OneStopTesting - Quality Testing Jobs, eBooks, Articles, FAQs, Training Institutes, Testing Software, Testing downloads, testing news, testing tools, learn testing, manual testing, automated testing, load runner, winrunner, test director, silk test, STLC

Forum| Contact Us| Testimonials| Sitemap| Employee Referrals| News| Articles| Feedback| Enquiry
 
Testing Resources
 
  • Testing Articles
  • Testing Books
  • Testing Certification
  • Testing FAQs
  • Testing Downloads
  • Testing Interview Questions
  • Career In Software Testing
  • Testing Jobs
  • Testing Job Consultants
  • Testing News
  • Testing Training Institutes
  •  
    Fundamentals
     
  • Introduction
  • Designing Test Cases
  • Developing Test Cases
  • Writing Test Cases
  • Test Case Templates
  • Purpose
  • What Is a Good Test Case?
  • Test Specifications
  • UML
  • Scenario Testing
  • Test Script
  • Test Summary Report
  • Test Data
  • Defect Tracking
  •  
    Software testing
     
  • Testing Forum
  • Introduction
  • Testing Start Process
  • Testing Stop Process
  • Testing Strategy
  • Risk Analysis
  • Software Listings
  • Test Metrics
  • Release Life Cycle
  • Interoperability Testing
  • Extreme Programming
  • Cyclomatic Complexity
  • Equivalence Partitioning
  • Error Guessing
  • Boundary Value Analysis
  • Traceability Matrix
  •  
    SDLC Models
     
  • Introduction
  • Waterfall Model
  • Iterative Model
  • V-Model
  • Spiral Model
  • Big Bang Model
  • RAD Model
  • Prototyping Model
  •  
    Software Testing Types
     
  • Static Testing
  • Dynamic Testing
  • Blackbox Testing
  • Whitebox Testing
  • Unit Testing
  • Requirements Testing
  • Regression Testing
  • Error Handling Testing
  • Manual support Testing
  • Intersystem Testing
  • Control Testing
  • Parallel Testing
  • Volume Testing
  • Stress Testing
  • Performance Testing
  • Agile Testing
  • Localization Testing
  • Globalization Testing
  • Internationalization Testing
  •  
    Test Plan
     
  • Introduction
  • Test Plan Development
  • Test Plan Template
  • Regional Differences
  • Criticism
  • Hardware Development
  • IEEE 829-1998
  • Testing Without a TestPlan
  •  
    Code Coverage
     
  • Introduction
  • Measures
  • Working
  • Statement Coverage
  • Branch Coverage
  • Path Coverage
  • Coverage criteria
  • Code coverage in practice
  • Tools
  • Features
  •  
    Quality Management
     
  • Introduction
  • Components
  • Capability Maturity Model
  • CMMI
  • Six Sigma
  •  
    Project Management
     
  • Introduction
  • PM Activities
  • Project Control Variables
  • PM Methodology
  • PM Phases
  • PM Templates
  • Agile PM
  •  
    Automated Testing Tools
     
  • Quick Test Professional
  • WinRunner
  • LoadRunner
  • Test Director
  • Silk Test
  • Test Partner
  • Rational Robot
  •  
    Performance Testing Tools
     
  • Apache JMeter
  • Rational Performance Tester
  • LoadRunner
  • NeoLoad
  • WAPT
  • WebLOAD
  • Loadster
  • OpenSTA
  • LoadUI
  • Appvance
  • Loadstorm
  • LoadImpact
  • QEngine
  • Httperf
  • CloudTest
  •  
    Languages
     
  • Perl Testing
  • Python Testing
  • JUnit Testing
  • Unix Shell Scripting
  •  
    Automation Framework
     
  • Introduction
  • Keyword-driven Testing
  • Data-driven Testing
  •  
    Configuration Management
     
  • History
  • What is CM?
  • Meaning of CM
  • Graphically Representation
  • Traditional CM
  • CM Activities
  • Tools
  •  
    Articles
     
