There are different risks a project may be subjected to, such as legal liabilities, security, non-compliances with basic regulation, safety and project failure. There are different activities that testers may conduct in risk management and these are risk identification, risk prioritization and risk treatment. Risk identification depends on the project scope. These can be done with the use of different tools and methods. Testers may use project objectives, prior system knowledge, knowledge of system design, known industry practices, prior customer complaints and knowledge of system usage. A sample of a risk is when a known unstable system is tagged to be developed in future projects, this will be declared as a risk.
It is important to have proper documentation of all the risks in the project. This will help project stakeholders to understand the impact of these risks to the project. There is a need for developers and testers to revisit this list as the project progress one step closer to deployment. This will help developers and testers to keep track of the risks if they have disappeared or if there are new risks that have appeared.
Risk prioritization is ranking the risks on how urgent and important it should be addressed. Prioritizing risks is not difficult if the developers and testers have a complete understanding of the risks. Prioritization can be measured by risk impact and risk probability. Risk impact is measured by either money loss or a scale from 1 to 10. On the other hand, risk probability can be rank from 0 (no probability from occurring) or 1 (certain to occur). Combining risk impact and risk probability will give the team a risk magnitude. A total of risk magnitude will give the stakeholders tangible values of the risk involve in the project.
The last step is risk treatment. Testers would decide and plan how to treat each risk. Theoretically, there are four ways of risk treatment and these are risk avoidance, risk transfer, risk mitigation and risk acceptance. Risk avoidance is postponement of developing application components for a later release. This is not usually done as this would have a huge project impact. Risk transfer is done by outsourcing the solution to another specialty company that would have the right resources to treat the risk. Risk mitigation is the most common risk treatment used by developers and testers as this would lower the risk impact. Risk acceptance is when a risk is not treated in prior releases and will be accepted in the current release as there is no available option for the team.
Risk management is an important activity as this will bring more understanding to all project stakeholders. Project stakeholders should make sure that the risk assessment document is continuously reviewed and tracked all throughout the project. Test plans are synchronized with the updated risk assessment document. This will make creation of test scenarios easier for testers