Building your requirements list: 30 mission-critical questions for your stakeholders

IRM project planning questions

A smooth, successful IRM deployment starts with two key ingredients: one, selecting the right stakeholders; and two, documented requirements and expected outcomes. We wrote about building a strong stakeholder group in this LinkedIn article. Once your stakeholder group has been formed, your next step is to have each stakeholder submit their requirements and anticipated outcomes. When you compile them, you'll have a document that represents the needs and wishes of each department that has a stake in the IRM solution. This document is your multitool: it can be used for the project scope of work, as well as for establishing roles and reporting.

To help you develop your requirements and outcomes document, here are 30 questions to ask your stakeholder group, broken down into disciplines typically involved in an IRM solution deployment.

Business resiliency & continuity

  • What types of documents will you incorporate into the new risk management solution?
  • Will a formal content review process be implemented?
  • What notifications need to be set up?
  • Will business continuity planning and disaster recovery testing or a crisis event process be implemented?
  • What reports would you like incorporated into your Business Continuity Management solution?


Audit management

  • Would you like to track project time sheets and expenses for your audit staff?
  • Which audit procedures and reports will be imported into your risk management solution?
  • Would you like to incorporate an exception request workflow for non-remediated findings?
  • Do your audit project managers complete a Quality Assurance Review Checklist prior to closing each project? If not, would you benefit from one?
  • Do your audit project managers complete an Audit Customer Survey prior to closing each project? If not, would one be useful?


IT security & risk management

  • How many risk questionnaires would you like to implement in the risk management solution?
  • Are your questions pre-mapped to any industry regulations or best practices?
  • Would you like to incorporate an exception request workflow for non-remediated findings?
  • Would you like to perform annual or quarterly risk reviews against each risk scenario?
  • What reports would you like incorporated into your risk management solution?


Policy & compliance management

  • Is your control testing process specific to SOX or more of an integrated control testing process?
  • How many control procedures will be imported? Do these need to be mapped to your internal standards, policies, or external regulations?
  • What is your current control testing process?
  • Would you like to incorporate an exception request workflow for non-remediated findings?
  • Would you like to include a SOX 302 certification process?
  • What types of documents will you incorporate into the Archer policy management solution?
  • What type of policies will be implemented?
  • Will a formal content review process be implemented? What is the workflow?
  • Are there additional authoritative sources that need to be included outside of Archer’s out-of-box content library?
  • What reports would you like incorporated into your policy management solution?


Enterprise & operational risk management

  • What assets (e.g., organizational chart, facilities, applications, business processes) need to be included in the enterprise management solution that will need to be referenced by other solution areas? How are these assets stored and tracked today?
  • Which assets are managed in a change management database (CMDB)?
  • Would you like to keep the assets synchronized in Archer? If yes, how can this data be extracted from your CMDB?
  • Do you want to incorporate a risk/threat/compliance scoring methodology across the entire asset hierarchy?
  • What reports would you like incorporated into your enterprise management solution?


Public sector

  • What types of documents will you incorporate into the Archer Policy Management solution?
  • What type of policies will be implemented?
  • Are there additional authoritative sources that need to be included outside of the out-of-box content library?
  • Will a formal content review process be implemented? What is the workflow process?
  • Do you have documented corporate objectives that should be migrated?


These questions will likely spark others, which is great. It's worth investing time in this exercise because it can save you from time-consuming, costly backtracking and scope creep later in the project. In your document, be sure to record the name of the author/stakeholder of each requirement and outcome. This helps to ensure consistency should there be turnover among stakeholders or at the management level.
