There has been a lot of buzz in the industry around Risk Based Testing. Before we talk about this, let’s agree on why we do testing. Testing is basically a component of a risk mitigation strategy for any project, regardless of size. The objective of testing is to uncover defects that may lead to undesirable results for the system users and for the organization. The potential for undesirable results is generally referred to as risk. By employing proper techniques, testing can help avoid or mitigate business risks for an organization.
We all agree that the system has to be tested thoroughly, and we all want to deliver 100% defect free systems. But, we live in a practical world where we don’t have the luxury of time and money to test everything and anything that we want to test. So, it is critical to plan and prioritize the tests based on the business risks to obtain optimum results. Below are three high level steps to implement risk based testing in your projects.
STEP 1 - Risk Evaluations: This step is to evaluate all requirements in the project and assign appropriate risk parameters. The parameters are Business Criticality and Failure Probability. Business Criticality is an indicator of how critical the requirement is to the business. It can be categorized as 1-Critical, 2-Important, and 3-Nice to have. If a requirement is critical, the business impact will be severe if it fails or malfunctions. The Failure Probability is an indicator of how likely the requirement is to fail, and it is assessed based on the technical complexity of how the requirement is being implemented. It can have the following three values: 1-High, 2-Medium, and 3-Simple. To give an example from a Guidewire implementation perspective, a business requirement with ‘1-Critical’ Business Criticality can have ‘2-Medium’ Failure Probability if the requirement is being configured by leveraging Guidewire out of the box functions.
STEP 2 - Risk Analysis: Once risk evaluations are completed for all applicable requirements, risk analysis has to be performed on each one and its risk score calculated accordingly. For example, a requirement with ‘1-Critical’ Business Criticality and ‘1-High’ Failure Probability gets the highest risk score possible. You may develop your own simple Excel tool to calculate the risk scores or, alternatively, there are several tools available in the market to help you with that.
STEP 3 - Test Design and Execution: Once the risk analysis is completed, the test design and test execution can be planned based on the risk scores assigned to the requirements. The risk scores can be used in the following manner:
Schedule and sequence the test design and test execution efforts based on the risk scores, i.e., schedule high risk score requirements first, before the low risk score requirements are tested. This way, the critical requirements get addressed first and adequate time and focus are allocated to the business critical requirements.
Plan and develop the number of test scenarios and test conditions based on the risk scores, i.e., requirements with high risk scores should have a higher number of test conditions than requirements with low risk scores.
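The three steps above can be sketched in a few lines of Python. This is an added example, not a tool from the article: the scoring formula (inverted ranks multiplied together), the tie-break, the per-requirement floor, the budget of test conditions and the sample backlog are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Ordinal scales from the article (1 is the most severe value on both).
CRITICALITY = {1: "Critical", 2: "Important", 3: "Nice to have"}
FAILURE_PROBABILITY = {1: "High", 2: "Medium", 3: "Simple"}

@dataclass(frozen=True)
class Requirement:
    name: str
    criticality: int          # STEP 1: Business Criticality, 1..3
    failure_probability: int  # STEP 1: Failure Probability, 1..3

def risk_score(req):
    """STEP 2 (assumed formula): invert each 1..3 rank to a 3..1 weight and multiply."""
    if req.criticality not in CRITICALITY or req.failure_probability not in FAILURE_PROBABILITY:
        raise ValueError(f"rating out of range for {req.name!r}")
    return (4 - req.criticality) * (4 - req.failure_probability)  # 9 = highest risk

def schedule(reqs):
    """STEP 3a: highest risk first; ties go to the more business-critical requirement."""
    return sorted(reqs, key=lambda r: (-risk_score(r), r.criticality, r.name))

def allocate_conditions(reqs, budget, floor=1):
    """STEP 3b: split a fixed budget of test conditions in proportion to risk score.
    Each requirement gets at least `floor`; rounding leftovers go by largest remainder."""
    ordered = schedule(reqs)
    spare = budget - floor * len(ordered)
    if spare < 0:
        raise ValueError("budget too small to give every requirement the floor")
    total = sum(risk_score(r) for r in ordered)
    shares = {r.name: spare * risk_score(r) / total for r in ordered}
    plan = {name: floor + int(share) for name, share in shares.items()}
    leftover = budget - sum(plan.values())
    by_remainder = sorted(ordered, key=lambda r: shares[r.name] % 1, reverse=True)
    for r in by_remainder[:leftover]:
        plan[r.name] += 1
    return plan

# Constructed sample backlog (not from the article).
BACKLOG = [
    Requirement("Dashboard colour themes", 3, 3),
    Requirement("Custom batch export", 2, 1),
    Requirement("Claim intake on out-of-the-box screens", 1, 2),
    Requirement("Policy premium calculation", 1, 1),
]

if __name__ == "__main__":
    plan = allocate_conditions(BACKLOG, budget=40)
    for req in schedule(BACKLOG):
        print(f"{risk_score(req)}  {plan[req.name]:>2} conditions  {req.name}")
```

The floor keeps low-risk requirements from dropping out of the plan entirely while the bulk of the budget still follows the risk score.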
With Risk Based Testing, you will be able to achieve optimum results by:
Finding critical defects early in the project;
Focusing on targeted tests with the right level of testing;
Planning and running efficient and effective test phases; and
Mitigating business risks in a measured manner to deliver a very predictable business outcome.