Is possibility of a negative or undesirable outcome
It is a possibility, not a certainty
The level of risk associated with its possible negative consequences
Risk is classified into 2 types: Product Risk and Project Risk
Where to look for risks?
Dependencies: HR, tool, equipment, etc.
Assumptions: may not actually be true.
Project characteristics: objectives, requirement, design, implementation, testability, etc.
Activities on the critical path
Team spirit and attitude
Outside project: organization, policies, rules, standards, etc.
….
Product Risk
Product risks/Quality risks: the possibility that the system or software might fail to satisfy some reasonable customer, user, or stakeholder expectation
Unsatisfactory software might:
Omit some key functions that the customers specified
Unreliable and frequently fail to behave normally
Fail in ways that cause financial or other damage to a user or the company that user works for
Have problems related to a particular quality characteristic, which might not be functionality, but rather security, reliability, usability, maintainability or performance
Project risks: apply to testing. The same concepts we apply to identifying, prioritizing and managing product risks.
What project risks affect testing?
Direct risks:
Late delivery of the test items to the test team
Availability issues with the test environment
Indirect risks
Excessive delays in repairing defects found in testing
Problems with getting professional system administration support for the test environment
For any risk, product or project, you have four typical
options:
Mitigate: Take steps in advance to reduce the likelihood (and possibly the impact) of the risk.
Contingency: Have a plan in place to reduce the impact should the risk become an outcome.
Transfer: Convince some other member of the team or project stakeholder to reduce the likelihood or accept the impact of the risk.
Ignore: Do nothing about the risk, which is usually a smart option only when there's little that can be done or when the likelihood and impact are low
Software Quality and Risk
Contrary to popular beliefs, testing cannot demonstrate that software works
Software testing must be viewed as a risk mitigation activity designed to reduce the risk of defects in software
Standard lists of risk factors are useful for identifying potential risks
Risk analysis priorities risks based on the likelihood that they will occur & their potential impact
Software testing
To prove the software works correctly
Executing all paths => Only possible for a simplest of software
Every combination of input & output => Only possible if the executing the tests could be performed automatically
Testing and Risk:
There will always be a real possibility that software will contain defects no matter how well it is tested
The goal of software testing is to minimize the risk of defects Risk-based Testing
Uses risk to prioritize and emphasize the appropriate tests during test execution
Starts early in the project, identifying risks to system quality and using that knowledge of risk to
guide testing planning, specification, preparation and execution
Involves both mitigation and contingency
Mitigation - testing to provide opportunities to reduce the likelihood of defects, especially high-impact defects
Contingency - testing to provide opportunities to reduce the likelihood of defects, especially high-impact defects
Minimizing Risks
Risk assessment:
Identify what potential risks exist
Determine the likelihood of a risk occurring & the impact if it occurs
Risk control: identify & perform activities to
Minimizing the likelihood of a risk occurring
Minimizing the impact if the risk occurs
Risk Statement template
Given the <condition>, there is a possibility that
<consequence> will occur
Condition: describes the situation that gives rise to the risk
Consequence: describes a potential undesirable outcome related to the situation
Analyzing Risks
Quality Risk Dimensions
Prioritizing Risks
Compare risks with the software quality characteristics described in ISO 9126 and estimate the potential impact that each risk could have each characteristic
Example: (open excel file for reference)
Risk Factor Influence on Software Quality Characteristics
Example
Risk Control
Risk can be controlled by planning, specifying & executing activities designed to:
Minimize the likelihood of a risk occurring
Minimize the impact of the risk if it does occur
The results of executing risk control activities is recorded for three reasons:
The record provides auditable evidence that the risk control activities were performed
The data can be used to measure the efficiency of the risk control activities
The data can be used o decide if an acceptable level of risk has been achieved
