Conducting requirements and gap analysis in projects

Companies encounter continuous need to adapt or respond to changes and internally or externally induced standards, rules and regulations. Requirements play a significant role in majority of businesses and to manage them effectively, organisation needs a well-established process related to business analysis and requirements management.

Business analysis process is a group of activities that elucidates business needs and their implementation. It analyses discrepancies and gaps within the company, including activities for their remediation. Requirements processing in a company starts with addressing the need for change, its analysis and requirements implementation, i.e. its operating in real-word environment. Requirements changes can occur throughout the project; therefore, requirements need to be regularly verified so that they properly reflect business needs and desired future state.

Correlation between requirement and gap

Requirement describes a need for new business initiative, activity, change or project with the goal of achieving a desired outcome. Generally, requirements can be business requirements or non-functional, also known as high-level requirements and functional as the low-level requirements.

Gap denotes lack of compliance, lack of quality, standards or some other element that significantly affects the organisation adversely and needs to be remediated. It represents disparity between unmet and met requirement.


Gaps can be of various kinds, such as compliance gaps, legal gaps, performance gaps, communication gaps and others. Gap management process is a common activity within an organisation, especially in very large companies and corporations governed by extensive internal policies, regulations and standards. For some companies, particularly newer and smaller ones, implementing structured gap analysis can be deemed disruptive, intimidating and unnecessary. Some businesses rather decide to leave as-is situation and consider it simply as “business as usual”. However, appropriate gap analysis can be an effective organisation´s health check and can assist in conducting internal audit process.

Stakeholders in requirements and gap management process

Stakeholders make a crucial part of requirements and gap management process. Depending on extent and volume of the process, they usually include one or several business analysts and their leads, project manager, persons from the relevant departments to which gap discovery, analysis and closing concerns; such as Legal department, IT department, Operations, Finance, and various subject matter experts as compliance officer, data protection officer, risk manager, etc.

Business analyst and project manager are mostly affected by the requirements and gap management process. They need to ensure that gaps are properly identified, analysed, complied and closed. Business Analyst is usually the activity coordinator and needs to ensure consensus on gap compliance and closure while dealing with cross-functional teams and various opposite interests.

Projects with gap remediation focus

Projects with the gap remediation focus have the task to discover, define, assess and remediate the gaps represented in a certain business activity or affecting the entire organisation.

Compliance or remediation project is created with the goal of rectification of issues, practices and processes not compliant with regulations or required framework or can negatively affect the business. Identifying what the gap is; which can be translated as-is state and defining what to-be state or remediated state must be, is a usual flow in gap remediation projects. Gaps and their remediation form a part of the project plan and when related to a similar topic, grouped into work items. Gap managing activities begin with identifying gaps, defining them, assessing, negotiating them with the relevant stakeholders, documenting and finally, remediating them.

An example of a remediation project is the project related to the General Data Protection Regulation (GDPR) implementation, which main objective is to be compliant with the respective EU Regulation. Since the GDPR Regulation came into force on 25 May 2018, the organisations across the EU and EEA had a very tight schedule to successfully implement it within their organisation. They were obliged to act timely and effectively in order to assess their as-is state, their responsibilities and duties and to properly update internal policies, processes and systems. Some tasks included conducting a detailed gap assessment and analysis to screen as-is compliance with the GDPR and remediating the gaps where non-compliance has been identified.

Description of the requirements analysis in an organisation

Requirements analysis comprises of the set of activities within overall business analysis process. It represents a requirements “refinement” phase, where requirements are analysed before entering formal documenting and approval phase. To reach requirements analysis stage, first a need for change must be identified through collecting or eliciting requirements by virtue of different tools such as interviews, questionnaires, workshops, prior documentation etc.

First versions of requirements are still work in progress; therefore, requirements need to be analysed, which means:

  1. Evaluating whether they fit the purpose,
  2. Assessing their need for re-adjustment, removal or adding
  3. Assessing whether they suit company´s strategical or operational goals,
  4. Assessing whether they are agreed among all stakeholders.
  5. Evaluating whether they respond defined standards related to contents, format and quality.

Requirements analysis serves as a basis for decision making and it is an interphase among elicitation and approved requirements, used as a control point for requirements implementation.

