This article addresses each of these areas – as well as some of the broader issues associated with risk-based testing.

What is Risk-Based Testing?

Generally speaking, risk is the possibility of a negative or undesirable outcome or event. Testing is concerned with two main types of risks:

• Product or quality risks, which are problems that can potentially affect the quality of the product itself, such as a defect that could cause a system to crash during normal operation.
• Project or planning risks, which are problems that can potentially affect overall project success, such as a staffing shortage that could delay completion of a deliverable.
A Case Study in Successful Risk-Based Testing at CA
Rex Black, Ken Young, and Peter Nash

Of course, not all risks are equal and there are a number of ways to classify the different levels of risk. The simplest is to look at two factors:

• The likelihood of the problem occurring, which depends primarily on technical considerations, such as the programming languages used and the constraints of a given computing platform.
• The impact of the problem should it occur, which depends primarily on business considerations, such as the financial impact of system downtime or the amount of lost staff productivity.
Risk-based testing is guided by the level of risk associated with items identified during analysis. Although risk can guide testing in various ways, there are three common ones.

First, during all test activities, test teams allocate effort to each quality risk item based on the relative level of risk. Test managers and analysts align the rigor and extensiveness of test techniques with the level of risk. They carry out test activities in risk order, starting with the most important risks. They also work with the project team to prioritize resolution of discovered defects based on the level of risk.

Second, test managers implement control steps for all significant identified project risks. A control step is either a mitigation (something done in advance to reduce the likelihood and/or impact of a risk) or a contingency (something you are prepared to do if the risk becomes an event to reduce the impact of the event). The higher the level of risk, the more thoroughly that project risk is controlled. These project risks must include risks related to testing itself, since problems during test execution can reduce test scope and thereby result in quality risks.

Third, test managers and test analysts report...