What is risk-based testing in agile?
Shreya Bose, Technical Content Writer at BrowserStack - November 25, 2021
What is risk based testing?
The most common complaint that comes from software testing using the Agile method is the lack of time. Since the term is itself a synonym for speed, its emphasis on getting things done is self-explanatory. However, this brings up a burning question for every Agile tester in the world.
What features do we test first?
Most Agile sprints last a couple of weeks. That timeframe is undoubtedly not enough to test every or even most features of modern websites and apps. As development progresses, software becomes more complex and requires more tests to verify its functionality. Running thousands of tests is completely unfeasible, and testers must prioritize what needs to be tested within increasingly shorter timelines.
The answer lies in risk-based testing.
What is risk-based testing in Agile?
If a QA team struggles with deciding how to allocate time and effort in each sprint, their best bet is using risk-based testing. This refers to a testing strategy that uses ‘defined risk’ to determine testing goals. In other words, the risk-based testing approach organizes testing efforts in ways that lower the residual level of product risk when the software goes into production. This strategy is useful for test analysis, planning, estimation, design, execution, and results reporting.
What exactly is a ‘risk’?
Risk refers to the occurrence of an unforeseen event that can impact the success of a product (software, in this case). These events could have occurred in the past or may be a concern for future occurrences. Risks can serve as a reliable parameter to plan, schedule, and allocate tester effort.
Purpose of risk-based testing in Agile
Risk-based testing applies the principles of risk management to testing activities. It aims to:
- Create and offer a framework that facilitates clear discussion between testers, developers, and other stakeholders about the risks at hand. Essentially, it isolates risks to make them identifiable and actionable.
- Cover customer needs as well as developer needs when considering what counts as a risk.
- Provides the criteria to decide how to manage budgets, negotiate timelines, avoid delay – all without affecting software quality.
- Highlights what features/issues matter most to customers, thus creating a hierarchy of testing requirements.
How to conduct risk based testing in Agile?
Before creating a plan for risk-based testing, ask the following questions:
- What needs to be tested first?
- How to reduce the testing effort?
- How many features can be covered with each test cycle?
- How to decide what not to test?
- What metrics are required to measure testing success here?
Since risk-based testing categorizes test scenarios based on the impact each risk will have on business success and user experience, start by defining impact. Whichever feature has the greatest impact on customer experience needs to be tested first.
This mode of risk quantification lets testers define the overall impact of each risk and predict how much damage not testing a particular feature can cause. Use the following five levels of impact:
- Critical: Not testing a feature can harm the software’s central functioning and might lead to revenue loss and lowered credibility.
- Medium: Not testing a feature may not directly affect customers, but it would still cause significant disruption of the back-end system.
- Moderate: Not testing a feature will possibly cause some minor inconvenience or annoyance for the customers.
- Marginal: Not testing a feature will cause little or no disruption. Usually applies only to cosmetic errors.
When choosing among risk-based testing tools, look for one that allows the cataloging and allocation of impact levels.
For a holistic deep-dive into risk-based testing, check out this webinar on Shift in Testing and Continuous Delivery in which Kavitha Appakayala (Senior Manager, Quality Engineering, eBay) will break down the industry-wide shift in testing to achieve continuous delivery.
There are three steps to risk-based testing:
- Identify risks
- Assess risks
- Mitigate risks
Identify Risks
Risk identification can be done in several ways:
- Expert interviews
- Independent reviews
- Risk workshops
- Brainstorming with stakeholders
- Reviewing similar previous projects
Stakeholders play an important role in risk detection. By involving the broadest possible cross-section of stakeholders, testers stand the best chance of detecting the largest majority of product quality risks.
Bear in mind that even though a considerable number of risks might be detected at this stage, newer threats may reveal themselves as the project progresses. New information about risks and their impact level might emerge. Testing teams must be open to new information and be ready to tweak tests if required.
Assess Risks
Risk assessment requires the following steps:
- Classify risk
- Identify the possibility of the risk occurring
- Impact of risk
- Assigning risk to owner/testers/developer/stakeholder
By analyzing and evaluating risks, QAs will know what features need to be run through relevant test scenarios, and in what order.
A few factors that influence risks:
- Frequency with which a feature is used
- Significance of the feature in the user journey
- Probable loss of reputation, business casualties, or legal concerns
- Probability of security breach
- Probability of negative publicity arising from a particular failure
Mitigate Risks
Once risks have been identified and assessed, they need to be dealt with, resolved, and mitigated. Mitigation occurs through test design, execution, and debugging. Thus, the allocation of effort to testing activities depends on the risk level posed by each feature.
More thorough testing activities are naturally designed for higher-level risks while less detailed techniques are ascribed to lower-level risks. This helps to create software with the highest chances of success from both customer-facing and technical perspectives.
Practical risk mitigation actions should be undertaken after answering the following questions:
- What project artifacts and documents should be reviewed?
- How independent should the testers be?
- How experienced should the tester be?
- How much retesting is required?
- Is regression testing necessary? If so, how much?
Metrics essential for risk-based testing
- Number of test cases – planned vs. executed
- Number of test cases – passed vs. failed
- Number of risks identified – status and severity of each
- Number of critical risks – still open
- Instances of test environment downtime
- Test Summary Report
- Test Coverage Report
- Effort expended – scheduled vs. actual
- Schedule variation – planned vs. actual
- Percentage of risk identification
- Percentage of risk mitigation
- Percentage of defect leakage
Benefits of risk-based testing approach
- Greater customer focus: Risk-based testing emphasizes thorough tests on features that affect customers most directly, AKA higher risks. This directly improves business performance, reduces the probability of negative reviews, and generally minimizes the impact of each identified risk.
- Better software quality: Risk-based testing focuses on finding higher risks first, and ensuring that the most important functions are testing first. Consequently, the software can be released with confidence in the fact that fundamental and customer-facing functions meet quality expectations.
- More structured testing: When risks are identified and their impact is quantified, it becomes easier to decide what to test, where to start, and stop testing. In other words, it becomes easier to define the scope of testing as well as test execution priority within limited timelines. This provides the structure needed to organize thousands of tests in every single development project.
Risk-based testing is frequently one of the most effective ways to implement Agile principles in software testing. By using a quantifiable parameter (i.e., risk) to determine which tests must be pushed up the ladder, QAs can accurately place tests in a hierarchy that serves the best interests of the software. This also serves customers and business owners’ interest, since risk-free software fosters high-quality user experiences and positive revenue streams.
With risk-based testing, all the above can be achieved in restricted schedules, thus implementing the very essence of Agile development and testing.
Run manual and automated tests on real browsers and devices. Start running tests on 2000+ real browsers and devices on BrowserStack’s real device cloud. Run parallel tests on a Cloud Selenium Grid to get faster results without compromising on accuracy. Detect bugs before users do by testing software in real user conditions with BrowserStack.