Skip to main content

Tag: Requirements

The Incredible Expanding Requirement

Written by Karl Wiegers on . Posted in Articles.

The Incredible Expanding Requirement

A simple requirement statement might conceal much detail that eventually must be discovered and addressed.

Image by kjpargeter on Freepik

Some requirements are like icebergs: The portion that you see initially is only a small fraction of the whole thing. Whether it’s represented as text—such as a single functional or nonfunctional requirement statement, a feature summary description, or a user story—or visually in the form of an analysis model, there could be far more to it than first appears. Requirements analysis involves digging below the surface of a presented requirement to understand its full scope, complexity, and implications.

Let’s consider a simple, common nonfunctional requirement: “Only authorized users may access system services.” That security requirement could have originated from a company policy, government regulation, or other business rule. Can you just hand that requirement to a developer, or maybe write it in the form of a user story and add it to the product backlog? I don’t think so. Peeling away the layers shows that that one requirement statement can expand enormously, raising many questions and spawning many child requirements along the way.

This raises the question of how much detail to document for an unrefined requirement versus leaving it in the hands of the developer to process as they see fit. In other words, who do you want to make all the decisions associated with a complex requirement, and when? Considering that question will help you manage the transition from requirements to design.

If you want an initial high-level requirement implemented in a specific way, the business analyst should elaborate it into the appropriate level of detail and precision. That elaboration could impose design constraints on the developer, albeit for good and thoughtful reasons. On the other hand, if you’re okay with the developer having the final say on the functionality and user experience details (preferably with feedback from others on design documentation, prototypes, or screen sketches), then just pass the higher-level requirement along for implementation.

Looking Below the Surface

Consider some of the questions you’d have to answer if you were the developer asked to implement our one-sentence security requirement. It’s unlikely that you’d have all the answers yourself. As you study the requirement, you’d have to make up those answers, research policy standards, or consult with others to agree on how to resolve each issue. That’s what business analysis is all about. Let’s see how quickly an exploration of this single requirement statement expands into many detailed requirements.

First, we’ll need a clear definition of exactly what an “authorized user” is and just what system services cannot be accessed unless a user is authorized. Do different parts of the system require different privilege levels or access credentials?

How should each user be uniquely identified? With a login name, an email address, using a third-party account (like Google, Apple, Facebook, or X), or something else? Will the user ID be assigned by a sys admin or user-selected? What are the rules for the user ID: minimum and maximum length, allowed characters, and case sensitivity? What happens if the user selects a user ID that’s already in use?

Next, what is the primary user authentication mechanism? We have numerous choices, including password, passkey, PIN, and biometrics of various kinds. Let’s just think about the venerable password for now. Here are some questions that come to mind regarding passwords:

  • What are the rules for the password: minimum and maximum number of characters; allowed, prohibited, and required; characters, case sensitivity; pattern restrictions (such as no more than two instances of the same character in sequence); required patterns (such as at least one each of upper- and lowercase letters, numbers, and symbols)?
  • Must the user re-enter the same password in a separate field during creation to verify it? If so, what happens if the two entered passwords don’t match?
  • Can the user toggle the visibility of the entered password on and off, either during creation or during logins?
  • How is the password masked in the entry field? With asterisks or dots? One symbol per entered character or a random number of symbols to conceal the password length from an onlooker?
  • What feedback will the system provide if a login attempt fails?
  • Is the user blocked after too many unsuccessful login attempts? If so, how many tries do they get?
  • If the user’s account is locked after too many failed login attempts, how long does the account remain locked? How can the user unlock it?
  • What happens if the user forgets their login ID or password? What recovery method is used? I can’t get into my original YouTube account because I’ve long since forgotten the password, and the phone number on the account cannot receive texts. Google offers me no other identity verification options.
  • Must the user change their password periodically? If so, how often? Are there restrictions on what the new password can be, such as not reusing any of the previous N passwords?
  • Can the user define a personal identification number (PIN) as a shortcut for the password, as on a Windows PC? If so, what are the allowable characters and the minimum and maximum length of the PIN?

