Teams developing software in regulated environments face a critical challenge: defining comprehensive, high-quality software requirements for regulatory compliance.
Faulty compliance requirements not only put a project at risk, they can put the organization itself in a dangerous position legally and financially. Today’s CEOs recognize this: a recent survey of 400 U.S. CEOs across industries revealed that the regulatory environment tops the list of issues that can have the most impact on a company. As a result, 34% of those CEOs are spending more time with and/or thinking about government officials and regulators.
Regulatory issues are becoming increasingly important to organizational leaders, product owners, and business analysts because they have to get compliance requirements right. They need to be able to analyze the full impact of regulatory change and define compliance requirements in a way that developers and testers can interpret accurately. Additionally, with business accelerating its pace, they must do it as quickly and efficiently as possible, which is easier said than done.
Getting software requirements right in any environment is tough. In a regulated environment, however, product owners and business analysts face unique challenges, complicating the capture of those all-important compliance requirements. Below are eight best practices for companies supporting regulatory compliance.
1. Identify Regulatory Stakeholders and Engage Them Effectively
Use the three pillars of GRC – governance, risk management, and compliance – to identify relevant stakeholders. Who is involved in GRC in your organization? These are the stakeholders who will be the busiest, and thus the most difficult to schedule meetings with, so it’s important to identify them early and plan up-front for the most efficient ways to engage them. Get on calendars early, do your research, and develop laser-focused interview questions, ideally selected from a pre-defined repository of compliance-related questions. A business analyst doesn’t need to know everything about compliance, but it’s important to know the right people to talk to in order to capture a complete, accurate set of compliance requirements.
2. Get to Know Your Organization’s Regulatory Environment
Understanding the concepts of GRC and the relationships between those concepts gives product owners and business analysts a framework to help identify the right stakeholders and understand relevant business processes. Read up on these capabilities and identify the groups within your organization responsible. You need to research regulations that impact your industry and your region. Talk to the experts and ask questions. Understanding the business of managing compliance in your organization provides clarity for better analysis.
3. Mine Existing Documentation for Foundational Understanding
Obviously, one of the best ways to understand regulatory requirements is to read and understand the most recent relevant regulations and guidelines. Stay up-to-date on regulatory change by subscribing to relevant government and industry websites. Don’t overlook requirements from prior projects as a source of information; review and consolidate them to begin developing a reference library.
4. Model Business Processes to Improve Understanding
The software development industry has seen a significant increase in the use of visual models, because they help project teams and stakeholders have deeper conversations leading to better requirements. Business process models in particular help teams understand the impact of regulatory change. Develop business process models for the key processes in your environment as well as the processes related to governance, risk management, and compliance to improve the quality of your compliance requirements and your ability to analyze them robustly.
5. Build a Repository of Common Compliance Requirements
Compliance requirements frequently affect multiple projects and systems, so they’re prime candidates for reuse. This includes requirements related to concepts like access security, data confidentiality, data availability, authentication, logging, and auditability, to name a few. Centralizing compliance requirements and the visual models associated with them will provide support for multiple teams as they define user stories and functional requirements. Other artifacts – like risk definitions and stakeholder lists – can be centralized as well. Think about both external regulatory requirements and those needed to support internal governance needs. By developing a shared repository of these critical non-functional requirements, an organization can define them in one place and teams can reference them as needed, eliminating unnecessary work and improving requirements quality.
6. Document Traceability between Regulations and Requirements
Establishing traceability between compliance requirements and related artifacts like business value, process steps, risks, stakeholders, other requirements, and the original regulation itself provides teams with a powerful analysis tool. It helps them define stronger requirements and assess the impact of regulatory change. It also provides them with a compliance plan to illustrate to auditors how the team is working to develop compliance. Robust analysis is the best way to enable compliance; traceability is an important technique to support that analysis.
7. Don’t Short-Change Analysis
The regulatory environment is complex and changing, so product owners and business analysts need to spend time analyzing the impact of regulatory change. Particularly in agile environments where up-front analysis is shunned, teams need to understand that there will need to be some pre-work to understand compliance and governance processes before they start executing on sprints. Don’t get stuck in “analysis paralysis,” but do allow enough time to analyze the environment, regulatory information, business processes, and other visual models to gain a strong understanding of compliance requirements.
8. Have Tooling that Supports Requirements Analysis & Management
You can improve your ability to control complex compliance requirements by developing people and process, but purpose-built requirements management tooling provides the higher level of support needed in the complex world of regulatory compliance. Select tooling that supports the creation of new object types and visual models, complex traceability between artifacts, and reuse through a centralized repository. These capabilities will accelerate the elicitation of requirements and reduce duplication of effort, leading to higher quality requirements and lower risk to software success.