
To Risk It or to Identify and Fix It? What’s Your Take?


What is a risk? Risk is the potential for failure. When risk is discussed in the software industry with respect to delivery, it is attributed to either project risk or product risk.

How do we avert risk from our project delivery? This can be taken care of by the testing team, but how?

With today’s dynamic market, where the technology is made obsolete by a better technology being developed, Time to Market has become most vital. To meet these shorter time spans, organizations are adopting agile concepts. Iterative models are being followed for incremental deliveries based on the priorities defined by the stakeholders. The answer to all this from a testing perspective is risk-based testing. Identifying and mitigating risk play vital roles. When was the last time you approached testing using a risk-based model? This is possible by designing a test plan that aligns with delivery and operations. Risk-based test management is the solution to achieve timely delivery, focusing on business-critical requirements. The methodology that provides an evaluation of requirement risk (business risk or technical risk) as an input to test planning is a full-lifecycle proposition.

Sometimes it becomes difficult and taxing to identify the potential risk(s), as things might not be evident and straightforward. Locating the upfront risks is as important as contemplating the potential risk(s) based on the market in which our client operates. Potential risks can be the technologies involved, the current and potential competition, and the possible security issues around the flexibility and limitations of the software being designed. The substantial uncertainty that may occur in the future can endanger the project objectives. The potential risks are not for the vendor to solve unless the client provides enough data and looks forward to such consultancy from the vendor. Projects will never be subject to the same kind of risks, so the risk management exercise should be conducted each time. Nothing remains constant and risks change over time; hence the need for organizations to forecast and assess the potential risks before critical decisions are made.

There are two dimensions to potential risk. We can qualify the risk as well as quantify it. To analyze something, we need to know the volume of occurrence as well as the level of impact. If we prioritize the identified risk on a scale, considering the probability of occurrence against the level of impact it can have on the project, particularly on the key attributes of budget, schedule, or quality, this is a qualitative approach to analyzing the risk.

This prioritization is in turn consumed and, additionally, highly processed data is used to quantify the probability of the high-priority risks numerically. The result acts as input for making decisions amidst the uncertainty, for verifying the alignment with specific project objectives, and for computing the achievable margins, release date, and scope. This is a quantitative approach to analyzing the risk.

Identifying and Analyzing Risk –

There are certain methods that can be used to identify the risk and impact, and for analyzing the probability of recurrence based on past data.

Cause and Effect Matrix. This is a useful method for the root cause analysis conducted at the end of the project delivery. To identify the possible causes, the participation of all stakeholders is essential for brainstorming and forming a Fishbone diagram. Assigning scores to each of them helps to understand which activities created the risk and the critical steps present in the process.

| Why and how? | Control | Manage |
| --- | --- | --- |
| Cause | Controlling the risk cause | Pre-impact recovery planning and preparation |
| Cause-Effect Linking | Delinking the cause and effect | Identifying post-impact recovery measures |

Failure Mode Effect Analysis (FMEA). It is a systematic and qualitative tool, widely used in early development cycles for analyzing potential reliability or quality problems. FMEA is measured by 3 factors:

  1. Frequency: Tracked on a scale of 1 to 10, indicates how frequently a discrepancy is likely to occur.
  2. Severity: Factor that determines the possible impact on the client.
  3. Detection: The probability of the discrepancy event getting detected.

Prioritization based on the 80-20 principle proposed by Pareto is done for each of the criteria identified.

Risk Control. This method is used to define an acceptable level of risk for an organization. Senior management sets this by having thorough discussions with the stakeholders. Once the risk tolerance level is earmarked for the organization, called Risk Appetite, the assessment is carried out to identify if the risk foreseen is exceeding the defined value. If so, mitigating actions are taken accordingly.
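As an added example (not from the original article), the FMEA scoring, Pareto prioritization, and risk-appetite check described above can be sketched as follows. It assumes the three factors are multiplied into a risk priority number (the usual FMEA convention), that a higher detection rating means the discrepancy is harder to detect, and that the risk appetite is a threshold on that number; the register entries are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    area: str
    frequency: int   # 1-10, how often the discrepancy is likely to occur
    severity: int    # 1-10, impact on the client
    detection: int   # 1-10, assumed orientation: 10 = least likely to be detected

    def __post_init__(self):
        for name in ("frequency", "severity", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.area}: {name}={value} is outside 1-10")

    @property
    def rpn(self) -> int:
        # Risk priority number: product of the three factors (1..1000).
        return self.frequency * self.severity * self.detection


def pareto_focus(risks, share=0.80):
    """Smallest set of top-ranked risks covering `share` of the total RPN."""
    ranked = sorted(risks, key=lambda r: r.rpn, reverse=True)
    total = sum(r.rpn for r in ranked)
    focus, running = [], 0
    for risk in ranked:
        if running >= share * total:
            break
        focus.append(risk)
        running += risk.rpn
    return focus


def exceeds_appetite(risks, appetite):
    """Risks whose RPN is above the agreed tolerance and need mitigation."""
    return [r for r in risks if r.rpn > appetite]


# Constructed sample register for an imaginary web application.
REGISTER = [
    Risk("login and session handling", 6, 9, 7),
    Risk("payment processing", 3, 10, 8),
    Risk("file upload", 5, 7, 6),
    Risk("report export", 4, 4, 3),
    Risk("profile page layout", 7, 2, 2),
    Risk("help pages", 2, 1, 2),
]

if __name__ == "__main__":
    for r in pareto_focus(REGISTER):
        print(f"{r.rpn:4d}  {r.area}")
```

The areas returned by `pareto_focus` are the ones the test plan should cover first; anything returned by `exceeds_appetite` needs a mitigating action before release.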

Respond to Risk. This is more of a corrective-action-taking method to mitigate risk and eliminate what has gone wrong in an effective way.

These are the most effective actions to take towards a potential risk:

  1. Accept: To perform the risk assessment, take no action, and continue the same way, which is accepting the risk.
  2. Avoid: To identify the risk and prevent it by not taking part in any risk-causing act.
  3. Transfer: To avert and transfer the risk to a different entity altogether, if possible.
  4. Mitigate: To mitigate risks by adding suitable controlling measures or by manipulating the risky behavior by modifying its probability or at least the level of impact.

The main aim of risk mitigation is to reduce the probability of occurrence to a manageable level of impact. The process is structured in the steps below:

  1. Discussing the probable controls.
  2. Measuring benefits.
  3. Estimating the associated cost.
  4. Evaluating the resultant probability.
  5. Effect and residual risk.

 

So, in short –

  1. Identify the critical blockers as quickly as possible (at the lowest price).
  2. Target the business-critical area first and provide confidence to the business.
  3. Justify testing effort + cost of business and technology risks.

 

The solution as a Tool to Manage Risk –

Taking the current market into account, there is an acute requirement for a tool that could at least do the following activities, while managing the risks and helping us with the risk-based test management:

Synergetic Review and Feedback – A platform to have collective review and feedback by all the concerned stakeholders as reviewers so they can vote for an item in question and provide their valuable inputs as comments. This platform should be usable for discussion and should help tracking the review and feedback being provided.

Analyzing End Effect – Based on custom relationships, if the work items can be linked, the impacts associated with the artifacts can be analyzed. Based on priority, prominent impact areas can be identified, and mitigation plans can be agreed upon. Test plans could leverage the identified impact areas.

Complete Traceability – Traceability is a great means of control by establishing the two-way relation between the business requirements and the test cases, which in turn, help to track the changes impacting each other, thus helping to measure the residual risks associated with the overall project.

Test Execution – A tool that can support test execution, whether it’s manual or automation testing. Based on a trigger or due to a changed priority, the tool should be capable of running the required test suite.

Exhaustive Metrics – A tool that can generate real-time visual metrics and graphical representations highlighting the actions to be taken on a customizable dashboard for management personnel to make critical business decisions.

A tool that can be used from test planning through test execution to bug reporting. It should allow workflows to be configured accordingly and business rules to be set without writing even a line of code.

A flexible tool that can offer value proposition by adjusting to the company’s specific business needs.