These are some of the issues associated with specifying a security requirement for just a simple password mechanism. You can see how the answers to those questions lead to more and more functional requirements to satisfy the nonfunctional security requirement. But the expansion can get much worse.

The Many Modes of MFA

If your project’s decision makers want better security than a password provides, you’ll explore multifactor authentication (MFA) options. You’ll need to choose from numerous options for both MFA techniques and their implementation details. Start by deciding what types of MFA the system should enable to provide the desired security level. Options include:

  • Sending a one-time code that the user must enter to verify their identity
  • Sending an email containing a one-time login link
  • Biometrics, such as fingerprint, facial recognition, voice ID, and iris or retinal scan
  • A physical security token
  • Using an authenticator app, perhaps on a second device

Here are a few more general questions:

  • How many of these MFA options should you make available to the user?
  • If more than one, can the user select their default preference to use initially for each login attempt? Can they change that default?
  • How will the user enable and disable MFA on their account?
  • If for some reason the user can’t employ their initial method (such as not having access to the device with the authenticator app), can they select another method for that session?
  • Will there be some other backup action, such as contacting customer support, in case none of these MFA methods work for the user?

Let’s take a closer look at just the technique of sending the user a one-time code. Contemplate these questions:

  • What options will you provide for sending the code: text message, e-mail, or phone call? Will the user have more than one option available?
  • If text message or phone call, can the user save more than one phone number in their application’s profile? Can they specify the default and select the number to use for each session? Can they change or delete a saved number or change which is the default?
  • How many characters are in the one-time code and what are the valid characters?
  • How long is the one-time code good for? If it’s limited, should the application display a countdown timer? Can the user request to have the code re-sent? If so, is the same code sent again or a new code? What happens if the user enters the one-time code after the time-out period?
  • What happens if this secondary authentication attempt fails? Is the entire login session terminated, or can they try the MFA again? How many tries does the user get at the MFA action? If it’s limited, do attempts using different methods all count toward the limit?
  • Can the user opt to have their authenticated device and login recognized for some period of time so they won’t have to re-authenticate for each session? If so, how long is that period? Where should that information be stored? I use some apps that recognize my device even if I restart my browser, while others lose my remember-me setting whenever I clear the browser cookies.

I’m sure there’s even more to it than this, but you get the picture. Drilling into the particulars of an initial, concise requirement statement often opens a sizeable can of worms. The answers to the resultant questions lead to an explosion into more and more requirements. This fact is true whether the exploration is performed by a business analyst during requirements specification or by a developer who’s been tasked to write the user authentication code. The original requirement isn’t actually growing, so this process isn’t changing the project’s scope. It’s merely revealing the true scope.

The good news is that if you can craft a well-thought-out set of requirements for a complex function like user authentication, you can likely reuse them in multiple applications. At the least, they should provide an excellent starting point.

Beware the Blast

I’ve used a common nonfunctional requirement to illustrate how much complexity can hide beneath the tip of that requirement iceberg. The same can apply to functional requirements and product features, of course.

One of my consulting clients held a large workshop to gather requirement ideas for a new flagship product. One of the requirements stated, “The product shall respond to editing directives entered by voice.” This was at a time before speech recognition capabilities were built into all of our devices. That one simple requirement statement looked to be no bigger or smaller than all of the many others in the set. However, you can guess how large the requirements explosion would be when someone looked into everything involved with the details of that speech recognition feature.

Understanding the true scope of a requirement so your team can estimate and plan for its design and implementation often requires a fair amount of exploration. During that exploration, you can set the priorities of the various child requirements, perhaps deferring some functionality to later development iterations and maybe never implementing others. That thinking process is less painful than encountering one additional, unexpected need after another and continually revising the product.

======

Karl Wiegers is the author of Software Requirements Essentials (with Candase Hokanson), Software Requirements (with Joy Beatty), Software Development Pearls, The Thoughtless Design of Everyday Things, Successful Business Analysis Consulting, and numerous other books.

 

BATimes_Sep18_2024

Transition Requirements – The Key To Adoption

Written by Tiffany Wiley on . Posted in Articles.

