Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based...

Risk Risk-Based Testing In Practice Based Testing In Practice PRISMA PRISMA ® Erik van Veenendaal Erik van Veenendaal www.erikvanveenendaal.nl www.erikvanveenendaal.nl Never speculate on Never speculate on that which can be that which can be known for “certain” known for “certain”

Transcript of Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based...

Page 1: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

RiskRisk--Based Testing In PracticeBased Testing In Practice


Erik van VeenendaalErik van Veenendaalwww.erikvanveenendaal.nlwww.erikvanveenendaal.nl

Never speculate on Never speculate on that which can be that which can be known for “certain”known for “certain”

Page 2: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Erik van Veenendaal

� Founder and major shareholder ImproveQS

� In testing since 1989 working for many different clients and in many different roles

� Author “TMap”, “The Testing Practitioner” and many other books and papers

www. erikvanveenendaal.nl

Improve Quality Services BV 22

other books and papers

� Vice-President International Software Testing Qualifications Board (ISTQB) 2005 - 2008

� Vice-Chair TMMi Foundation

� Keynote speaker, e.g. EuroSTAR, STAReast

� Winner of the European Testing Excellence Award (2007)

Page 3: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Improve Quality Services BV

� Service organization in the area ofTesting, Requirements Engineering and Quality Management

� Consultancy, Subcontracting and Training

www. improveqs.nl

Improve Quality Services BV 33

� Consultancy, Subcontracting and Training

SW Process ImprovementQuality AssuranceIT-AuditingRequirements Engineering& management (IREB)

Testing (TMap, TMMi)Test Process ImprovementCertification (ISTQB)- incl. Advanced !!Inspections / Reviews

Page 4: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

What is Risk?What is Risk?

�� “A factor that could result in a “A factor that could result in a future future negativenegative consequence; usually expressed consequence; usually expressed as impact and likelihood” (ISTQB Glossary)as impact and likelihood” (ISTQB Glossary)

��Testers ‘only’ have the responsibility to Testers ‘only’ have the responsibility to

Improve Quality Services BV 4

��Testers ‘only’ have the responsibility to Testers ‘only’ have the responsibility to identify the risks and provide information on identify the risks and provide information on their statustheir status

�� “to dare to undertake”“to dare to undertake”��management attitude and style…..management attitude and style…..

Page 5: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Testing = Risk ManagementTesting = Risk Management

�� Objective: most Objective: most feasiblefeasible coveragecoverage��Effective usage of limited resourcesEffective usage of limited resources

�� ResourcesResources��StaffingStaffing

Improve Quality Services BV 5


�� InfrastructureInfrastructure

��Time !Time !

�� ....

�� the the rightright level and type of coverage on thelevel and type of coverage on therightright parts at the parts at the rightright timetime

Page 6: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

The challenge….The challenge…. if onlyif onlywe knew !!we knew !!

Improve Quality Services BV 6

Page 7: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

RiskRisk--Based TestingBased Testing

�� Risk identificationRisk identification looks at ways of looks at ways of establishing what the risks are and where establishing what the risks are and where they arethey are

�� Risk analysisRisk analysis looks into the critical, complex looks into the critical, complex

Improve Quality Services BV 7

�� Risk analysisRisk analysis looks into the critical, complex looks into the critical, complex and potential error prone areasand potential error prone areas

�� Then we build tests to Then we build tests to mitigatemitigate the riskthe risk

�� Subsequently we Subsequently we monitormonitor and and reportreportregarding the risksregarding the risks

Page 8: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Based on practical experiencesBased on practical experiences

Improve Quality Services BV 8

Page 9: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Risk IdentificationRisk Identification

�� Split up in functional and/or technical itemsSplit up in functional and/or technical items

�� Higher level test according to requirementsHigher level test according to requirements

�� Lower levels test according to architectureLower levels test according to architecture

Improve Quality Services BV 9

�� May also be based on a brainstorm sessionMay also be based on a brainstorm session

�� Maximum number of appr. 35 risk itemsMaximum number of appr. 35 risk itemsRisk item 1Risk item 1 FunctionalityFunctionality

Risk item 2Risk item 2 SecuritySecurity

Risk item 3Risk item 3 FunctionalityFunctionality

Risk item 4Risk item 4 InteroperabilityInteroperability

Page 10: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Risk AnalysisRisk Analysis

�� Risk = impact x likelihoodRisk = impact x likelihood��What is the impact for the business ?What is the impact for the business ?

