This blog post will cover what risk based testing is, how to perform it and the following
What is a Risk?
Risk can be defined as the probability and consequence of unexpected incidents.
In the context of software testing, the risk would come in the form of tight schedules, undefined project scope, insufficient resources, continuously changing resources, etc. Usually, testing is the last stage in developing an application so it always happens under pressure and severe time constraints.
When you are working on building or testing a software product in a project, there is always a risk that is involved. We can understand this using two types of risks- Product Risk and Project Risk.
What is a Product Risk?
The possibility of a software product failing or being unable to satisfy the expectations of the customer, user or any stakeholder for some reason is called Product Risk.
Some examples of Product Risk:
- Using new technology in the product like a new programming language, DataBase server, new integrations etc.
- Upgrading or migrating can affect multiple areas of the software product.
- New developer or development team who are not familiar with the product.
What is a Project Risk?
An unexpected event that can affect the project is a project risk, here the risk can have both positive and negative effects on the project.
Some examples of Project Risk are:
- Huge changes in the requirements at the last minute.
- Delay in getting the test build, unavailable test environment, delay in fixing issues in the test build and environment.
- Problems like lack of technical knowledge, shortage of staff etc.
What is Risk-Based Testing?
Now that we have seen what risk is and the types of it, let’s see what Risk-Based Testing is.
Risk-based testing is a testing methodology that manages, prioritizes and executes test activities based on the possibility and impact of risks in the software product.
It organizes the testing in such a way that it shreds off the remaining level of product risk at the time of the deployment. By doing so at the early stage of the project we can identify product risk that helps us focus on the planning, specifications, preparations and execution.
What is Risk-Based Testing in Agile?
Agile is an SDLC model that is known for its speed and flexibility. In Agile, we plan a 1 to 4-week Sprint ( a short time in which a team works to create a prototype, workable version or a new module to be added to the system). It is hard to test out every functionality thoroughly in a short time frame.
Risk-based testing makes use of such risks to prioritize and highlight the right set of tests we have to execute at the right time. It concentrates on testing the functionality that has the biggest impact and likelihood of failure.
Thus Risk-based testing strategy is especially helpful in Agile methodology, for test analysis, planning, estimation, design, execution, and results reporting.
What is the Purpose of Risk-Based Testing?
- To create and establish a framework that promotes clear discussions between different stakeholders about the risk at hand. It will help you define terms and agree on a common language that makes risk visible and actionable.
- To address client’s needs such as business features, timing, quality, cost, etc as well as development team needs such as scope, timeline, maintenance etc.
- To provide a clear framework to decide how to manage budgets, negotiate timelines, avoid delays etc without affecting software quality.
- To highlight the important features and issues to the clients, which in turn creates this hierarchy of testing requirements.
When to perform risk-based testing?
We can perform Risk Based testing for the following scenarios:
- When there is a constraint related to time, cost and resources in the project.
- When the project is full of testing challenges due to new technology and complex structures.
- When the project is completely new for the testing team, this involves a lot of risks that need accurate identification.
What is the Process involved in Risk-Based Testing?
The process involved in performing Risk-based testing can be divided into 3 steps:
- Risk Identification
- Risk Assessment
- Risk Mitigation
How to identify Risk?
The first step in solving the problem is to identify the problem.
We should have clear communication with software architects and developers who have faced many risks in the past to understand vulnerable areas in the project. Along with that our test team will analyse requirements, design specifications and other documentation to identify potential risks.
We should also be aware of the risk that may reveal themselves as the project progresses. As a testing team, we should be ready for such situations and make ourselves flexible depending upon the situation.
How to Assess Risk?
We can assess risk by classifying the risk first.
Serious: As the name suggests, it has to be the first priority, immediate action should be taken to isolate the risk. Other activities should be ceased until the risk is reduced to a low or medium level.
High: We have to isolate, eliminate, substitute the risk and implement risk controls. If we can’t resolve it immediately, we should define strict timelines to resolve these issues.
Medium: These are reasonable ones, we must implement actionable steps to minimize these.
Low: These don’t create any significant problem, but we should keep a periodical review to check whether these risks are under control.
Next, we have to identify the probability and impact of these Risks.
|Defects found in last stage||Medium||High|
|Scope not defined||Medium||Medium|
A real-life example would be Covid-19, this pandemic has a huge impact on business. Now , it is considered one of the factors when planning, budgeting, schedules and resources.
How to Mitigate Risk?
Once we have identified and assessed the Risk, the next step here would be to resolve or mitigate the risk. Mitigation deals with handling the risk and lessening its impact.
Depending upon the risk level of each module, we can decide upon the effort that we are going to allocate test activities such as test design, execution and debugging. That would be intensively testing high-risk modules and using less detailed techniques for the low-risk ones.
How to perform risk-based testing?
Step 1: We can start with risk assessment, by creating a list of major components in our application. Write down 10 to 15 critical functionality in the application and label their risk level, probability and impact.
Step 2: Now we can map our test coverage against the risk assessment to identify the gaps in our coverage. An ideal scenario would be having adequate coverage for high and medium risk areas, if not we should address them right away.
Step 3: In addition to that, we have to communicate with the product management and development team to understand key features that are going to be implemented, it’s impact and risk as well.
Step 4: Next build your test plan by assigning more testing resources to areas of high risk. Usually, newly developed features pose a higher risk to the overall application, so you can start with that.
Step 5: As we keep doing this we’ll learn from our efforts, communicate better with our teams and adjust our test plan. Eventually, we will get to the place where we have high test coverage and low risk
What are different testing techniques in Risk-Based Testing?
- Product Risk Management (PRisMa)- It is used to determine the appropriate test strategy and test design techniques in such a way that it prioritizes the high- level risk modules first.
- Pragmatic Risk Analysis and Management (PRAM) – It encloses the processes, techniques and methods that help in analysing and managing the risks associated with the project. It is based on Risk Priority number (RPN) calculation.
- Systematic Software Testing (SST) – It needs requirements specifications as input into the risk analysis.
What are the different metrics used in Risk-Based Testing?
- Number of planned vs executed test cases.
- Number of test cases – passed vs. failed
- Number of risks identified – status and severity of each
- Number of critical risks – still open
- Instances of test environment downtime
- Test Summary Report
- Test Coverage Report
- Effort expended – scheduled vs. actual
- Schedule variation – planned vs. actual
- Percentage of risk identification
- Percentage of risk mitigation
What are the Benefits of Risk-Based Testing Approach ?
- It creates a more structured with well defined scope, priority and timeline, i.e we’ll know clearly when to start/stop testing.
- It improves business performance, reduces the likelihood of negative reviews, and generally minimizes the impact of risk.
- We can focus on the critical ones in turn increasing the efficiency and decreasing the number of test cases.
- It reduces the overall cost by mitigating lots of risk.
- It continuously adjusts problematic areas through testing.
Risk based testing is a collaborative effort where the developing team and the testing team come together to mitigate risk. They assess and calculate the level of risk in each module, they map out the priority based on high level – low level risk. It avoids the over-testing, which slows down project to optimize the efficiency of the process.
- Test Strategy vs Test Plan – Difference between Test Strategy and Test Plan
- Security Testing Tutorial | Software Testing Material
- Software Test Plan Template with Detailed Explanation [Sample Test Plan Document]
- How to Minimize Testing QA Outsourcing Risks | Software Testing Material
- The Complete Guide To Writing Test Strategy [Sample Test Strategy Document]