  • What Is Software Testing?
  • Effective Defect Reports
  • Software Security
  • Tracking Defects
  • Bug Report
  • Web Testing
  • Exploratory Testing
  • Good Test Case
  • Write a Test
  • Code Coverage
  • WinRunner vs. QuickTest
  • Web Testing Tools
  • Automated Testing
  • Testing Estimation Process
  • Quality Assurance
  • The Interview Guide
  • Upgrade Path Testing
  • Priority and Severity of Bug
  • Three Questions About Bug
  •    
     
    Home » Testing Articles » Testing - General Articles » The Risks of Risk-Based Testing

    The Risks of Risk-Based Testing

    A D V E R T I S E M E N T


    I am a big fan of risk-based approaches. I have developed some of these approaches, used them, and taught them over the past 18 years.  In order to prioritize testing, we need to understand risk and apply it intelligently.

    I've also been burned by risk-based approaches. Software that should not have failed, did fail and caused a greater impact than expected.  This happens even to the best of the best. Consider situations that are risk-based and still are on the losing end of the risk equation:

    • Car owners that have low safe-driving premiums sometimes wreck their car.
    • The tornado that destroys a home in a "non Tornado" area.
    • People who outlive their life insurance policy.
    • Good credit risks that go bankrupt...

    This is my little "lessons learned" compilation about risk-based testing - especially concerning ways that we can be fooled by risk.

    #1 - There is no physics of software that dictates how it must behave.  Just because our risk assessment may indicate a software item should not fail, the software may not behave that way. As Lee Copeland states in his book, A Practitioner's Guide to Software Test Design, in the discussion on pairwise testing, "there is no underlying 'software defect physics'...".  In other words, in spite of what we think we know about software and defects, we can still see software behavior that evades our assumptions and approaches. As testers, we need to understand that all the tricks and techniques we use may be helpful, but are not guaranteed to be totally accurate or effective. 

    Many of the risk assessment methods are based upon observed behavior of software in given situations. There are no universal laws of software. What we have observed over the years of observing software behavior may not apply to all situations. Therefore, we need to be careful in concluding which risks are present based on someone else's experience.

    #2 - We can't see clearly into the future.  Unexpected things can happen that can change the risk equation by a little or a lot. Risk by its very nature contains a degree of uncertainty.

    Another way to say this is "You don't know what you don't know." There are things that are outside of our knowledge. The troubling thing is that sometimes we don't even know what those things are!

    #3 - People do not always provide accurate information.  When we base a risk assessment on information obtained from people, there is always the possibility the information could be skewed, inaccurate or misleading. It's not necessarily that people lie (although they do from time to time), but sometimes they forget things or they have a remembrance that may be slanted toward their view of things.

    #4 - The "I want to believe" syndrome. There are times that we don't have a rational reason to believe in something, but we would really like to. In terms of risk, some people believe in a lesser degree of risk than is actually justified. They may want to believe that a software item will not fail, but that does not change the actual risk. This could also be called "risk denial."  Risk denial is one approach to dealing with risk, just not a good one.

    #5 - The "High Risk" effect. This is the opposite of the "I Want to Believe" syndrome. In this view, so many things are seen as high risks, the value of risk assessment is lost. Few things fall into the "low" or "moderate" categories of risk. People may tend to favor the importance of their own areas and think that if anything fails, the entire operation will cease. The problem with this view of risk is that the value of risk assessment is lost because people fail to establish workable risk levels. Everything is a high risk.

    #6 - Flawed assessment methods.  This can result from many causes, but the most common ones I have seen are 1) misapplying someone else's methods that don't apply well in another context, 2) devising an inaccurate and unproven method on your own, 3) misapplying a good method incorrectly because of a lack of understanding.  The problem is that you may place a lot of faith in the assessment method without fully realizing the limitations and risks.

