Measuring the Risk Factor


of complexity, a high expected impact of failure, and a high severity of failure, which would give it a risk priority of 12 (3 + 3 + 3 + 3, one score per indicator). The requirement that each password be 5 characters long has a risk priority of 7.

The next step is to reorganize the list of requirements in order of risk priority. This sorted list provides clear insight into which requirements to test first. As Craig and Jaskiel point out, however, this technique "doesn't take into account the testing dependencies." A low-priority requirement may still have to be tested before a high-priority requirement that relies on it.

Table 4—Sorted Priorities for the Login Function

After this, the software team should establish a "cut line" to indicate the point below which requirements will be tested less.

Table 5—"Cut Line" for Login Function Requirements

Table 5 indicates that the requirement "upon successful login, a welcome screen shall be presented" will be tested less in the current release of the software.
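The scoring, sorting, and cut-line steps described above, as an added Python example that is not code from the article or from TechWell. The four indicators are each scored 1 to 3 and summed, the list is sorted by the total, and a cut line is applied by rank. The individual indicator values in the sample list are constructed (the article gives only the totals 12 and 7), as are the requirement names other than the password and welcome-screen ones. As an assumption that goes beyond the article, `apply_cut_line` also promotes the test dependencies of any requirement above the cut line, which is one way to handle the Craig and Jaskiel caveat.

```python
"""Risk priority for requirements: score four indicators 1-3, sum, sort, cut."""
from dataclasses import dataclass

INDICATORS = ("likelihood", "complexity", "impact", "severity")


@dataclass(frozen=True)
class Requirement:
    name: str
    likelihood: int        # likelihood of failure, 1 (low) to 3 (high)
    complexity: int        # implementation complexity, 1-3
    impact: int            # expected impact of failure, 1-3
    severity: int          # severity of failure, 1-3
    depends_on: tuple = () # names of requirements that must be tested first

    def priority(self) -> int:
        """Risk priority = sum of the four indicators (range 4-12)."""
        scores = [getattr(self, ind) for ind in INDICATORS]
        for ind, value in zip(INDICATORS, scores):
            if not 1 <= value <= 3:
                raise ValueError(f"{self.name}: {ind}={value} is outside 1-3")
        return sum(scores)


def rank(reqs):
    """Highest risk priority first; equal priorities keep input order (stable sort)."""
    return sorted(reqs, key=lambda r: r.priority(), reverse=True)


def apply_cut_line(reqs, cut_rank):
    """Split the ranked list at cut_rank into (tested fully, tested less).

    Assumption added here, not taken from the article: a requirement above the
    cut line pulls its test dependencies above the line with it, transitively,
    so that the resulting test order is actually executable.
    """
    ranked = rank(reqs)
    by_name = {r.name: r for r in reqs}
    above = {r.name for r in ranked[:cut_rank]}
    todo = list(above)
    while todo:
        for dep in by_name[todo.pop()].depends_on:
            if dep not in by_name:
                raise KeyError(f"unknown dependency {dep!r}")
            if dep not in above:
                above.add(dep)
                todo.append(dep)
    full = [r for r in ranked if r.name in above]
    less = [r for r in ranked if r.name not in above]
    return full, less


# Constructed sample: login-function requirements. The totals 12 and 7 match
# the article; the per-indicator values and the remaining rows are made up.
LOGIN_REQUIREMENTS = [
    Requirement("Credentials are checked against the credential store", 3, 3, 3, 3),
    Requirement("Account locks after repeated failed logins", 2, 2, 3, 3,
                depends_on=("Failed-login counter is persisted",)),
    Requirement("Each password is 5 characters long", 2, 1, 2, 2),
    Requirement("Failed-login counter is persisted", 1, 2, 1, 1),
    Requirement("Upon successful login, a welcome screen is presented", 1, 1, 1, 1,
                depends_on=("Credentials are checked against the credential store",)),
]

if __name__ == "__main__":
    full, less = apply_cut_line(LOGIN_REQUIREMENTS, cut_rank=2)
    for r in full:
        print(f"{r.priority():2d}  test fully  {r.name}")
    for r in less:
        print(f"{r.priority():2d}  test less   {r.name}")
```

With the cut line set at the top two ranked requirements, the account-lockout requirement (priority 10) drags the low-priority failed-login counter (priority 5) above the line, while the password-length requirement (7) and the welcome screen (4) stay below it. Without the dependency promotion the counter would be tested less even though lockout cannot be tested without it.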

An optional further step is risk mitigation. For example, the mitigation strategy for the highest-priority risk in Table 5 may be to make code reviews a mandatory part of the software development process.

This paper presented one way to complete a risk analysis as part of the software risk management process. Risk analysis should be done early in the software development lifecycle. The method presented here is flexible and easy to adopt. I proposed that expected impact, likelihood of failure, complexity, and severity should all be considered as good indicators. Risk analysis allows you to prioritize the requirements that should be tested first, and it lets the test team set expectations about what can be tested within the project deadline. Many other indicators can be used, and a wider scale than 1-3 is also possible: the wider the scale, the more granular the analysis.

Further Reading

  • Risk-Based Testing by James Bach
  • The Risks to System Quality by Rex Black
  • Systematic Software Testing by Rick Craig and Stefan Jaskiel
  • Waltzing with Bears: Managing Risk on Software Projects by Tom DeMarco and Timothy Lister
  • Software Risk Management Makes Good Business Sense by Steve Goodwin
  • A Calculated Gamble by Payson Hall
  • Testing in a Squeezed, Squeezed World by Geoff Horne
  • How Software Doesn't Work by Alan Joch and Oliver Sharp
  • Assessment and Control of Software Risks by Capers Jones
  • An Introduction to Risk/Hazard Analysis for Medical Devices by Daniel Kamm
  • A Risk-Based Test Strategy by Dr. Ingrid B. Ottevanger, IQUIP Informatica B.V. 3 (November 22, 2000)
  • Risk Analysis Basics by Johanna Rothman
  • Cyclomatic Complexity by Edmond VanDoren
  • Risk Analysis Techniques by Geoffrey H. Wold and Robert F. Shriver, Disaster Recovery Journal, Vol. 7, No. 3

AgileConnection is a TechWell community.