Cybersecurity, Risk Management / August 1, 2025

From Risk to Requirements: Realize LIVE Insights on the Cybersecurity-Driven ALM

Recap from the Polarion Panel Discussion at Realize Live Amsterdam

At this year’s Realize LIVE in Amsterdam, we posed a bold question to the audience:

Are 60–80% of your system requirements driven by risk and cybersecurity?

Surprisingly—or perhaps not—the majority nodded in agreement.

The session was more than just a panel; it was a dynamic conversation between industry leaders, shaped by real-world experience and real challenges. Moderated by Radek Krotil (Nextedy), the panel included:

  • Hans-Juergen Mantsch (Siemens) – Leading initiatives in MBSE and Software-Defined Vehicles
  • Alexander Heyers (Siemens) – Championing Polarion adoption in regulated industries
  • Tibor Lapikas (Software Improvement Group) – Deep expertise in SBOMs, code quality, and secure development practices
  • Radek Krotil (Nextedy) – Bridging risk data and actionable requirements in Polarion through RISKSHEET

🔍 Why Risk Is Now Driving Requirements

In domains governed by safety and security—think automotive, aerospace, and medical—it’s no longer surprising that regulations and risk analyses generate the majority of system requirements. Tools and methods like FMEA, HARA, TARA, STRIDE, and CVSS shape architectural choices, verification strategies, and compliance documentation.

Modern standards (e.g., ISO 26262, ISO 21434, NIS-2, CRA) demand deep traceability. That means risk isn’t just an upstream activity—it’s the source of hundreds, if not thousands, of work items that need owners, test cases, and closure criteria.

⚠️ Where It Hurts: Gaps Between Risk and Execution

One of the central pain points discussed was the disconnect between risk assessments and requirements engineering. In many teams, risk work happens in Excel, while ALM systems like Polarion manage requirements. The result? Broken traceability, missed mitigations, and duplicated effort.

Integrated tools like Polarion + RISKSHEET or SIG’s Sigrid platform aim to solve this, helping teams:

  • Turn identified risks into actionable, testable requirements
  • Assign ownership and track implementation status
  • Keep traceability alive—even as designs and code evolve

💻 Software Eats Risk Management

With more systems becoming software-defined, risk management is no longer a one-time activity. New CVEs appear daily, SBOMs are dynamic, and OTA updates change the game. Risk is now a DevSecOps concern, not just a safety engineer’s domain.

The panel explored how continuous reassessment, tool-assisted risk modeling, and real-time traceability are now essential for compliance and resilience.

🧠 Collaboration & Culture: The Human Factor

Another theme that emerged was the need for shared understanding across roles. From cybersecurity to test engineers, from architects to compliance officers, everyone should be working on the same set of artifacts. A shared, secure ALM platform is crucial.

And yet, organizational culture is the key enabler. Without buy-in, even the best tools fall flat. The shift toward risk-driven development is as much about mindset as it is about process.

🔮 What’s Next: The Future of Risk-Driven Requirements

We wrapped up with a look ahead:

  • AI-assisted threat modeling will help detect risks earlier
  • System-of-systems engineering will stretch traceability to new levels
  • Continuous compliance will become mandatory
  • Reusable risk models will save time and reduce duplication

These trends point to one thing: deeper integration of ALM, MBSE, and security workflows will be non-negotiable.

📢 Final Thoughts

Risk-driven requirements are no longer a niche practice. They’re becoming the backbone of modern engineering. As the complexity of our systems grows, so too must our ability to trace, justify, and validate every decision—from risk to requirement to test.

Missed the session?

Or just want to go deeper? There’s no recording. However, you can still get the insights. Let’s keep the conversation going.

Book your 1:1 with Radek today.

What I can do for you:

  • Show how to turn SBOM findings into tracked work items.
  • Replace risk spreadsheets with live Polarion artifacts.
  • Benchmark how “risk-driven” your backlog really is.

So, don’t guess. Let’s map your risks to real requirements—together.