After being analysed and finalised in documentation, requirements are sent for approval and implementation. The approval is usually given by the project sponsor, in some cases by the project manager, as stated in official project and requirements documentation.

Dealing with under-, over- and misanalysed requirements

There can often happen that requirements are under under-analysed, misanalysed or over-analysed.

  1. Under-analysed requirements

Under-analysed requirements have not been verified, controlled and compared to identified requirement. They lack evaluation and increase the possibility of latter deviance from requested outcome and steps planned for their realisation. For example, after requirements have been elicited, they have not been confirmed and agreed among all stakeholders, yet they have been put into execution phase right away. Under-analysis can occur due to inadequate communication among stakeholders, business analyst´s inadvertence, lack of resources, budget or time.

  1. Misanalysed requirements

Misanalysed requirements, as their name suggest, miss the purpose of their analysis and misinterpret the requirement. They are misleading and contribute to misunderstanding of what actually needs to be done, which can have severe consequences on business performance and success.

  1. Overanalysed requirements

Overanalysed requirements have unnecessary high level of analysis and do not serve the intended purpose. For example, business analyst or project manager focuses too much on quantity of requirements documentation and details having no significant impact on fulfilment of requirements purpose. Overanalysing can lead up to postponing of requirement implementation, bringing to scope creep and significant deadline breach.

Gap Analysis for comparing as-is and to-be state of an organisation

Gap analysis has the task to analyse identified gaps within an organisation and to assess their impact on the organisation. It usually assesses company’s existing processes, procedures and policies, i.e. as-is situation in terms of compliance with regulatory standards, laws, codes, guidelines or rules, best business practices or state and international regulations. Legal assessment of identified gaps often may be necessary either only for certain gaps, or all of them. Legal assessment can be executed by the legal department or by external law firm.


Gap analysis can be a very comprehensive work to conduct and often, everybody within the organisation is affected by it in some way. Gap analysis process should be tailored to meet the company´s needs. Gap analysis does not need to be particularly standardised, but it has to be structured in a way which is easy to follow and maintain. For each identified gap there need to be assessed its priority level, risk and urgency level, as well as other parameters if needed.

Gap analysis produces a number of underpinning documents such as document evidences, process documentation and others. Those documents are usually part of deliverable package.

Gap analysis can be conducted on different depth level and can be performed both by internal and external resources. Gap analysis and remediation progress is followed through so-called gap tracker document which depicts gap status.

Risk assessment and gap assessment are interconnected in many ways. Risk assessment is an important part of the whole gap remediation process where the risks are identified, managed and monitored. It serves as an “entry ticket” for gap assessment, controlling how the gap and its remediation affects the project and the business. When defining gap risk, one must assess its probability of occurrence as well as its impact.

Documents in gap analysis process

Gap management process begins with gap identification and its recording into an appropriate document where a thorough gap analysis is conducted. During the gap management process, there are created documents such as Gap Scope Statement, Gap Compliance Document, Gap Closure Document. Gap Scope Statement usually describes the following:

  1. Details on the document version, date, place, country, business unit
  2. Information about the gap – gap number, gap name, gap description, gap priority level, etc.
  3. Gap deliverables
  4. Gap acceptance criteria, its constraints and assumptions
  5. Sign-off details (name of document approver, approval date, etc.)

Gap closing process can vary from organisation to organisation, depending on e.g., size of organisation, its activities and organisation structure, gap type, etc. Once all gaps have been approved for closing and eventually closed, the project is in process of closing as well.

What matters in gap and requirements management process?

  1. Appropriate level of requirements analysis needs to be applied, with avoidance of over-analysing, under-analysing or misanalysing of requirements.
  2. Relevant metrics, parameters, frameworks and standards need to be identified and evaluated for gap remediation
  3. All stakeholders need to be properly identified and managed, including maintaining good relationship with them.
  4. Requirements and gap documentation need to be kept and maintained in appropriate repository, accessible to all involved parties.
  5. Critical thinking, good judgement and consultation are necessary when assessing whether the gap satisfies all conditions for closing or additional clarification is needed.
  6. Some stakeholders may continuously avoid agreeing to gap closure, it is important to be ready for such situations and make certain that all relevant evidences and arguments to resolve the disagreement are available.
  7. It is necessary to pay attention to lessons learned for latter subject-related tasks or projects.