Seven Best Practices to Support Regulatory Compliance
Teams developing software in regulated environments face the significant challenge of defining comprehensive, high-quality software requirements for regulatory compliance. Faulty compliance requirements not only put a project at risk, but they can put the organization itself at legal and financial risk. A recent survey of 400 U.S. CEOs revealed that the regulatory environment tops the list of issues that can have the most impact on a company.
For software development teams at companies in regulated industries to succeed, they must develop an understanding of their complex regulatory environments, the skills needed to interpret rapidly changing regulations and the ability to develop clear, complete compliance requirements. Below is a list of seven best practices to reach those goals.
1. Identify Regulatory Stakeholders and Engage Them Effectively
Who is involved in governance, risk management and compliance in your organization? These are the stakeholders who will be the busiest – and thus the most difficult to set up meetings with, so identify them early on and plan up-front for the most efficient ways to engage them. Get on calendars early, do your research and develop laser-focused interview questions – ideally chosen from a pre-defined repository of compliance-related questions. A business analyst doesn’t need to know everything about compliance, but it’s important that he know the right people to talk to in order to capture a complete, accurate set of compliance requirements.
2. Get to Know Your Organization’s Regulatory Environment
Understanding the concepts of GRC and the relationships between those concepts gives product owners and business analysts a framework to help identify the right stakeholders and understand relevant business processes. Read up on these capabilities and identify the groups within your organization responsible for them. Research regulations that impact your industry and your region. Talk to the experts and ask questions. Understanding the business of managing compliance in your organization provides clarity for better analysis.
3. Mine Existing Documentation for Foundational Understanding
Obviously, one of the best ways to understand regulatory requirements is to read and understand the most recent relevant regulations and guidelines. Stay up to date on regulatory change by subscribing to relevant government and industry websites. And don’t overlook requirements from prior projects as a source of information. Review and consolidate them to begin developing a reference library.
4. Model Business Processes to Improve Understanding
The software development industry has seen a significant increase in the use of visual models, because it helps project teams and stakeholders have deeper conversations that lead to better requirements. Business process models in particular improve understanding and help teams comprehend the impact of regulatory change. Develop business process models for the key processes in your environment, as well as the processes related to governance, risk management and compliance to improve the quality of your compliance requirements and your ability to analyze them.
5. Build a Repository of Common Compliance Requirements
Because compliance requirements frequently affect multiple projects and systems, they are prime candidates for reuse. This includes requirements related to concepts like access security, data confidentiality, data availability, authentication, logging and auditability, to name a few. Centralizing compliance requirements and the visual models associated with them will provide support for multiple teams as they define user stories and functional requirements. Other artifacts—like risk definitions and stakeholder lists—can be centralized as well. Think about both external regulatory requirements and those needed to support internal governance needs. By developing a shared repository of these critical non-functional requirements, an organization can define them in one place and teams can reference them as needed, eliminating unnecessary work and improving requirements quality.
6. Document Traceability from Regulations to Requirements
Establishing traceability between compliance requirements and related artifacts like business value, process steps, risks, stakeholders, other requirements and the original regulation itself gives teams a powerful analysis tool. It helps them define stronger requirements and assess the impact of regulatory change. It also gives them a compliance plan to illustrate to auditors how the team is working to develop compliance. Robust analysis is the best way to enable compliance; traceability is an important technique to support that analysis.
7. Don’t Short-Change Analysis
The regulatory environment is complex and changing, so product owners and business analysts need to spend time analyzing the impact of regulatory change. Particularly in Agile environments—where up-front analysis is shunned—teams need to understand that there will need to be some pre-work to understand compliance and governance processes before they start executing on sprints. Don’t get stuck in “analysis paralysis,” but do allow enough time to analyze the environment, regulatory information, business processes and other visual models to gain a strong understanding of compliance requirements.
Because regulatory issues have become increasingly important to organizational leaders, product owners and business analysts have to get compliance requirements right. They need to be able to analyze the full impact of regulatory change and define compliance requirements such that developers and testers interpret them accurately. And with business accelerating its pace, they must do it as quickly and efficiently as possible. Following industry best practices will help organizations ensure that they have a thorough process to create fully compliant products.
About the Author
Ruth is a metrics-driven marketing strategist who has worked for two decades serving B2B clients in the technology, healthcare and financial services industries. At Blueprint, Ruth is responsible for product marketing, analyst relations, branding, demand generation and inside sales initiatives.
Edited by Peter Bernstein