Risk analysis in software testing is an approach to software testing where software risk is analyzed and estimated. Traditional software testing usually looks at relatively straight-forward function testing.
What is Risk?
Probability of loss ‘or’ potential negative event that may or may not occur in the future. Loss can be anything i.e. increase in production cost, development of poor quality software, not meeting project deadlines, etc.
- Risk is caused due to the lack of information, time or future uncertainty.
- It provides an opportunity to develop the project better.
Types of Risks
Risks are identified, classified and managed before the actual execution of the program. These risks are classified into different categories.
- Internal Risks: These are the risks that arise from risk factors within the organization and during normal operation. These are within the control of the project team and are often forecastable, and thus can be avoided or mitigated. Internal risks mainly arise from human ‘or’ technical factors.
- External Risks: External risks are difficult to control and come from risk factors outside the organization/project. These are beyond the control of the project team and mainly stem from legislative, environmental or political changes.
Why do Risks arouse?
Software Risks arise mainly of three possible cases:
- Known Knowns: These are software risks that are actually facts known to the entire team as well as defined in the Project Management Plan. For instance: Project delay due to not having enough developers.
- Known Unknowns: These are the risks that the organization is aware of but is unaware of the size and effect of the risk, whether they still exist or not.
Example: Requirements from the client are not captured properly and this fact is known to the project team. However, whether the client has communicated all the information properly or not is unknown to the project.
- Unknown Unknowns: These are risks that come from situations that are highly unexpected by the organization.Example: They are generally related to working with technology ‘or’ tools that you have no idea about but your client wants to work that way.
Risk Analysis and Management involves the identification of the areas of uncertainty that could negatively affect value; Analyze and Evaluate those uncertainties; and also develops and manages the Ways of dealing with the Risks.
- Risk Management is an ongoing activity i.e. continuous consultation and communication with stakeholders helps to both identify new Risks and to monitor the identified Risks.
- The Project Team can develop plans for avoiding, reducing, or modifying the Risks, and when necessary, implementing these plans.
Elements of Risk Analysis -
Risk analysis is the process of identifying risks in applications and prioritizing them to test. The goal is to identify a comprehensive set of relevant Risks and to minimize the unknowns.
- Risks are discovered and identified through a combination of expert judgment, stakeholder input, experimentation, past experiences, and historical analysis of similar initiatives and situations.
- A Risk event could be due to one occurrence, several occurrences, or even a non-occurrence.
- A Risk condition could be just one event or a combination of events. One event or condition may have several consequences, and one consequence may be caused by several different events or conditions.
Analysis of a Risk involves understanding the Risk and estimating the level of a Risk. Sometimes controls may already be in place to deal with some Risks, and these should be taken into account when analyzing the Risk.
The “Risk Impact Scale” is the best way to showcase the impact of Risks.
- The likelihood of its occurrence could be expressed as a probability either on a numerical scale or with values such as Low, Medium, and High.
- The impact of any Risk can be described in terms of cost, duration, solution scope, solution quality, or any other factor agreed to by the stakeholders such as reputation, compliance, or social responsibility.
- The Risk Analysis results are compared with the potential value of the change ‘or’ of the solution to determine if the level of risk is acceptable or not.
- An overall project Risk level may be determined by adding up all the individual risk levels.
There are four possible ways to deal with Risks:
Avoid: Eliminate the threat ‘or’ protect the project from its impact. Common actions that can eliminate Risks are:
- Change the scope of the project.
- Extend the schedule to eliminate a Risk to timely project completion.
- Change project objectives.
- Clarify requirements to eliminate ambiguities and misunderstandings.
Reduce the probability or impact of the risk. This is not always possible and often comes with a price that must be balanced against the value of performing the mitigating action.
Sometimes there is no other alternative than to proceed with the project and accept the Risk. But producing documentation, holding meetings, and communicating the Risk with stakeholders can go a long way toward minimizing the damage.
Strengths of Risk Analysis
Risk Analysis can be applied to Strategic Risks which affect the long-term value of the enterprise; Tactical Risks which affect the value of a change; and Operational Risks which affect the value of a solution once the change is made.
- An organization typically faces similar challenges on many of its initiatives. The successful Risk responses on one initiative can be useful lessons learned for other initiatives.
- The Risk level of a change ‘or’ of a solution could vary over time. Ongoing Risk Management helps to recognize that variation and to re-evaluate the Risks and the suitability of the planned responses.
- It can transform Risks into a threshold for new opportunities.
- Prevents department isolation.
The number of possible Risks to most projects can easily become unmanageably large. It may only be possible to manage a subset of potential Risks.
- There is the possibility that significant Risks are not identified.
- High dependency on team experience.
- Vague, difficult to implement plans.
Managing Risks doesn’t mean one will be able to fend off all the unwanted events from the project but it does imply that when ‘or’ if they do happen, you’re prepared to respond to them. No matter how hard one tries, it is impossible to plan for every single Risk. As soon as something is noticed that’s not quite right, don't mull over it excessively - voice it out and collaborate with the project team to develop an effective strategy for responding to it.