    #7 - No assessment method.  In this view, risk assessment is based on intuition. You can be easily fooled by this view of risk, but at least you are aware that it is a guess (perhaps an informed one, but still a guess). A major problem is that you have nothing upon which to base risk assumptions. If later you ever need to defend a risk-based decision, without a method you are left with little defense of how you arrived at the decision. This is a very bad position, especially when safety, lots of money, or reputation is at stake.

    #8 - Failing to incorporate intuition. I know, another opposite. I just wrote that intuition alone can fool you and can leave you defenseless if anyone challenges your rationale. However, there is a role for intuition. There have been many times when I followed a hunch and found defects even when the risk assessment indicated a low risk of failure. Unfortunately, this is not something that can be trained, but must be learned over time. Experience forms the basis of a lot of what we consider intuition and we need to learn how to listen to the inner voice that tells us to consider things perhaps not indicated in a risk assessment.

    #9 - Only performing the risk assessment once.  Risk assessment is a snapshot taken at a given point in time. The problem is that risks change throughout a project. To get an accurate view of risk, assuming the method is reasonably sound, the assessment should be performed on a regular basis. In fact, the assessment should continue even after system deployment because the risks are still present and still changing. Ideally, you should have pre-defined checkpoints throughout the project, such as at the concept stage, requirements, design, code, test and deployment. Some people find that even within each of these project activities multiple risk assessment snapshots may be needed.

    #10 - Failing to report risk assessment results correctly and timely. The longer a known risk remains unreported, the less time is available to address it. In addition, the risk may increase or decrease over time.  When risk assessment results are conveyed with missing, incorrect or ambiguous information, then any conclusion based on them is at risk of being incorrect. It's helpful to keep in mind that risk assessment results are like any other form of measurement and can be manipulated to suit the objectives of the presenter or the receiver. A case in point is the situation where the presenter of the results is fearful of giving bad news.

    #11 - Failing to act on assessment results.  Unless you take action on a risk, the risk assessment is little more than an exercise. You may have learned a great deal from the assessment, but to prevent problems or prioritize testing you must make adjustments in how things are currently being done. You may have an accurate and timely risk assessment, but it does little good without application.

    #12 - An inappropriate view of risk.  You can view risk from multiple perspectives. The project view of risk includes how the project is managed, the level of user and customer involvement, the quality of user requirements, etc.  This view is helpful in keeping the project on track and preventing project failures. The technical view of risk identifies where the risk is found in a system or application. This is the view that is needed to prioritize testing at the application level. Finally, there is the business or mission view of testing. This view of risk assesses how our business, mission, customers or users may be impacted. This view of risk is helpful in determining the criticality of processes.

    Another aspect of the level of risk is shown in the example below. Let's say that you have performed a risk assessment and have assigned levels of risk to test cases (Figure 1). This is fine for testing isolated functions. However, if you need to test a transaction that involves test cases from all levels of risk, then the level of risk at the test case level does little good.  You need to know the risk at the transaction level (Figure 2). This often requires that another risk assessment is needed at the transaction level.

    Figure 1 - Risk Assignments at the Test Case Level

    Figure 2 - Risk at the Transaction Level

    #13 - The "cry wolf" syndrome.  As already stated, sometimes a risk is identified yet fails to materialize. When the same risks are raised, even rightfully so, yet fail to be experienced, people start to not believe them. Examples of this are hurricane forecasts, tornado warnings, economic forecasts (such as recessions), etc. So, like the boy who sounded the alarm in jest about a wolf, sometimes a risk may sound like just another concern that is exaggerated. Unfortunately, sometimes a wolf (or risk) actually appears!

    The Safety Net

    There is a word that is often used in conjunction with risk, that people sometimes omit. That word is "contingency".

    The reason that contingencies are needed is because we have a rich history of seeing how real life events may not match the risk assessment. Think of a contingency as a "Plan B" just in case a risk materializes.

    In the insurance industry, reserves are established to cover higher levels of loss than normal premiums may cover. Minimal reserve levels are set by law. An insurer may set higher levels if they need more assurance that they can cover unexpected losses. An insurance company may also obtain coverage through reinsurance companies to cover large or catastrophic losses. These kinds of protections have been established to protect insurance policyholders and to help assure the financial stability of the insurer.

