What is risk ?
Risk is an uncertain event or condition that, if it occurs, has an effect on at least one objective.
The probability of something happening multiplied by the resulting cost or benefit if it does. (This concept is more properly known as the ‘Expectation Value’ or ‘Risk Factor’ and is used to compare levels of risk)
With respect to software testing there are mainly two types of risks.
– Product Risk
– Project Risk
Product risk – These types of risk generally effect quality of product delivered. These types of risks directly effect test object.
Where as Project risk effect overall success of a project. For example, potential staffing shortage that could result in delay of completion of project can be classified as project risk.
In Risk Based testing we use the risk identified with the level of risks identified for each risk item to help our testing.
Risks can be used to guide testing in different ways like:
1. Based on the risks identified we can identify test objects which require more effort and accordingly allocate more time to high risk items.
2. Test reporting based on Residual Risks. Like which tests have not yet run or have been skipped? Which tests we have run ? What passed and what failed.
Just like you buy insurance when you are worried about potential risks like accident or premature death. Similarly we should test areas/objects that are worrisome and ignore the ones which are not having any risks.
Benefits of Risk based testing
- As testers we often face time pressure and seldom find enough time to run the test we want to. Mostly all testings are generally time boxed. Risk based testing provides a way to prioritize and triage test at any point of time.
- Risk based testing provides a smart way to choose finite number of tests from an infinite set of tests.
- Often when there are time pressure, risk based testing provides a way to drop test intelligently while also providing a way to discuss with project stake holders the risk inherent in doing so.
- Risk based testing helps in determining acceptable level of residual risk rather than relying on inadequate metrics like bug and test counts.