
Extending Requirements Management for Business Planning

I’ve used SysML to model requirements and traceability for impact analysis, coverage, etc. for a fair amount of time; and across more domains than the typical use of CASE tools.  I’ve found them to be useful as methods to model governance and compliance requirements from regulatory, contract, and corporate policy, and have even used requirements models to model my own priorities as an easy load into traditional project management software (e.g. MS Project).  To date my applications of choice have always been based on the Eclipse Requirements Modeling Framework (RMF) as incorporated in the TopCased Model Based Systems Engineering (MBSE) tool-chain.  This project is now being migrated to PolarSys, though the requirements part appears to have been incorporated as a standalone component by ProR.

In traditional Microsoft fashion, a good set of tools based on the Collaborative Systems Requirements Modelling Language (CSRML), a goal-oriented markup for requirements modelling, has recently come to my attention.

If there’s anything that you’d need a formal requirements model for, but without the overhead of a full MBSE approach, it’s certainly worth looking into.  Questions regarding the point of modeling non-engineering activities are relatively predictable, and I’d like to address a couple of the more common ones asked by those represented in the Venn diagram below.

Figure: Actors in Enterprise Compliance

“What’s wrong with traditional BPM, CASE, RM, or other IDE type of tools?”

Unfortunately, Papyrus, TopCased, and many other similar applications are (a) less than user friendly for those without a background in and understanding of UML, and (b) limited in their scope of representation and in their access for collaboration.  From that perspective I wanted to think of alternative approaches, and the explosion in collaborative IDEs for software development leaves me hoping for a similar capability for modeling.

There is certainly no shortage of collaborative applications, and I’ll follow with some other shortcomings in the current SaaS market in a separate post. A prime example of a promising entry, however, is the class of IDEs that can provide tangible value to teams, such as Cloud9 (use Chrome or FF).  This SaaS IDE provides real-time visibility between members working on a project and is an incredibly efficient tool I use to work with remote developers when performing interviews and skills assessments.  While I’m of a firm belief that nothing quite replaces a face-to-face interview, being able to work through a real-world project gives me insight into the candidate’s thought processes and fit into the team dynamic they are being interviewed for … saving on travel costs, or the expense of a poor hiring decision.  Alternately, something as simple as providing training, guidance, and leadership support to a remote employee who needs assistance with a concept is facilitated through such tools. Of course we’ve got many options for this, from simple screen-sharing and chat applications to full office suites such as Office365, Google Docs, or Office 2010 (when backed by SharePoint), all of which support real-time, multi-user, collaborative editing.  Extending the IDE as an asset into this domain solves two intermediate problems on the way to having our requirements and models generate value for the organization.

  1. Enterprise architecture (EA) is often seen by personnel as an esoteric representation of the organization and its processes.  Without open access and visibility, ease of manipulation, and methods of sharing EA data, it often ends up gathering dust in the corner instead of being used to drive change. By enabling a collaborative and data-driven view of the enterprise (whether business process or IT architecture), the uses of the data are opened up to creative possibilities, and transparency can assist in the maintenance of the information, preserving the original investment in investigation.
  2. Addressing requirements and developing plans for compliance within the enterprise is noble, but only touches on the underlying need for traceability. With a more collaborative and diverse audience, the ability to trace requirements, their precedence, and their sources, while mapping them against each other, would bring a degree of transparency into the areas of Governance, Compliance & Risk (the subject of my next article).

“Why do I need to model my compliance needs? What’s wrong with using ABC?”

Some might accuse me of overcomplicating what is, on the surface, a relatively straightforward activity and question along the lines of “What are our compliance requirements, what policies and processes do we have to cover them, and how do we ensure our due diligence in validating adherence to those policies?”.  These might include topics in subcontractor management, ANSI EVM controls, IA Control requirements for PCI, or any other myriad set of complementary frameworks. In the typical firm, however, the perspective necessary to answer this line of questioning is rarely found in one person or group, and without collaborative ideation it’s incredibly likely that either (a) something will be missed or (b) the information isn’t effectively communicated to personnel.  In either instance, a failure of due diligence may leave a firm at risk.

Often I’ll see this documented as spreadsheets with a matrix of tabs, but this fails the traceability test and doesn’t lend itself to automation in case of audit.  Furthermore, it fails to offer extensibility at scale, doesn’t afford the organization an efficient method of communicating the requirements to program/project managers or their staff, dramatically increases the overhead required to train staff and validate program execution, and increases the amount of rework or discovery needed by personnel who have a need for that data.
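To make the “traceability test” concrete, here is an added example (not code from this post, nor from RMF, ProR or CSRML) of the minimal model a tool has to hold to beat the spreadsheet: a source (regulation, contract clause, corporate policy) imposes requirements, each requirement is covered by one or more policies, and each policy is validated by one or more controls. From that graph the model answers the questions an audit asks and a matrix of tabs cannot answer automatically: which requirements have no policy, which policies have no validation, what must be re-reviewed when a requirement changes, and which sources justify a given control. All identifiers and requirement text below are constructed sample data.

```python
"""Minimal requirements-traceability model for compliance mapping.

Added example: source -> requirement -> policy -> control, with
coverage, impact and backward (audit) traces computed from the links.
All ids, sources and requirement text are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    id: str
    text: str
    source: str  # regulation, contract clause or corporate policy imposing it


@dataclass(frozen=True)
class Policy:
    id: str
    title: str
    satisfies: frozenset  # requirement ids this policy is meant to cover


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    validates: frozenset  # policy ids whose adherence this control checks


class TraceModel:
    """Directed traceability graph over requirements, policies and controls."""

    def __init__(self):
        self.requirements = {}
        self.policies = {}
        self.controls = {}

    def add_requirement(self, req):
        self.requirements[req.id] = req

    def add_policy(self, pol):
        # Reject dangling links up front; a spreadsheet silently accepts them.
        missing = pol.satisfies - self.requirements.keys()
        if missing:
            raise KeyError(f"{pol.id} references unknown requirements {sorted(missing)}")
        self.policies[pol.id] = pol

    def add_control(self, ctl):
        missing = ctl.validates - self.policies.keys()
        if missing:
            raise KeyError(f"{ctl.id} references unknown policies {sorted(missing)}")
        self.controls[ctl.id] = ctl

    def uncovered_requirements(self):
        """Requirements no policy claims to satisfy (a compliance gap)."""
        covered = set().union(*(p.satisfies for p in self.policies.values()))
        return sorted(self.requirements.keys() - covered)

    def unvalidated_policies(self):
        """Policies with no control checking adherence (a due-diligence gap)."""
        validated = set().union(*(c.validates for c in self.controls.values()))
        return sorted(self.policies.keys() - validated)

    def impact(self, req_id):
        """Forward trace: policies and controls to re-review if req_id changes."""
        if req_id not in self.requirements:
            raise KeyError(f"unknown requirement {req_id}")
        pols = {p.id for p in self.policies.values() if req_id in p.satisfies}
        ctls = {c.id for c in self.controls.values() if c.validates & pols}
        return {"policies": sorted(pols), "controls": sorted(ctls)}

    def justification(self, ctl_id):
        """Backward trace for an audit: which sources justify this control?"""
        ctl = self.controls[ctl_id]
        req_ids = set().union(*(self.policies[p].satisfies for p in ctl.validates))
        return sorted({self.requirements[r].source for r in req_ids})


def build_sample_model():
    """Constructed sample: one gap at each layer so every report has content."""
    m = TraceModel()
    m.add_requirement(Requirement("REQ-1", "Review vendor staff access quarterly", "CONTRACT-ALPHA"))
    m.add_requirement(Requirement("REQ-2", "Retain security audit logs", "REG-PCI"))
    m.add_requirement(Requirement("REQ-3", "Complete subcontractor onboarding checklist", "CORP-POLICY"))
    m.add_policy(Policy("POL-A", "Access management policy", frozenset({"REQ-1", "REQ-2"})))
    m.add_policy(Policy("POL-B", "Log management policy", frozenset({"REQ-2"})))
    m.add_control(Control("CTL-1", "Quarterly access review sign-off evidence", frozenset({"POL-A"})))
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("uncovered requirements:", model.uncovered_requirements())
    print("unvalidated policies:  ", model.unvalidated_policies())
    print("impact of REQ-2 change:", model.impact("REQ-2"))
    print("sources behind CTL-1:  ", model.justification("CTL-1"))
```

The point of the referential checks in `add_policy` and `add_control` is that the model refuses a link to a requirement or policy that does not exist; that is exactly the defect a tab-matrix accumulates quietly as rows are renamed or deleted, and it is what makes the coverage and impact reports trustworthy enough to hand to an auditor.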

Blame it on my firm belief in the value of quantitative measurement and management as not only a “best practice” but a “required practice” for high-performing teams and organizations; or perhaps on my firm belief in transparent leadership and governance.  Enough people have heard my argument against the use of spreadsheets as a form of enterprise knowledge management to understand my perspective on why this is a bad idea and why the way the typical firm handles this today needs something different. That something needs to be easy to use for the small to mid-sized firm, needs to be able to tie into ERP and audit systems, and needs to be a collaborative method treating EA and Governance as reusable, transparent, and executable enterprise assets.

Though I say it jokingly to my colleagues, there is truth when I note that I’ll need to consider an MBA after I complete my PhD, and in all likelihood should follow that with a JD … there’s a niche opportunity for systems, and people that have a deep understanding between areas of business, law & technology.

“So what can we do about it?”

While I’m often accused of having big ideas, being a person capable of developing solutions to most of them is a core strength I rely on to demonstrate value through prototypes.  To that end, and based on my research/papers on the overall extent to which regulatory, contract, and corporate governance can cross organizational disciplines, I’ve begun modeling a SaaS solution for publication control mapping and compliance methods.  I’m through the generic model of compliance and have a number of concepts on how to carry it forward, but am leaning towards a community-driven site and application that could tie to my parallel efforts in using predictive analytics for effort and cost estimation.  As each gets a bit more polished I’ll publish them under an open license; in the meantime I certainly appreciate any insight, critique, or commentary on the subject.

So jump on in and share your thoughts.  Do you see this as a problem, or is it a niche need? How do you manage the myriad set of policies, procedures, and alignment to the governance frameworks in your industry? Any particular tools that you use, and how do you ensure that those processes are executable by staff? Do you have an orchestrated set of executable workflows, or is it tribal knowledge and lots of training (for hopefully compliant programs)?

Posted on January 5, 2014 in Business, Information Technology