Visual Paradigm Desktop VP Online

The Engine of Change: A Deep Dive into TOGAF 10 Requirements Management

Introduction

In the traditional view of the TOGAF Architecture Development Method (ADM), Requirements Management is often depicted as a central hub surrounded by the eight phases (Preliminary through H). However, it is not merely a phase; it is a continuous process that permeates every stage of the architecture lifecycle.

While other phases produce structural designs (Business, Data, Application, Technology), Requirements Management ensures that these designs remain aligned with stakeholder needs. It acts as the "quality control" and "scope management" engine of the ADM.

TOGAF 10 Requirement Management: The Engine of Change

This guide zooms in exclusively on the Requirements Management process, detailing its two primary deliverables: Changed Requirements and the Requirements Impact Assessment. We will explore how these deliverables are created, what they contain, and how they trigger iterations across the ADM.


The Role of Requirements Management in TOGAF 10

Why It Is Central

Requirements are rarely static. They evolve due to:

  1. External Factors: Regulatory changes, market shifts, or new technologies.
  2. Internal Factors: Budget cuts, strategic pivots, or technical constraints discovered during implementation.
  3. Stakeholder Feedback: New insights gained during workshops or prototypes.

The Requirements Management process ensures that:

  • Requirements are captured consistently.
  • Changes are evaluated for impact before approval.
  • The architecture remains traceable to business goals.

Key Concepts

  • Requirement: A statement of need that must be met by the architecture.
  • Traceability: The ability to link a requirement to specific architecture components (Building Blocks) and vice versa.
  • Iteration Trigger: A significant change in requirements may force the architect to revisit earlier phases (e.g., a new security requirement may require revisiting Phase D: Technology Architecture).

Deliverable 1: Changed Requirements

Definition

Changed Requirements are formal records of modifications to the original set of architecture requirements. These can be additions, deletions, or modifications to functional or non-functional requirements.

When Is It Produced?

  • Continuously throughout all ADM phases.
  • Specifically triggered during stakeholder reviews, compliance assessments (Phase G), or change management activities (Phase H).

Detailed Components

A robust "Changed Requirement" record should include:

Component Description Example
Requirement ID Unique identifier for tracking. REQ-SEC-004
Original Requirement The initial statement. "All user data must be encrypted at rest."
Changed Requirement The updated statement. "All user data must be encrypted at rest using AES-256, and keys must be managed by an external HSM."
Reason for Change Justification for the modification. "New regulatory mandate from Financial Conduct Authority (FCA) regarding key management."
Source Who requested the change? Compliance Officer, Legal Team
Priority Critical, High, Medium, Low. Critical
Status Draft, Approved, Rejected, Implemented. Approved
Date of Change Timestamp for audit trails. 2026-06-15

Practical Example: GlobalFin Corp

During Phase G (Implementation Governance), the security team discovers that the current encryption standard does not meet new industry best practices.

Changed Requirement Record:

  • ID: REQ-DATA-012
  • Original: "Customer PII must be encrypted in the database."
  • Changed: "Customer PII must be encrypted using field-level encryption with rotating keys every 90 days."
  • Reason: Mitigation of recent ransomware threats targeting financial institutions.
  • Impact: Requires updates to Database Schema (Phase C) and Key Management Service (Phase D).

Deliverable 2: Requirements Impact Assessment

Definition

The Requirements Impact Assessment is a analytical document that evaluates the consequences of a changed requirement. It answers the question: "If we accept this change, what else breaks, costs money, or takes time?"

When Is It Produced?

  • Immediately after a "Changed Requirement" is proposed.
  • Before the change is approved by the Architecture Board or Steering Committee.

Detailed Components

A comprehensive Impact Assessment includes:

Component Description Example
Affected ADM Phases Which phases need revisiting? Phase C (Data), Phase D (Technology)
Affected Building Blocks Which ABBs/SBBs are impacted? Customer Database ABB, Encryption Module SBB
Cost Implication Estimated additional budget. $50,000 for new HSM hardware and licensing.
Schedule Implication Delay in timeline. 3-week delay in Phase G completion.
Resource Implication Additional staff/skills needed. Need 1 Security Engineer for 2 weeks.
Risk Assessment New risks introduced. Risk of performance degradation due to encryption overhead.
Benefit Analysis Value gained from the change. Reduced risk of regulatory fines ($1M+ potential savings).
Recommendation Approve, Reject, or Defer. Approve with mitigation plan for performance.

Practical Example: GlobalFin Corp

Following the encryption change above, the Enterprise Architect performs an impact assessment.