The key to adoption. Don’t forget the obvious.

 

As a Business Analyst at heart, requirements play a part in my everyday life. Much to the annoyance of those closest to me, I’m wired to think of everyday activities in terms of requirements 😊

However, transition requirements are sometimes elusive, even to those of us with a couple of decades of experience. But – they are the key to adoption!

A quick little story time…

When my daughter went to her first school, we spent weeks preparing; we got her a backpack and matching lunchbox, new school clothes, new shoes, and a sleeping mat, and we even planned a lunch and snack menu! I even read the school handbook, multiple times! At 3.5 years old; she’s spent her entire life with just the three of us. She never went to a daycare, so this was her first school-like experience, and we were ALL excited! Nevertheless, in all that preparation, we neglected a key piece of information – WE would not stay with her at school.

As we unbuckled her, with excitement beaming from her eyes, she stated “Mommy, we are all going to have so much fun today!”. At that moment, I knew I missed a key piece of information that was going to completely change how the rest of the day went. Oops! And it did…she was distraught! Then I was too!

In all my functional preparation, I neglected to operationalize her new school experience. I completely missed considering my key stakeholder’s transition!

Even with over 18 years of requirements management experience, I forgot the obvious. This is your call to action – don’t forget the obvious!

 

What are transition requirements?

Transition Requirements (or Transitional Requirements) are like NFRs (Non-Functional Requirements), in that they are often missed in the design and development processes.

As the name suggests, these are the requirements that will ensure a successful transition from the current to the future state.

 

Why are they important?

Without a plan to transition from the current state to the future state, adoption will surely slow if not stop entirely. You as the Product/Project Manager may be excited about this change, but excitement alone doesn’t cross the finish line!

A transition (or migration) will likely impact other business units and processes. For example, a customer may need to upgrade a current licensing agreement to transition to a new solution. Do you wait to transition them? What is the impact of waiting? Are there legal implications? Is additional training required?

Additionally, on the softer side of a transition, is understanding the change curve. Especially when it comes to process or culture-related changes, transitions can be very difficult. People are creatures of comfort – i.e., creatures of familiarity. And change is unfamiliar….it is uncomfortable. Having a good understanding of change management can help ensure there aren’t gaps in the transition plan and requirements.

 

How does that tie into overall value?

Value is realized when the solution is adopted. A single transition requirement alone does not generally provide quantitative value. However, the overall plan and requirements’ existence provides a qualitative value by ensuring a successful transition can happen – leading to better adoption and ultimate solution value realization.

 

Advertisement

 

Technique for gathering Transition Requirements?

Transition requirements should only be defined once the final solution is known. It doesn’t need to be fully implemented, but it must be known.

Unlike functional (or stakeholder) requirements, these are typically not willingly disclosed or stated by the business or users. Because of this, my favorite technique to start with is questions; to elicit information to then derive the transition requirements from that information. It is important to have a listing of questions to start with, but also being present in the discussion will help uncover additional questions to minimize gaps and assumptions.

Some sample questions and follow-up questions are noted below:

  • Are there any user skill gaps that need to be filled to operationalize the new solution?
    • Is this a training we can provide, or do we need outside help?
    • What is the cost of this effort?
    • What type of internal messaging is required?
  • Is there any data that needs to be migrated from the current to the future system?
    • If so, how can that be done?
    • Migrate all data? Only some data?
    • Does data need to be transformed?
    • How long to prep? Migrate? Validate?
    • Are there any regulatory requirements for transmitting the data?
    • What are the ideal timelines?
  • What is required to retire the current solution?
    • Can it just be turned off/eliminated?
      • Do user accounts need to be deactivated?
    • Is there a cost associated with terminating (or ending early)?
    • Will data need to be deleted? Can it (contractually) be deleted?
  • What processes need to change to implement the new solution?
    • How/when will this process change happen?
    • How/when will it be communicated?

 

Additionally, think about the differences between the two solutions/states. Then identify some questions, even if they seem silly, to help elicit information. Listed below are a couple of sample projects with a few starting questions:

 

Set your launch up for success by not forgetting the obvious – Transition Requirements.

