Rules in Risk Analysis and Remediation are logical constructions composed of a circumstance or condition and the appropriate response to that condition.
This construction is commonly represented as an If-Then pair.
If an employee in my company has permission both to create a vendor and to authorize payment to a vendor, Then the employee has been granted conflicting roles that pose a high risk.
The previous example is a Segregation of Duties (SoD) risk. You must define the risk. Risk Analysis and Remediation generates the rules to identify it.
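The sketch below is an added example, not code from Risk Analysis and Remediation: it expands one defined SoD risk into If-Then rules and evaluates them against user permissions. The risk identifier, the function and action names, the users, and the model in which a risk lists conflicting functions that each contain one or more actions are all assumptions made for illustration.

```python
from itertools import product

# Constructed risk definition (assumed model): the risk names the conflicting
# functions, and holding any one action of a function counts as holding it.
RISK = {
    "id": "RISK-EXAMPLE-1",          # placeholder identifier
    "level": "high",
    "functions": {
        "vendor_maintenance": {"create_vendor", "change_vendor"},
        "vendor_payment": {"authorize_payment"},
    },
}

def generate_rules(risk):
    """Expand one risk into If-Then rules: one rule per combination that
    takes a single action from each conflicting function."""
    names = sorted(risk["functions"])
    combos = product(*(sorted(risk["functions"][n]) for n in names))
    return [{"if_all": frozenset(c), "then": (risk["id"], risk["level"])}
            for c in combos]

def analyze(rules, assignments):
    """Return {user: [rules whose If-condition the user's permissions meet]}."""
    findings = {}
    for user, perms in assignments.items():
        hits = [r for r in rules if r["if_all"] <= perms]
        if hits:
            findings[user] = hits
    return findings

# Constructed user-to-permission assignments.
ASSIGNMENTS = {
    "alice": {"create_vendor", "authorize_payment"},
    "bob": {"create_vendor", "change_vendor"},
    "carol": {"authorize_payment", "display_vendor"},
    "dave": {"create_vendor", "change_vendor", "authorize_payment"},
}

RULES = generate_rules(RISK)
FINDINGS = analyze(RULES, ASSIGNMENTS)

if __name__ == "__main__":
    for user, hits in sorted(FINDINGS.items()):
        for rule in hits:
            print(user, sorted(rule["if_all"]), "->", *rule["then"])
```

Users who hold permissions on only one side of the conflict (bob, carol) produce no finding; a user who matches more than one generated rule (dave) is reported once per rule.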