��What is the likelihood that there are defects ?What is the likelihood that there are defects ?

�� Determine factors based on previous Determine factors based on previous

Improve Quality Services BV 10

�� Determine factors based on previous Determine factors based on previous projects, e.g. defect patternsprojects, e.g. defect patterns

You already know this !You already know this !Exercise: Risk FactorsExercise: Risk FactorsImpact Impact –– Business riskBusiness risk








l ris



cal r


Page 11: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Factors From PracticeFactors From Practice

�� LikelihoodLikelihood��complexitycomplexity

��new development new development (level of re(level of re--uses)uses)


�� ImpactImpact��business importance business importance

(“selling item”)(“selling item”)

�� financial (or other) financial (or other) damage (e.g. safety)damage (e.g. safety)

defect patterns / historydefect patterns / history

Improve Quality Services BV 11

�� interrelationship interrelationship (# interfaces)(# interfaces)


�� technologytechnology

��geographical spreadgeographical spread

�� inexperience (of inexperience (of development team)development team)

damage (e.g. safety)damage (e.g. safety)

��usage intensityusage intensity

��external visibilityexternal visibility

��cost of reworkcost of rework

�� legal sanctionslegal sanctions

WeightingsWeightingscan be appliedcan be applied


Page 12: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Stakeholder AnalysisStakeholder Analysis

�� A stakeholder is anyone who is interested in A stakeholder is anyone who is interested in the product (both internal and externalthe product (both internal and external)

�� Who is responsible?, Who is responsible?,

�� Who has a problem when things go wrong?Who has a problem when things go wrong?

�� Who needs the system at their work?Who needs the system at their work?

Improve Quality Services BV 12

�� Who needs the system at their work?Who needs the system at their work?

�� Document the knowledge areas of the Document the knowledge areas of the stakeholdersstakeholders��e.g. factors, domain, requirements typee.g. factors, domain, requirements type

�� Missing stakeholders means missing risks!!Missing stakeholders means missing risks!!

�� Assign factors to stakeholdersAssign factors to stakeholders

Page 13: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Individual stakeholders scoringIndividual stakeholders scoring



Usage Usage



Item 1Item 1 5555

9 : Critical9 : Critical5 : High5 : High3 : Moderate3 : Moderate1 : Low1 : Low0 : None0 : None

Improve Quality Services BV 13

Item 2Item 2Item 3Item 3Item 4Item 4Item 5Item 5



they shallthey shallmakemake


Page 14: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

“Consensus” Meeting“Consensus” Meeting

�� Discuss issue list Discuss issue list -- first defects found !!first defects found !!

�� Result could influence developmentResult could influence development

LikelihoodLikelihood ImpactImpact










Experience level

Experience level

Business im


usiness import.

Usage intensity

Usage intensity



Improve Quality Services BV 14










Experience level

Experience level

Business im


usiness import.

Usage intensity

Usage intensity



Item 1Item 1 55 33 22 11 55 1616 55 44 11 1010

Item 2Item 2 22 11 22 11 22 88 33 33 11 77

Item nItem n

Page 15: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

The Product Risk MatrixThe Product Risk Matrix




MoSCoW prioritiesMoSCoW priorities

Must TestMust TestCould TestCould Test


focus of focus of development development

testingtestingfocus focus

of of

Improve Quality Services BV 15




33 151599







Should TestShould Test“Won’t Test”“Won’t Test”


testingtesting of of systemsystem

level level testingtesting

Page 16: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Example System Level TestingExample System Level Testing





Use Cases (incl. alternatives)Use Cases (incl. alternatives)Decision Table TestingDecision Table Testing

Use Cases (basic flow)Use Cases (basic flow)Equivalence PartitioningEquivalence Partitioning

Improve Quality Services BV 16




33 151599







Use Cases (incl. alternatives)Use Cases (incl. alternatives)Equivalence PartitioningEquivalence PartitioningUse Cases (basic flow)Use Cases (basic flow)

Page 17: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Differentiated Test Approach !!Differentiated Test Approach !!