BATimes_Sep11_2024

The Mirage of AI as a Cure-All: How to Ground Executive Enthusiasm in Realistic Outcomes

Written by Joel Frenette on . Posted in Articles.

In today’s fast-paced business environment, artificial intelligence (AI) is often heralded as a panacea for a wide range of organizational challenges. Whether it’s optimizing supply chains, improving customer service, or enhancing decision-making processes, AI promises to revolutionize how businesses operate. However, as any seasoned project manager or business analyst knows, the reality is far more nuanced.

Many executives, driven by the latest headlines or industry trends—often referred to as “managing-by-magazine”—may come to you with the next “big idea” for an AI project. While their enthusiasm is commendable, it can also lead to unrealistic expectations and poorly defined projects that fail to deliver the promised results.

 

The Problem with AI Hype

The marketing surrounding AI often paints it as a silver bullet capable of solving any business problem. This can create a disconnect between what executives expect and what AI can realistically achieve. Without a clear understanding of AI’s limitations and the specific problems it can solve, organizations risk investing in projects that deliver little to no return on investment (ROI).

As a project manager or business analyst, your role is to bridge the gap between executive enthusiasm and practical outcomes. This involves not only understanding AI technology but also being able to communicate its potential and limitations in a way that resonates with decision-makers.

 

Start with the Use Case

The first step in any AI project should be to thoroughly discuss the potential use cases. What specific problem is the AI solution intended to solve? How will success be measured? By framing the conversation around use cases, you can help executives focus on the practical applications of AI rather than getting swept up in the hype.

For example, if an executive is excited about using AI to improve customer service, you might start by discussing how AI could be used to automate routine inquiries, allowing human agents to focus on more complex issues. From there, you can explore the potential ROI, such as reduced call times or improved customer satisfaction scores.

 

Identify Specific Deliverables

Once the use case is clear, the next step is to identify specific deliverables. What tangible outcomes will the project produce? These could be anything from a working prototype of an AI-powered chatbot to a detailed report on how AI can be integrated into existing workflows.

By focusing on specific deliverables, you can help manage executive expectations and ensure that the project remains grounded in reality. This also makes it easier to track progress and measure success, as you will have clear milestones to work towards.

 

ROI: The Bottom Line

One of the most critical aspects of any AI project is identifying the potential ROI. This involves not only estimating the financial return but also considering the broader impact on the organization. Will the AI solution improve efficiency? Reduce costs? Enhance the customer experience?

ROI calculations should be revisited regularly throughout the project lifecycle. As new information becomes available, it’s important to reassess the potential benefits and adjust the project scope as needed. This iterative approach ensures that the project remains aligned with organizational goals and delivers real value.

 

Refine Through Requirements Gathering

Even with a clear use case, specific deliverables, and a well-defined ROI, it’s essential to continually refine the project scope through requirements gathering sessions. These sessions allow you to gather input from various stakeholders, identify potential challenges, and ensure that the project remains on track.

During these sessions, it’s important to ask probing questions to get to the heart of the matter. What are the underlying business needs? How will the AI solution integrate with existing systems? What data will be required, and how will it be managed? By addressing these questions early on, you can prevent scope creep and ensure that the project stays focused on its core objectives.

 

Advertisement

 

The Power of Business Process Mapping (BPM)

One highly effective tool for refining project scope and ensuring alignment with business objectives is Business Process Mapping (BPM). BPM is a visual representation of an organization’s workflows and processes, and it can be instrumental in highlighting inefficiencies, redundancies, and gaps within current operations.

Before diving into an AI implementation, BPM can help you and your stakeholders gain a clear understanding of how work is currently being done. By mapping out existing processes, you can identify where AI might be most beneficial, as well as areas that may need improvement before AI can be effectively integrated.

For instance, if a process map reveals that a significant amount of time is spent on manual data entry, this could be a prime area for AI automation. Conversely, if a process is already highly optimized, it might not be the best candidate for AI enhancement, helping you avoid misallocation of resources.

