Business ArchitectureStakeholder Management

Requirements That Actually Work: Atomic, Not Chaotic

OL
Oscar van der Leij
14 min read
Requirements That Actually Work: Atomic, Not Chaotic

I once sat in a project retrospective where the development team and the business stakeholders couldn't agree on what had gone wrong. The developers had built exactly what the requirements document said. The business got exactly what they'd signed off on. And yet the system was being scrapped after eighteen months of work and well over a million euros spent. I remember reading through that document afterward, trying to find where it had gone wrong. Requirement after requirement looked plausible on the surface. "Users shall be able to manage their accounts." "The system shall support reporting functionality." "Performance shall meet business needs." Every sentence had a signature next to it. Everyone had agreed. Nobody had built the same thing in their head.

That experience changed how I approach requirements entirely. We had followed a process that felt rigorous but produced requirements that were fundamentally untestable, ambiguous, and disconnected from the outcomes the business actually cared about. A requirement like "The system should be fast" tells a developer nothing actionable. Fast compared to what? For which users? Under what load? Meanwhile, stakeholders wonder why the delivered system doesn't match their expectations, and architects spend their days translating misaligned assumptions rather than solving real problems.

Understanding Good Requirements

Think of a requirement as a contract between business and technology. Not the 200-page legal contract nobody reads, but the kind where both parties know exactly what they're getting. A good requirement is like a well-written recipe: it tells you what you're making (the outcome), why you're making it (the value), what ingredients you need (constraints), and how you'll know when it's done (acceptance criteria).

Poor requirements are like telling someone to "make dinner." Good requirements specify "prepare a vegetarian lasagna serving 6 people, ready by 7 PM, using ingredients costing under $30, suitable for one guest with a gluten intolerance."

The difference? Atomic precision. Testable outcomes. Clear value.

Eight Things Your Requirements Are Probably Missing

Good requirements share a consistent anatomy. Each of the eight pillars below addresses a specific failure mode, the kind that produces signed-off documents nobody can actually build from. Work through them in order when writing a requirement, and you will catch most ambiguity before it reaches a developer.

1. The Requirement Itself: Atomic and Outcome-Driven

An atomic requirement cannot be broken down further without losing meaning. It describes ONE thing, clearly.

Poor Example: "The system shall provide user management functionality with security features."

What's wrong? This is actually 10+ requirements hiding in a trench coat. User management could mean creation, deletion, role assignment, profile editing, password resets, and more. Security features? That's another rabbit hole.

Good Example: "The system shall allow administrators to deactivate a user account within 5 seconds of initiating the action, preventing that user from accessing the system immediately."

Notice the difference? One clear action, one actor, one outcome, one measurable criterion.

Another Good Example: "The checkout process shall calculate and display the total order amount including applicable taxes within 2 seconds of the user clicking 'Review Order.'"

This is atomic (one calculation), outcome-driven (displays total with taxes), and includes a performance constraint.

2. Measurable and Testable: The "How Will We Know?" Test

If you can't test it, you can't verify it. If you can't verify it, you can't accept it.

Poor Example: "The application should be user-friendly and perform well under load."

How do you test "user-friendly"? What's "well"? What's "load"?

Good Example: "The login page shall authenticate valid credentials and display the user dashboard within 3 seconds for 95% of requests when 1,000 concurrent users are active."

Now we have specific metrics: 3 seconds, 95% success rate, 1,000 concurrent users. A QA engineer can write test cases. A developer knows the target. A business stakeholder understands the commitment.

Aspect Measurable Criterion
Performance Response time < 3 seconds
Reliability 95% success rate
Load 1,000 concurrent users
Outcome Dashboard displayed

3. Rationale: The "Why Does This Exist?" Question

Every requirement needs a reason. This prevents requirements from becoming zombie features that nobody remembers requesting.

Poor Example: Rationale: "Because users need it."

Good Example: Rationale: "Customer support receives 200+ calls per month from users locked out of their accounts. Manual password resets take 15 minutes per incident, consuming 50 hours of support time monthly. Self-service password reset will reduce support load and improve user satisfaction."

The good rationale connects to real pain, quantifies the problem, and explains the solution's purpose.

4. Business Goal and Driver: Connecting to Strategy

Requirements don't exist in a vacuum. They support business objectives.

Poor Example: Business Goal: "Improve the system."

