is an approach to testing wherein the risks identified, along with the level associated with each risk, are used to plan testing. This blog post gives an overview of testing based on the analysis of risks and their levels, plus a look at an informal method of performing the analysis.
To begin, we look at what constitutes a risk. By definition, risk is the possibility of a negative or undesirable event or outcome. From a testing perspective, we are concerned with two categories of risk. The first category is Quality risk, which affects the product, such as potential defects in the product that cause it to crash, lose data, etc. The second category is Project risk, which relates to management of the project and includes items such as inadequate resourcing, insufficient time to test, late binding features, etc.
Our focus here is on the Quality risks. Risks, once identified, need to be classified and ordered according to their risk level. A risk level signifies the importance of a risk as defined by its likelihood of occurrence and its business impact. Risk level can be expressed as high, medium or low, or in terms of a number. Risk levels help in determining the extent of testing to be performed against a particular risk. You would naturally want to focus the greater part of your test effort on the areas that have the higher levels of risk. As testing progresses, risks are re-assessed, and reports apprise stakeholders of the residual risk.
Identification and analysis of risks can happen at each phase: requirements, design, development. It may also be viewed as a form of review to determine what the product might do that it should not be doing. Informal techniques of risk analysis may be used for most projects that do not require heavyweight formal techniques of assessment. These require much less commitment of time and effort and also need little documentation. Here, stakeholder inputs based on their knowledge of requirements and experience, any historical information, and checklists of risks are used to identify and classify risks. Since input from stakeholders is important, getting the right people to participate is key, so that risks are correctly identified and risk levels correctly assessed.