Requirements management in times of insurance supervisory requirements for IT (VAIT)

In its Circular 10/2018, the Federal Financial Supervisory Authority (BaFin) defined the insurance supervisory requirements for IT (VAIT). With immediate effect, these guidelines provide guidelines according to which insurers must organize their IT development and IT operations.

With regard to “requirements management” (also known as “requirements engineering” or “business analysis”), there are a number of special requirements that differ in part from the current practice of many insurers.

In this article we would therefore like to name some of the relevant guidelines from VAIT and motivate the need for professional tool support in this respect.

Important VAIT requirements

The Requirement Process

In Point 49, VAIT calls for the definition of appropriate processes for application development, which include “requirements for requirements determination”.

This requirement is concretized in point 50: “Both requirements for the functionality of the application and non-functional requirements must be properly collected, evaluated and documented. The responsibility for the collection and evaluation of the requirements lies with the specialist departments.”

Essentially, this means for an insurer that it has to question all its processes around requirements management in order to design them VAIT-compliant. The main focus is on questions such as

  • How do business and IT (application development) communicate with each other?
  • What input channels are available for requirements?
  • Is the communication interface clear and standardized?
  • Are (all) requirements systematically documented? How are requirements described?
  • Who describes requirements and where are these recorded (tools)?
  • Is it comprehensible who has set, described and approved requirements?
  • Is the documentation of the requirements audit-proof and comprehensible?
  • How is the evaluation and impact analysis of incoming requirements carried out? Are decisions and acceptances comprehensibly documented?
  • How are the requirements managed over the life cycle?

In this respect, point 10, which states that all employees must have the necessary knowledge and experience, and point 11, which states that the absence or departure of employees must not lead to lasting disruptions of operational processes, are particularly relevant.

Consequently, the process must be implemented in a repeatable manner and as independent as possible, which places high demands on the training and day-to-day work support of the persons responsible for requirements management.

The Application Documentation

In addition to the aforementioned requirement for the appropriate collection and documentation of the requirements within the framework of an IT project, VAIT also demands in guideline 53 “clear and comprehensible documentation for expert third parties” for developed applications, which also includes important design decisions beyond the requirement.

For an insurer, this means that for all applications that may not be currently documented, an application documentation must be drawn up, which may involve a great deal of effort.

Further documentation obligations

In the section “Information Risk Management”, VAIT continues to require the documentation of certain facts which are also of importance within the framework of internal requirements management.

For example, Directive 20 requires that a company always “has an up-to-date overview of the components of the defined information network”, including “business-relevant information, business processes, IT systems and network and building infrastructures”, which are frequently modified as part of application development.

In Guideline 22, VAIT also requires that, in addition to project-specific IT requirements, requirements “for the implementation of protection objectives in the protection requirement categories” be documented in the form of a catalogue of target measures. Even if these requirements are not directly understood as requirements for an application development project, they can and should also be addressed with proven methods and procedures of requirements management.

Why tool support is essential

In order to adequately address the implications of VAIT with regard to “requirements management”, adequate tool support is essential. Dedicated tools for requirements management (so-called Rquirements Management Tools or RM Tools), which provide perfect support for such challenges by their very nature, have so far only been used by a few insurers, however, mostly for reasons of complex and costly handling.

For many insurers, requirements are still documented and managed in simple Office products such as Word and Excel or, for some years now, increasingly in in-house wikis such as Confluence.

However, these tools quickly reach their limits when it comes to mapping a consistent, comprehensible requirements process, in which all changes, decisions and acceptances are documented in an audit-proof and quality-assured manner and in which the life cycle of a requirement can be traced completely.

Consequently, despite their basic suitability for requirements documentation, these tools are not suitable for VAIT due to their lack of support for further tasks.

Therefore, insurers should be aware that a rethinking away from previous behaviours and tools towards professional requirement processes and professional requirement management software is necessary – also and especially with regard to agilisation and digitisation.

“Become a Compliant” with ReqSuite®

ReqSuite® RM, the professional requirements management software of the latest generation, offers all functionalities required for a VAIT-compliant requirements process. In contrast to more traditional RM tools, ReqSuite® RM stands out due to its ease of use, intelligent assistance and high flexibility, which also significantly simplifies the work of specialist departments in requirements analysis.

The idea for ReqSuite® is based on the experiences of three consultants, who have accompanied numerous projects for the implementation and execution of requirements management in the insurance industry over the past years and have been confronted with the same challenges with regard to efficiency and compliance again and again.

ReqSuite® has therefore implemented a set of useful functions to enable insurers in particular, for whom IT development is enormously important, but not day-to-day business, to carry out requirements processes effectively, efficiently and comprehensibly.

ReqSuite® can be used to map a VAIT-compliant requirements process in which departments and IT departments can work together to develop requirements and document them in an audit-proof manner.

In particular, the role of the business unit as the requester and approver of requirements can be strengthened by the intelligent assistance and automatic quality assurance of ReqSuite®. As required by VAIT in number 42, a materiality analysis and impact analysis can also be carried out directly and semi-automatically.

When using ReqSuite® RM, insurers do not have to resort to a predefined standard process – ReqSuite® offers the possibility to completely adapt the requirements process to the needs of the company with the help of the integrated designer.

Release steps, requirement types and description templates can be individually defined. In this way, VAIT’s requirement from number 50, which describes the collection and documentation of different types of requirements, such as functional and non-functional requirements, can also be met. In addition, the other documentation obligations, which go beyond pure requirements management, can be mapped by suitable configuration with ReqSuite®.

Thanks to our many years of expertise in the insurance sector, we are always available to provide insurers with advice and practical support in order to implement the complex issue of requirements management in ReqSuite® in compliance with VAIT.

Talk to us and don’t hesitate any longer, because supervision is already in the starting blocks!

Avatar photo
Sebastian Adam

Dr. Sebastian Adam is Managing Director of OSSENO Software GmbH and responsible for product innovation and marketing. Before joining OSSENO, he worked for 10 years as a consultant, scientist and team leader for requirements engineering at the Fraunhofer Institute for Experimental Software Engineering (IESE). Dr. Adam has assisted several dozen companies and has best practices in the introduction and implementation of requirements engineering across all industries.