Good Example: Business Goal: "Reduce customer churn by 15% in Q2 by improving user account recovery experience."

Driver: "Customer analytics show that 23% of users who experience login issues never return to the platform. The average customer lifetime value is $1,200. Each percentage point of churn represents $180,000 in annual recurring revenue."

Now executives understand why this requirement matters and can prioritize accordingly.

5. Business Value: The ROI Story

Value translates requirements into money, time, or risk reduction.

Poor Example: Business Value: "Makes users happy."

Good Example: Business Value: "Reduces customer support costs by $7,500 monthly (50 hours × $150/hour). Decreases account abandonment by 8%, retaining approximately $115,000 in annual revenue. Payback period: 4 months based on $30,000 implementation cost."

When you quantify value, you give stakeholders the ammunition they need to defend the budget.

6. Stakeholders and Concerns: The People Factor

Every requirement affects multiple people. Identify them early and surface their concerns before they become blockers.

Poor Example: Stakeholders: "Business users."

Good Example:

Stakeholder Role Primary Concern Power/Interest
Sarah Chen VP Customer Success Support cost reduction High/High
Marcus Johnson CISO Security of password reset flow High/Medium
Development Team Implementation Technical feasibility, maintenance Medium/High
End Users Consumers Ease of use, privacy Low/High
Legal/Compliance Risk Management GDPR compliance for data access Medium/Medium

Surfacing Concerns Early:

Marcus (CISO) is concerned about security. His specific worry: "Password reset links sent via email could be intercepted. We need multi-factor authentication and link expiration."

Sarah (VP) is concerned about support costs. Her worry: "If the self-service flow is confusing, we'll get more calls, not fewer."

Development Team is concerned about maintenance: "We need to use our existing identity provider's API rather than building custom authentication logic."

By documenting these concerns upfront, you avoid the scenario where Security vetoes your design in week 8 of a 10-week project.

The Power-Interest Matrix in Action

Listing stakeholders is only half the work. The matrix gives you a prioritisation model: it tells you who needs deep engagement, who needs reassurance, and who can wait for a monthly update. Once you have placed everyone on it, you have a communication plan. If you want to go deeper on this, I wrote a full article on how architects navigate stakeholder power and interest dynamics.

Plot your stakeholders to determine engagement strategy:

High Power, High Interest (Manage Closely):

  • Sarah Chen (VP Customer Success): Weekly updates, involved in acceptance testing
  • Marcus Johnson (CISO): Security review at design phase, sign-off required

High Power, Low Interest (Keep Satisfied):

  • CFO: Monthly budget updates, ROI reporting

Low Power, High Interest (Keep Informed):

  • Development Team: Daily standups, technical documentation
  • End Users: Beta testing program, feedback surveys

Low Power, Low Interest (Monitor):

  • Marketing Team: Quarterly updates

This matrix tells you who needs what level of communication and when to escalate concerns.

7. Constraints: The Boundaries of Reality

Constraints define what you can't do. They're the guardrails that keep requirements achievable.

Technical Constraints: "Must integrate with existing Active Directory instance (version 2019). Cannot require database schema changes to the production Orders table due to dependencies on 12 legacy systems."

Budget Constraints: "Total implementation cost cannot exceed $50,000. Third-party service costs limited to $200/month ongoing."

Time Constraints: "Must be deployed before Black Friday (November 24). Code freeze begins November 17, allowing 7 days for testing."

Organizational Constraints: "Deployment requires change approval from Architecture Review Board (3-week lead time). Must use approved technology stack: .NET 8, SQL Server 2022, Azure App Services."

Regulatory and Security Constraints: "Must comply with GDPR Article 32 (security of processing). Password reset tokens must expire within 15 minutes. Must maintain audit log of all password changes for 7 years per SOX requirements."

Operational Constraints: "Deployment window limited to Saturday 2 AM to 6 AM EST. Must include rollback plan executable within 30 minutes. Support team available for monitoring but cannot perform technical troubleshooting."

Poor Example: Constraints: "Must be secure and scalable."

Good Example: Constraints:

  • Technical: Must use company's standard identity provider (Okta) via SAML 2.0 integration
  • Budget: Implementation $45,000, ongoing operational cost $150/month maximum
  • Time: Production deployment by October 15, requiring UAT completion by October 1
  • Organizational: Requires security review (2-week process), change control approval (1-week process)
  • Regulatory: Must comply with SOC 2 Type II controls, maintain audit trail per retention policy
  • Operational: Zero-downtime deployment required, must support 24/7 operations

8. Acceptance Criteria: The Definition of Done

Acceptance criteria are the checklist that determines whether the requirement is satisfied. They should be binary: pass or fail.