•• Reviews & inspectionReviews & inspection

•• Test design startTest design start--up up meetingsmeetings

•• Reviews of test designReviews of test design

•• More time & effortMore time & effort

•• Most experienced Most experienced personperson

•• Priority settingPriority settingMust Test

Improve Quality Services BV 17

•• Reviews of test designReviews of test design

•• Level of detail of test Level of detail of test casescases

•• Exit criteriaExit criteria

•• Level of independenceLevel of independence

•• Priority settingPriority setting

•• Regression testingRegression testing

•• ReRe--testingtesting

without this risk managementdoesn’t make much sense !!

Must Test….. Test Approach …..

Should test…… Test Approach …..

Could Test….. Test Approach …..

Would Test….. Test Approach …..

Page 18: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Practical GuidelinePractical Guideline Shall be companyShall be companyspecificspecific

Test levelTest level QualityQuality






High riskHigh risk

Acceptance Acceptance testtest

FunctionalityFunctionality IsolationIsolationrere--testtest

Basic flow UCBasic flow UC

Isolation Isolation rere--testtest

Use casesUse cases

Full reFull re--testtest

Use casesUse cases

Improve Quality Services BV 18

Basic flow UCBasic flow UC


Use casesUse cases


Use casesUse cases

Domain Domain expertsexperts


System testSystem test FunctionalityFunctionality EquivalenceEquivalence


No testware No testware reviewsreviews



Internal Internal Review TDsReview TDs


Table testingTable testing

External External Review TDsReview TDs


Page 19: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Recognize this .... ?Recognize this .... ?

�� After months of testing the system finally After months of testing the system finally goes life and …………. Failsgoes life and …………. Fails

�� Test manager says: ‘we already knew this Test manager says: ‘we already knew this would happen’would happen’

Improve Quality Services BV 19

would happen’would happen’

�� Who is at fault?Who is at fault?

�� Risk based testing = Risk based reportingRisk based testing = Risk based reporting

The majorThe majorTest DeliverableTest Deliverable


Page 20: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books



Does this support managementDoes this support managementto make the release decision?to make the release decision?

Defect Reporting exampleDefect Reporting example

Improve Quality Services BV 20





wk1 wk2 wk3 wk4wk5 wk6 wk7 wk8 wk9w




open defects

Page 21: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

No, just

can I release !!

Communication Levels …Communication Levels …

Improve Quality Services BV 21

Page 22: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Risk Based Reporting (1)Risk Based Reporting (1)


Risk item 1

Risk item 2

Improve Quality Services BV 22

Risk item 3

Risk item 4

Risk item 5

Page 23: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Can we release the product?Can we release the product?


Risk item 1

Risk item 2

Management view

Improve Quality Services BV 23

Risk item 3

Risk item 4

Risk item 5

Page 24: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Survey ResultsSurvey Results

•• EaseEase--ofof--useuse 6,56,5 77 (large (large σσnn))

“it’s simple but not easy”“it’s simple but not easy”

7,67,6 88

averageaverage medianmedian

Improve Quality Services BV 24

•• UsefulnessUsefulness 7,67,6 88

•• EfficiencyEfficiency 7,47,4 77

•• EffectivenessEffectiveness 7,27,2 77

Page 25: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Benefits: Defect Detection %Benefits: Defect Detection %


introductionintroductionriskrisk--based testingbased testing

in addition to lead time reduction ...in addition to lead time reduction ...

Improve Quality Services BV 25







Y1 Y2 Y3 Y4 Y5

DDP Alpha Test

Page 26: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books

Key learning pointsKey learning points

�� A structured and A structured and practical approachpractical approach for for risk based testing is risk based testing is availableavailable

�� ReRe--discuss discuss the risk assessment on a the risk assessment on a regular basisregular basis

Improve Quality Services BV 26

regular basisregular basis

�� Define a risk based Define a risk based differentiated test differentiated test approachapproach

�� Provide riskProvide risk--based based management reportingmanagement reporting

�� … it doesn’t stop at the planning stage… it doesn’t stop at the planning stage

Page 27: Risk-Based Testing in Practice - Erik van Veenendaal Testing in Practice .pdf · RiskRisk--Based Testing In Practice Based Testing In Practice ... Practitioner” and many other books


Thank You !!Thank You !!

Improve Quality Services BV 27

Full PRISMA white paper available Full PRISMA white paper available at at www.erikvanveenendaal.nlwww.erikvanveenendaal.nl

Thank You !!Thank You !!