Requirements Impact Assessment Report:

  • Change ID: REQ-DATA-012
  • Affected Phases:
    • Phase C: Update Data Architecture diagrams to show field-level encryption.
    • Phase D: Select and integrate Hardware Security Module (HSM).
  • Cost: $50k CAPEX + $10k OPEX/year.
  • Schedule: Delay launch by 3 weeks to allow for testing.
  • Performance Risk: Latency may increase by 5ms. Mitigation: Implement caching layer.
  • RecommendationApprove. The regulatory risk outweighs the cost and schedule delay.

The Workflow: From Change to Action

How do these two deliverables interact with the ADM cycle?

Step 1: Identification

A stakeholder or architect identifies a need for change.

  • Input: Stakeholder feedback, regulatory update, technical debt.

Step 2: Documentation (Changed Requirements)

The change is formally recorded in the Requirements Repository.

  • OutputChanged Requirement record.

Step 3: Analysis (Requirements Impact Assessment)

The architecture team analyzes the ripple effects.

  • OutputRequirements Impact Assessment document.

Step 4: Decision

The Architecture Board reviews the assessment.

  • Decision: Approve, Reject, or Defer.

Step 5: Iteration

If approved, the ADM cycles back to the relevant phase(s).

  • Action:
    • If it affects business processes → Return to Phase B.
    • If it affects data/apps → Return to Phase C.
    • If it affects infrastructure → Return to Phase D.
    • If it affects implementation → Return to Phase E/F/G.

Step 6: Update

Deliverables in the affected phases are updated (e.g., Architecture Definition Document, Roadmap).


Best Practices for Requirements Management

1. Use a Requirements Repository

Do not manage requirements in spreadsheets alone. Use specialized tools (e.g., Jira, Confluence, IBM DOORS, Sparx EA) that support:

  • Traceability links between requirements and architecture artifacts.
  • Version control for changes.
  • Automated impact analysis where possible.

2. Prioritize Rigorously

Not all requirements are equal. Use the MoSCoW method:

  • Must have: Critical for success.
  • Should have: Important but not vital.
  • Could have: Desirable but not necessary.
  • Won't have: Agreed to exclude for now.

3. Maintain Traceability

Ensure every requirement can be traced to:

  • A business goal (Why are we doing this?)
  • An architecture component (How is it implemented?)
  • A test case (How do we verify it?)

4. Engage Stakeholders Early

Regularly review requirements with stakeholders to avoid late-stage surprises. Use prototypes and visualizations to validate understanding.

5. Document Rationale

Always record why a requirement was changed or rejected. This provides an audit trail and helps future architects understand historical decisions.


Case Study Continuation: GlobalFin Corp

Scenario: Mid-Project Regulatory Change

Six months into the project, during Phase F (Migration Planning), a new data privacy law is passed requiring customer data deletion within 48 hours of request.

Step 1: Changed Requirement

REQ-PRIV-007: "System must support automated deletion of all customer data across all databases and backups within 48 hours of a 'Right to be Forgotten' request."

Step 2: Impact Assessment

Analysis:

  • Phase C Impact: Data model must include deletion flags and cascade delete rules.
  • Phase D Impact: Backup systems must support granular restoration/deletion.
  • Cost: $30k for development and testing.
  • Schedule: 2-week delay.
  • Risk: Accidental deletion of linked transactional data.

Step 3: Decision & Iteration

Decision: Approved.
Action:

  • Return to Phase C to update the Data Architecture Definition Document.
  • Update the Architecture Roadmap to reflect the 2-week delay.
  • Update the Implementation Plan in Phase F to include new testing scenarios.

Conclusion

Requirements Management is the heartbeat of the TOGAF ADM. Without it, architecture becomes a rigid, outdated blueprint that fails to address real-world needs. By rigorously managing Changed Requirements and conducting thorough Requirements Impact Assessments, organizations can:

  1. Maintain Agility: Respond quickly to market and regulatory changes.
  2. Control Costs: Understand the financial implications of changes before committing.
  3. Ensure Quality: Keep the architecture aligned with business goals throughout the lifecycle.
  4. Facilitate Communication: Provide clear, documented rationale for decisions to stakeholders.

In essence, Requirements Management transforms the ADM from a linear process into a dynamic, responsive framework capable of delivering true business value in a complex, changing environment.

Turn every software project into a successful one.

We use cookies to offer you a better experience. By visiting our website, you agree to the use of cookies as described in our Cookie Policy.

OK