BPM also serves as a communication tool, providing a common language for discussing process improvements. It enables all stakeholders to visualize where changes will occur, what the expected outcomes are, and how the AI solution will fit into the broader organizational landscape. This transparency can help prevent misunderstandings and ensure that everyone is on the same page regarding the project’s goals and expectations.

 

Conclusion: Turning AI Hype into Real Results

AI has the potential to transform businesses, but it’s not a one-size-fits-all solution. By taking a thoughtful, measured approach to AI projects, you can help your organization avoid the pitfalls of “managing-by-magazine” and achieve real, tangible results.

The key to success lies in grounding executive enthusiasm in practical outcomes. This involves thoroughly discussing use cases, identifying specific deliverables, calculating potential ROI, and continually refining the project scope through requirements gathering sessions. Additionally, leveraging tools like Business Process Mapping can provide valuable insights into existing workflows, highlighting areas where AI can be most effective and ensuring that the project delivers real value.

By following this process, you can ensure that your AI projects are not only aligned with organizational goals but also contribute to the long-term success of your organization.

BATimes_Aug15_2024

The Deadline Dilemma: Unpacking the Reality of Arbitrary Timelines

Written by Adrian Reed on . Posted in Articles.

Perhaps I’ve been doing this job so long that I’ve become a little cynical, but I have a theory. I suspect that 80% (or more) of deadlines that are given are completely arbitrary. They are either based on ‘finger in the air’ guesstimates of when something is needed, or (in some cases) they are just plucked out of thin air. What is particularly difficult is when the person setting the deadline has no real idea of what the work is or how long the work will take.

 

An Example: The Deadline That Creeps Up

In a previous role, a long time ago, I was working on what I believed to be a very time critical deliverable. Once it was complete a senior executive would be using it, and I was told that the deadline was non-negotiable. The project manager was very clear: the work has to be completed, there can be no slippage. Initially, it looked just about achievable, so I set off doing my work.

 

As is so often the case, the work turned out to be more complex than anyone had realized. I escalated, and explained things were likely to take longer than anyone had assumed, and was told that there’s no chance of extending the deadline. Since I was enjoying the work and the deadline seemed so important I was happy to put in some late nights. Towards the end, I worked some weekends too, and just about got it over the line in time. I was tired, but it felt good as I uploaded the final version and emailed the senior stakeholder.

 

However, that feel-good factor soon faded when I immediately got a response: an automated ‘out of office’ explaining that the stakeholder was on vacation for a week. Investigating further, I find that yes, this person is on vacation, and this had been planned for a long time (they hadn’t taken emergency leave at short notice).

 

The deliverable wouldn’t be utilized for a week. There was actually a week of ‘slack’ built into the plan, but nobody told me. I could have slept more and I needn’t have worked the weekend…

 

My Bad: Not Asking “What Is The Implication Of This…”

It would be easy to blame the project manager or senior stakeholder in this story, but I don’t. In fact, it taught me something really important about deadlines. When a deadline is tight, it’s important to ask questions to understand how ‘hard’ and constrained it is. Ultimately here, we’re testing the constraints. Questions include:

 

 

There are many other questions too, and the intention here is to understand what is a real, immovable constraint and what isn’t.

 

Being Clear on Estimates

Equally, alongside asking questions, it is important to drive analysis deadlines on analysis estimates, rather than accepting arbitrary deadlines. There is often uncertainty, and if it is necessary to have a detailed plan up front, then the schedule ought to be based on a practitioner’s assessment of how long the work will take. If a deadline is found to be arbitrary or malleable, then planning forward and explaining what is possible in a particular timeframe can be a useful approach. Whatever approach is taken, getting regular feedback, updating estimates and pivoting accordingly is important, as is managing expectations.

 

In summary: understanding what is a real constraint and what isn’t is crucial. This can be achieved by asking provocative but important questions.

 

 

BATimes_Aug08_2024

Beyond the Buzzword: A New Era of Collaboration or Competition?

Written by Aman Fogat on . Posted in Articles.

