Compliance is critical, but it is often difficult. A survey by KMPG of 400 U.S. CEOs found that respondents were most worried about the regulatory environment in terms of company impact. Software developers operating in regulated environments have a particularly challenging job: they must define comprehensive, high-quality software requirements to ensure compliance. Failing in this area can jeopardize the project as well as the organization itself, both legally and financially.
For companies in regulated industries to succeed, software development teams must develop an understanding of their complex regulatory environments, the skills needed to interpret rapidly changing regulations and the ability to develop clear, complete compliance requirements. Below is a list of eight best practices to reach those goals.
1. Identify Regulatory Stakeholders and Engage Them Effectively
Use the three pillars of GRC to identify relevant stakeholders. Who is involved in governance, risk management and compliance in your organization? These are the stakeholders who will be the busiest – and thus the most difficult to set up meetings with, so it’s important to identify them early and plan up front for the most efficient ways to engage them. Get on calendars early, do your research and develop laser-focused interview questions – ideally selected from a predefined repository of compliance-related questions. A business analyst doesn’t need to know everything about compliance, but it’s important that he knows the right people to talk to in order to capture a complete, accurate set of compliance requirements.
2. Get to Know Your Organization’s Regulatory Environment
Understanding the concepts of GRC and the relationships between those concepts gives product owners and business analysts a framework to help identify the right stakeholders and understand relevant business processes. Read up on these capabilities and identify the groups within your organization responsible for them. Research regulations that impact your industry and your region. Talk to the experts and ask questions. Understanding the business of managing compliance in your organization provides clarity for better analysis.
3. Mine Existing Documentation for Foundational Understanding
Obviously, one of the best ways to understand regulatory requirements is to read and understand the most recent relevant regulations and guidelines. Stay up to date on regulatory change by subscribing to relevant government and industry websites. And don’t overlook requirements from prior projects as a source of information. Review and consolidate them to begin developing a reference library.
4. Model Business Processes to Improve Understanding
The software development industry has seen a significant increase in the use of visual models because it helps project teams and stakeholders have deeper conversations, leading to better requirements. Business process models in particular improve understanding and help teams understand the impact of regulatory change. Develop business process models for the key processes in your environment, as well as the processes related to governance, risk management and compliance to improve the quality of your compliance requirements and your ability to analyze them robustly.
5. Build a Repository of Common Compliance Requirements
Because compliance requirements frequently affect multiple projects and systems, they are prime candidates for reuse. This includes requirements related to concepts like access security, data confidentiality, data availability, authentication, logging and auditability, to name a few. Centralizing compliance requirements and the visual models associated with them will provide support for multiple teams as they define user stories and functional requirements. Other artifacts—like risk definitions and stakeholder lists—can be centralized as well. Think about both external regulatory requirements and those needed to support internal governance needs. By developing a shared repository of these critical nonfunctional requirements, an organization can define them in one place and teams can reference them as needed, eliminating unnecessary work and improving requirements quality.
6. Document Traceability from Regulations to Requirements
Establishing traceability between compliance requirements and related artifacts like business value, process steps, risks, stakeholders, other requirements and the original regulation itself provides teams with a powerful analysis tool. It helps them define stronger requirements and assess the impact of regulatory change. It also provides them with a compliance plan to illustrate to auditors how the team is working to develop compliance. Robust analysis is the best way to enable compliance; traceability is an important technique to support that analysis.
7. Don’t Shortchange Analysis
The regulatory environment is complex and changing, so product owners and business analysts need to spend time analyzing to understand the impact of regulatory change. Particularly in Agile environments—where upfront analysis is shunned—teams need to understand that there will need to be some pre-work done in order to understand compliance and governance processes before they start executing on sprints. Don’t get stuck in “analysis paralysis,” but do allow enough time to analyze the environment, regulatory information, business processes and other visual models to gain a strong understanding of compliance requirements.
8. Invest In a Tool to Support Analysis and Manage Requirements
You can improve your ability to control complex compliance requirements by developing people and process, but a purpose-built requirements management tool provides the higher level of support needed in the complex world of regulatory compliance. Select a tool that supports the creation of new object types and visual models, complex traceability between artifacts and reuse through a centralized repository. These capabilities will accelerate the elicitation of requirements and reduce duplication of efforts, leading to higher-quality requirements and lower risk to software success.
Because regulatory issues have become increasingly important to organizational leaders, product owners and business analysts have to get compliance requirements right. They need to be able to analyze the full impact of regulatory change and define compliance requirements in a way that developers and testers interpret them accurately. And with business accelerating its pace, they must do it as quickly and efficiently as possible. Following industry best practices will help organizations ensure that they have a thorough process to create fully compliant products.