Poor Example: "The password reset feature works correctly."

Good Example:

Acceptance Criteria for Password Reset Feature:

Functional:

  • User receives password reset email within 60 seconds of requesting reset
  • Reset link expires exactly 15 minutes after generation
  • User can set new password meeting complexity requirements (12+ characters, uppercase, lowercase, number, special character)
  • System prevents reuse of previous 5 passwords
  • User receives confirmation email after successful password change
  • Failed reset attempts are logged with timestamp and IP address

Non-Functional:

  • Password reset flow completes in under 3 seconds (95th percentile)
  • System handles 100 concurrent password reset requests without degradation
  • Reset tokens are cryptographically secure (256-bit entropy minimum)
  • All password reset activity appears in audit log within 5 seconds

Security:

  • Penetration testing confirms no vulnerabilities in reset flow
  • CISO sign-off obtained on security design
  • Rate limiting prevents more than 5 reset requests per email per hour

Usability:

  • User testing with 10 participants shows 90%+ completion rate without assistance
  • Average time to complete reset: under 2 minutes

Operational:

  • Monitoring dashboard shows reset success rate and failure reasons
  • Runbook documented for common failure scenarios
  • Support team trained on troubleshooting procedures

Each criterion is testable. Each can be marked complete or incomplete. No ambiguity.

The Non-Functional Requirements Nobody Remembers Until It's Too Late

Functional requirements get all the attention. Non-functional requirements (NFRs) are the silent killers of projects.

Performance NFRs: "The system shall return search results within 2 seconds for queries containing up to 5 keywords when the database contains 10 million records."

Scalability NFRs: "The system shall support 10,000 concurrent users with linear cost scaling (doubling users should not more than double infrastructure costs)."

Availability NFRs: "The system shall maintain 99.9% uptime during business hours (6 AM to 10 PM EST, Monday through Friday), allowing maximum 43 minutes of unplanned downtime per month."

Security NFRs: "All data in transit shall be encrypted using TLS 1.3 or higher. All data at rest shall be encrypted using AES-256. Encryption keys shall be rotated every 90 days."

Maintainability NFRs: "Code coverage shall be minimum 80% for unit tests. All public APIs shall include OpenAPI documentation. Deployment process shall be fully automated via CI/CD pipeline."

Usability NFRs: "New users shall be able to complete their first transaction within 5 minutes without training. Help documentation shall be available within 2 clicks from any screen."

NFR Category Poor Example Good Example
Performance "Should be fast" "API response time < 200ms for 95% of requests"
Security "Must be secure" "Authentication via OAuth 2.0, sessions expire after 30 minutes of inactivity"
Scalability "Should handle growth" "Support 500% user growth over 2 years without architecture changes"
Availability "High uptime" "99.95% uptime (maximum 4.38 hours downtime annually)"

Time to Build the Machine

Here's how to actually implement these practices:

Step 1: Use a Structured Template

Create a requirement template that forces completeness. Don't allow requirements to be "done" until all sections are filled.

REQUIREMENT ID: REQ-[NUMBER]
TITLE: [Clear, concise title]

REQUIREMENT STATEMENT:
[Atomic, outcome-driven statement]

MEASURABLE CRITERIA:
- [Specific metric 1]
- [Specific metric 2]

RATIONALE:
[Why this requirement exists, with data]

BUSINESS GOAL:
[Strategic objective this supports]

BUSINESS VALUE:
[Quantified benefit: cost savings, revenue, risk reduction]

STAKEHOLDERS:
| Name | Role | Concern | Power/Interest | Engagement Strategy |

CONSTRAINTS:
- Technical: [Specific technical limitations]
- Budget: [Cost constraints]
- Time: [Deadlines, milestones]
- Organizational: [Process, approval requirements]
- Regulatory: [Compliance requirements]
- Operational: [Deployment, support constraints]

ACCEPTANCE CRITERIA:
1. [Testable criterion 1]
2. [Testable criterion 2]
...

