularly with compliance in mind it is crucial to not only have an overview of the risks and responsibility structure within the organization, but also to have certain elements of this structure firmly in place. The demands from regulatory organizations are such that they require an orderly framework for clear-cut procedures to deal with legislation and governmental standards. Such a framework should be somewhat stable in order to accommodate the meeting of all compliance requirements. This is typically done at the EA level, affecting all units of the organization. The Business Motivation Model [ 42 ] provides a model for positioning business rules in an organizational context, but lacks the prescriptive power needed to guide organizational change. When the governance framework is no longer viable, it needs to be reconstructed by means of an episodic change process guided by architecture.

What BRM advocates is an agile approach in which rules can be easily changed in order to meet changing requirements for compliance, often eliminating the need for revolutionary change. This becomes necessary when changes occur so quickly that the sluggish overall framework of governance is not able to keep up, and going through episodes of major upheaval for every change would be too costly. The redesign process is therefore sometimes better carried out in an evolutionary way [ 44 ]. While changes are frequent, they usually do not occur across the entire range of regulations at the same time, but tend to focus in specific areas. Therefore, both a stable overall framework and the ability to quickly change specific compliance measures are needed.

This is where BRM can enrich the EA framework for governance and compliance, by separating the rules and making them easily accessible and changeable within the boundaries laid out by the architecture. This reduces the complexity and waiting times involved in making changes required in response to specific external regulations, while also maintaining an enterprise wide overview and governance framework. If only BRM were to be used, this overview could be lost because critical parts of the business are expressed in a multitude of atomic rules.

These findings are in line with an emerging body of literature that argues that organizations combine evolutionary and radical change harmoniously [ 44 ]. Tushman and O’Reilly refer to organizations that control both revolutionary and evolutionary change as being ambidextrous [ 26 ]. This is the key to the synthesis between stability and agility in corporate governance, which can be achieved by deploying both EA and BRM.