During a recent project, I found myself in the midst of a significant breakthrough. Our team was tasked with producing a comprehensive set of artifacts and documentation—a process typically spanning an entire week. This time, we decided to harness the power of AI to expedite the process. Remarkably, what usually took us seven days was accomplished in a single day.

As we marveled at the efficiency of our AI tools, my Senior Business Analyst turned to me with a thoughtful expression. “Do you think our jobs are at risk?” they asked, a hint of concern in their voice. “AI has done in one day what we usually do in a week. Are we becoming obsolete?”

I was momentarily taken aback. The question lingered in my mind as I pondered the implications of this technological leap. It was clear that AI was reshaping the way we worked, but what did this mean for the future of our roles as business analysts? Would we become redundant, or would AI simply redefine our responsibilities?

 

Understanding AI and Its Limitations

AI refers to the simulation of human intelligence in machines designed to perform tasks that typically require human cognitive functions. These tasks include reasoning, problem-solving, and learning from data. While AI excels at automating repetitive processes, analyzing large datasets, and generating insights, it has inherent limitations. AI lacks the ability to fully comprehend contextual nuances, emotional subtleties, and complex decision-making scenarios that require human judgment.

The Core Responsibilities of Business Analysts

Business analysts play a vital role in organizations by identifying business needs, proposing solutions, and facilitating communication between stakeholders. Their responsibilities include analyzing and improving business processes, managing stakeholder expectations, and guiding organizational change. These tasks involve a deep understanding of human behavior, organizational dynamics, and ethical considerations—areas where AI currently falls short.

Stakeholder Management and Negotiation: One of the critical aspects of the BA role involves managing relationships with various stakeholders and negotiating between differing interests. These activities require a level of empathy, negotiation skills, and cultural understanding that AI struggles to replicate. AI may analyze data and automate tasks, but it cannot navigate the complexities of human interaction and build consensus among diverse groups.

 

Advertisement

 

The Impact of AI on Business Analysis

Ethical Decision-Making: Business analysts often face decisions with significant ethical and practical consequences. AI systems, despite their advanced capabilities, cannot replicate human ethical reasoning or take responsibility for decisions. The ability to navigate complex ethical dilemmas remains a critical aspect of the BA role.

Human Interaction: The role of a business analyst involves extensive human interaction, such as negotiating between stakeholders, translating business needs into technical solutions, and managing change. These interactions require empathy, negotiation skills, and an understanding of organizational culture—skills that are challenging for AI to mimic.

Strategic Decision-Making: Business analysts are tasked with making decisions that impact various aspects of an organization. AI can assist by providing data-driven insights, but the responsibility for interpreting these insights and making strategic decisions will continue to rest with human analysts. The ability to balance data with human judgment is essential for effective decision-making.

 

AI as an Enhancement Tool

Rather than replacing business analysts, AI is poised to enhance their capabilities. By automating routine tasks and analyzing large volumes of data, AI can support BAs in their work, allowing them to focus on more strategic and value-added activities.

Increased Efficiency: AI can streamline data analysis and automate repetitive tasks, freeing up business analysts to concentrate on high-value activities such as strategy development, problem-solving, and stakeholder engagement. This shift enables BAs to leverage their expertise in areas where human insight is indispensable.

Collaboration with AI: Embracing AI as a collaborative tool will be key for business analysts. By integrating AI technologies into their workflows, BAs can enhance their productivity and effectiveness. Continuous learning and adaptation will be essential for BAs to stay ahead in an evolving landscape.

 

The Future of Business Analysis

The role of business analysts is not on the brink of extinction; instead, it is evolving in response to technological advancements. AI will not replace business analysts but will transform how they work. The future will see BAs leveraging AI to handle routine tasks, analyze data, and generate insights, while they continue to focus on strategic activities that require human creativity and judgment.

In conclusion, AI is reshaping the business analysis profession by augmenting the role of business analysts rather than rendering it obsolete. As AI tools become more integrated into business processes, BAs will find new opportunities to enhance their impact and contribute to organizational success. Embracing this change and adapting to new technologies will ensure that business analysts remain valuable assets in the evolving business landscape.