Risk Based Testing part II.

Step by Step Guide

Did you take decision to go for Risk Based Testing approach? Great, you did the first important step. Next question is, how to effectively prepare and execute all actions to achieve desired results. Here is the step by step guide.

In my previous blog post, I have discussed the Risk Based Testing principles. Now there is a time to move forward and take necessary actions step by step.

It is a process

Risk Based Testing approach, technically speaking, is process and as such, it has to be treated this way.

It has a defined inputs, steps that have to be followed, as well as outputs or results of the process.

Risk Based Testing follows the following steps:

  • Preparation:
    • Definition of Risk Based Testing matrix (elements of tests).
    • Preparation for the risk assessment sessions, approach definition.
    • Identification of stakeholders / participants
  • Define relevant combinations of the elements that must be analysed
  • Assess the impact of possible defects
  • Assess the probability of defects
  • Determine the risk classes
  • Check completeness.

Risk Assessment Preparation

Before starting with the risk assessment itself, you will need to determine the test elements. Those are the elements of release or project that need to be analysed and tested.

You can imagine this as a matrix where elements create a combination.

  • One side of the matrix contains quality characteristics. Those are more or less fixed and standard for all your risk assessments in the future. E.g. Functionality, Performance, Usability, Security, Reliability… you may find more and use them on your project.
  • Second side contains test objects that are subject of the testing. The granularity here is up to you. It is really flexible. E.g.
    • based on the modules of the application
    • based on processes
    • based on requirements or

based on the change requests (when your project is in the support and maintenance mode.


  • Keep it simple and stay consistent over time during the project or release to release. Otherwise you will lose your audience and you will spend a lot of effort over and over.
  • You may define both sides of the table by yourself, however the preferred approach would be a discussion and group effort together with key stakeholder e.g Project Manager, Release Manager of Development Lead. You will sell this approach to them much easier if they will be part of it
An example of the test elements table

An example of the test elements table

Risk Assessment Approach

During the risk assessment meeting, you will analyse every single test element and assess the probability and Impact for each of them. One of the things, you need to do before the meeting is to prepare the categorization. You can use A,B,C or 1,2,3 or H,M,L or you can create your own ones. Keep it simple and stay consistent is again the key. You may use more than 3 levels but I would recommend to stay with 3, max 4.

And this is it. You are ready for the assessment!!!

Define relevant combinations

Defining the relevant combinations between quality characteristics and test objects is the first exercise of the Risk Assessment Meeting. Participants will indicate together if there is a combination between the relevant quality characteristics and the test object parts.

Results may look like this:

In the later stages of the process, you will work just with the “X” elements.

Assess the impact of possible defects

It is rather a business question however all participants are asked to estimate the impact of a possible defect. Of course, there will be different opinions presented. Participants with business focus see the situations differently than IT people. You as a test manager need to moderate the discussion, watching the time and finally make a conclusion. Conclusions must be justified by the majority of the participants at the end of this process and relevant cells will be marked.

Assess the probability of defects

This is more or less the same process as this mention above. The final results are also documented in the table.

Determine the risk classes

In this process the results of the two former exercises will be combined. Final score of the test elements may have more than just 3 classes, as shown in the mapping table.

The final Product Risk Log may looks like the following table.

And this is it.

Good thing is, that you have successfully delivered your first risk assessment. Your Product Risk Log was born.

Bad thing about is that this is not the end, this is just the beginning. You have now your tool to manage you next planning, preparation and execution.

Before the finish today, let me do short wrap up

Risk Based Approach is easy to implement and is a powerful tool and opportunity to reduce the level of risks to acceptable minimum. Keep it simple and stay consistent and your effort will lead to success.

And keep in mind:

No risk = > No test

Good luck


In my next post:

I will go to more generic topic, which is, testing roles on the project:

  • Responsibilities
  • Expectations
  • And more

Do not hesitate to contact me in case of any query. I will come back to you. 

Or leave a comment / feedback down bellow.

Leave a Comment

Your email address will not be published. Required fields are marked *