TRACEABILITY:
- Parent Requirement: [If applicable]
- Related Requirements: [Dependencies]
- Test Cases: [Links to test specifications]

Step 2: Conduct Stakeholder Mapping Workshops

Before writing requirements, run a 2-hour workshop:

  • Identify all stakeholders
  • Plot them on the power-interest matrix
  • Surface concerns through structured interviews
  • Document constraints from each stakeholder perspective

Step 3: Write Requirements in Pairs

Pair a business analyst with a technical architect. The BA focuses on the "what" and "why," the architect focuses on the "how feasible" and surfaces technical constraints early.

Step 4: Review Against the Testability Checklist

For each requirement, ask:

  • Can a QA engineer write a test case from this requirement alone?
  • Can we measure success objectively?
  • Is there any ambiguous language (should, fast, user-friendly, robust)?
  • Does it contain more than one requirement in disguise?

Step 5: Create Traceability Matrices

Link requirements to business goals, test cases, and implementation components. When a requirement changes, you know exactly what else is affected.

Requirement ID Business Goal Test Cases Components Affected Status
REQ-042 Reduce churn 15% TC-042-001, TC-042-002 AuthService, EmailService In Progress

The Handoff That Actually Works

The moment of truth: handing requirements to the development team. Here's what they need:

The Complete Package:

  1. Requirements document with all eight pillars completed
  2. Stakeholder contact list with decision-making authority clearly marked
  3. Constraint summary highlighting non-negotiables
  4. Acceptance criteria formatted as testable specifications
  5. Mockups or wireframes for user-facing features
  6. Data models showing entities and relationships
  7. Integration specifications for external systems
  8. Non-functional requirements with measurable targets

The Handoff Meeting:

  • Walk through top 10 requirements in detail
  • Clarify ambiguities immediately
  • Identify technical risks
  • Agree on definition of done
  • Establish communication protocol for questions

The Safety Net:

  • Assign a requirements owner available for clarification
  • Schedule weekly requirements review sessions
  • Create a shared backlog with priority rankings
  • Establish a change control process

Your Requirements Survival Kit

The eight pillars, the NFR checklist, and the handoff process cover a lot of ground. If you take nothing else from this article, these four principles and four diagnostic questions are the ones to keep close.

  • Make requirements atomic: One requirement, one testable outcome, no hidden complexity
  • Quantify everything: Business value in dollars, performance in seconds, success in percentages
  • Map your stakeholders: Know who has power, who has interest, and what keeps them up at night
  • Document constraints early: Technical, budget, time, organizational, regulatory, operational

Questions to ask yourself:

  • Can a developer read this requirement and know exactly what to build?
  • Can a tester read this requirement and write test cases without asking questions?
  • If this requirement costs $100,000, can you explain why it's worth it?
  • Have you identified the stakeholder who will kill this project in month 3 if you don't address their concern now?

The difference between a $2.3 million failure and a successful delivery often comes down to requirements that are atomic, not chaotic. Which side of that line are your requirements on?

Share this article

Share on XShare on LinkedIn

Related articles

Building Better Stories: Architecture That Actually Engages
Stakeholder ManagementDocumentation

Building Better Stories: Architecture That Actually Engages

The best architecture means nothing if no one listens. Architects are trained to think in systems and abstractions, but the people they need to convince think in stories. Learn how to use a five-act structure, concrete examples, analogies, and audience mapping to turn your technical decisions into narratives that keep stakeholders engaged and get your proposals approved.

9 min read
Solutions Architect: Five Jobs, One Salary, Zero Bathroom Breaks
Architecture PracticesStakeholder Management

Solutions Architect: Five Jobs, One Salary, Zero Bathroom Breaks

Solutions Architects live at the intersection of strategy and execution, business and technology, governance and innovation. Here's what that really means, and why being good at this job is more about multiplication than addition.

17 min read
Mind the Gap: Making Business Architecture Deliverables Work for You
Business Architecture

Mind the Gap: Making Business Architecture Deliverables Work for You

It was day one of a new strategic initiative at a European telco. The CIO had called us in a cross-functional team of enterprise and solution architects to "make sense" of the business transformation underway. The ask? Launch a new B2B digital marketplace within 12 months, tightly integrated with legacy billing and CRM systems. Before diving into cloud-native platforms, APIs, or integration middleware, we had to do the architect’s equivalent of checking the map: define the baseline and target business architectures, and more importantly, identify the gaps.

7 min read

Enjoyed this article?

Subscribe to get more insights delivered to your inbox monthly

Subscribe to Newsletter