A few years ago, I was reading a paper that mentioned Risk Based Testing and it said:

Risk Based Testing is:

  • Risk Identification
  • Risk Assessment
  • Risk Mitigation

This started a series of thoughts for me.  First – I recognised those words: they are the simplified, generic stages of Risk Management that you might read in any material dealing with risk management.  Secondly, I have been in testing for over 20 years and have worked in teams that called themselves Risk Based many times, but, although we spoke of risk often, we did not use these words to describe our activities. So … is it right to say that this is the Risk Based Testing process?  I had to have a pretty good think.

Well, in Risk Identification one examines the context, realises that there are far too many risks to be able to identify and manage them all, and so works to select the significant, important risks and manage those.  In testing we have an activity where we examine the context of the application to be developed, realise that there are too many tests to be able to identify and run them all (exhaustive testing is impossible) and select the significant, important tests and work on those.  We call this Test Analysis.

Risk Identification = Test Analysis

When we identify a test, we are identifying a risk.  When we create a test to ensure that the Log On function works, we do so specifically because there is a risk that it will not work.

In Risk Assessment we put values on the likelihood and impact (at least) of the risks in order to put the list of risks identified into a meaningful order so that we can manage the most serious ones first.  In testing we examine which tests will cause more damage to the business (impact) and where in the system defects are more likely to appear (likelihood) and order our tests to address the most significant ones first.  We call this Test Prioritisation.

Risk Assessment = Test Prioritisation

In Risk Mitigation we take actions to reduce the impact, or likelihood, or both, of the risks to bring the level of risk down to an acceptable level.  In testing we act to reduce the probability of undetected defects going live down to an acceptable level (we can never guarantee that software is defect free). We call this action Test Execution.  Test Execution reduces risk – Risk Management teaches us that risks are unknowns; testing provides information and therefore reduces the unknowns.

Risk Mitigation = Test Execution.
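The three mappings above can be shown as one small worked procedure. The code below is an added illustration, not something from the article or from any named method: a constructed catalogue of tests, each carrying a likelihood and an impact score on an assumed 1-to-5 scale, is prioritised by exposure (likelihood × impact), executed within a time budget, and the exposure left unexecuted is reported as the residual unknown. The test names, scores and pass/fail results are all invented for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    """One identified test, i.e. one identified risk (Risk Identification = Test Analysis)."""
    name: str
    likelihood: int   # 1 (low) .. 5 (high): how likely a defect is in this area (assumed scale)
    impact: int       # 1 (low) .. 5 (high): business damage if a defect here goes live (assumed scale)

    @property
    def exposure(self) -> int:
        # The usual risk score: likelihood multiplied by impact.
        return self.likelihood * self.impact


# Constructed catalogue for the example; the names and scores are invented.
CATALOGUE: list[TestCase] = [
    TestCase("profile_avatar_upload", likelihood=2, impact=1),
    TestCase("report_export",         likelihood=4, impact=2),
    TestCase("log_on",                likelihood=5, impact=5),
    TestCase("password_reset",        likelihood=3, impact=4),
    TestCase("payment_submit",        likelihood=3, impact=5),
]

# Constructed execution results (True = passed); anything absent is treated as passed.
SAMPLE_RESULTS: dict[str, bool] = {"password_reset": False}


def prioritise(tests: list[TestCase]) -> list[TestCase]:
    """Risk Assessment = Test Prioritisation: highest exposure first.

    Ties are broken by impact (the costlier failure first), then by name so the
    order is stable and reviewable.
    """
    return sorted(tests, key=lambda t: (-t.exposure, -t.impact, t.name))


def residual_exposure(tests: list[TestCase], executed: set[str]) -> int:
    """Exposure that is still an unknown: the tests that have not been run yet."""
    return sum(t.exposure for t in tests if t.name not in executed)


def execute_within_budget(
    tests: list[TestCase], budget: int, results: dict[str, bool]
) -> tuple[list[str], list[str], int]:
    """Risk Mitigation = Test Execution.

    Runs the top-priority tests that fit in `budget` slots, records which of them
    failed (a defect found before go-live), and returns the residual exposure
    that remains because the lower-priority tests were never executed.
    """
    executed: list[str] = []
    failures: list[str] = []
    for test in prioritise(tests)[:budget]:
        executed.append(test.name)
        if not results.get(test.name, True):
            failures.append(test.name)
    return executed, failures, residual_exposure(tests, set(executed))


if __name__ == "__main__":
    print("Priority order:", [t.name for t in prioritise(CATALOGUE)])
    print("Exposure before execution:", residual_exposure(CATALOGUE, set()))
    ran, failed, left = execute_within_budget(CATALOGUE, budget=3, results=SAMPLE_RESULTS)
    print("Executed:", ran)
    print("Failures found:", failed)
    print("Residual exposure after execution:", left)
```

The point the numbers make is the one in the text: execution does not make the software defect free, it converts unknowns into knowns. The residual figure is the part of the identified risk the team has chosen, for lack of budget, to leave unknown, and that choice is exactly what a risk-based test report should make visible.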

So – the words all map to testing.  Are they therefore correct – that Risk Based Testing is Risk Management?  Yes … and No.

The activities identified are not activities that we perform only in Risk Based Testing; they are activities that we perform in all forms of testing. Therefore:

All testing is Risk Management.

We decided to put this hypothesis to the test.  I booked onto a risk management training course and qualification: M_o_R by Axelos.  This is a risk management method and qualification aimed at anyone involved in organisation / corporate risk management (and indeed any other form of risk management) and the other participants in the course were company directors, charity directors and civil servants.

My theory was that, because testing is risk management and the activities of testing map to risk management activities, I would find that this mapping continued all the way through an in-depth risk management process. Because I am well versed in test management and testing principles, I should therefore find the course quite straightforward.

To cut a long story short, the theory was proven correct – I found the course enjoyable and straightforward, and I passed the foundation and practitioner exams with the highest scores in the class. The activities the course took us through are the things that we have slowly, over the 40 or so years since Myers wrote The Art of Software Testing, introduced to the testing process, including scope definition, stakeholder management and the stages mentioned above.  The most important difference is that risk managers have been working on this process specifically. Their process is more in-depth throughout – the testing process started from the mitigation activity of test execution and grew from there.  It seems to me that there are things for testers to learn from risk managers.

Next time I will start to examine what lessons we might learn from it.

Joe Elledge is an accredited trainer of BCS, ICAgile, iSQI, PeopleCert and ISTQB certified courses, with over 20 years’ experience in test management, quality assurance and training roles. Joe has worked in a variety of industries, including Telecommunications, Banking, Insurance, and automotive and in a variety of geographical regions, including UK, Ireland, Germany, India, America, Scandinavia, and Switzerland. Find out more about us and our other Expleo Academy trainers.