    There is debate among project managers about "padding" estimates. Some feel that the estimate should be carefully calculated as accurately as possible and that should be the actual working estimate.  Others feel that this approach is a recipe for disaster because there is no room for dealing with contingencies.

    I blame senior management and customers for the root cause of this debate.  The problem is that management and customers are notorious for taking any estimate and reducing it by X%.  Some people believe that all estimates contain padding, therefore all estimates can (and must) be reduced to "more reasonable" levels.

    I propose a healthier view of this debate.  Instead of padding, I prefer to call these "project reserves". When used as intended, project reserves are a good thing. They help us deal with the unexpected.

    Problems arise when people abuse reserves. An example of this is when people steal time from reserves to compensate for poor project decisions. It's one thing to use a reserve for extra needed time because a supplier is late, but another thing to use the reserve because developers are creating highly defective software.

    I believe project reserves are needed and form one point of balance when we are fooled by risk.

    Another form of balance is the contingency plan. Reserves are just time and money - they don't tell you what to do, but a contingency plan does. You can have a contingency plan for just about any project activity. However, there are some major activities that deserve priority consideration. Here are some examples of situations that justify a contingency plan:

    • What if the requirements are inadequate?
    • What if the degree of requirements change is excessive?
    • What if high levels of defects are discovered during testing or reviews?
    • What if severe problems are encountered during implementation?

    These contingencies can also be addressed in a risk mitigation strategy.

    The reasonable conclusion is that every risk assessment should also address project reserves and contingencies.

    Summary

    The better we understand how we can be fooled by our approach to risk assessment, the better we can develop a rational approach to keeping the project on track. The key is not to rely on just one aspect of the risk picture. We must also balance risk with contingencies to compensate for the eventual shortcomings with any risk assessment or approach.



    More Testing - General Articles
    Previous 1 2 3 4 5 6 7 8 9 10 11 Next



    discussionDiscussion Center
    Discuss
    Discuss

    Query

    Feedback
    Yahoo Groups
    Y! Group
    Sirfdosti Groups
    Sirfdosti
    Contact Us
    Contact

    Looking for Software Testing eBooks and Interview Questions? Join now and get it FREE!
     
    A D V E R T I S E M E N T
       
       

    Members Login


    Email ID:
    Password:


    Forgot Password
    New User
       
       
    Testing Interview Questions
  • General Testing
  • Automation Testing
  • Manual Testing
  • Software Development Life Cycle
  • Software Testing Life Cycle
  • Testing Models
  • Automated Testing Tools
  • Silk Test
  • Win Runner
  •    
       
    Testing Highlights

  • Software Testing Ebooks
  • Testing Jobs
  • Testing Frequently Asked Questions
  • Testing News
  • Testing Interview Questions
  • Testing Jobs
  • Testing Companies
  • Testing Job Consultants
  • ISTQB Certification Questions
  •    
       
    Interview Questions

  • WinRunner
  • LoadRunner
  • SilkTest
  • TestDirector
  • General Testing Questions
  •    
       
    Resources

  • Testing Forum
  • Downloads
  • E-Books
  • Testing Jobs
  • Testing Interview Questions
  • Testing Tools Questions
  • Testing Jobs
  • A-Z Knowledge
  •    
    Planning
    for
    Study ABROAD ?


    Study Abroad


    Vyom Network : Free SMS, GRE, GMAT, MBA | Online Exams | Freshers Jobs | Software Downloads | Programming & Source Codes | Free eBooks | Job Interview Questions | Free Tutorials | Jokes, Songs, Fun | Free Classifieds | Free Recipes | Bangalore Info | GATE Preparation | MBA Preparation | Free SAP Training
    Privacy Policy | Terms and Conditions
    Sitemap | Sitemap (XML)
    Job Interview Questions | Placement Papers | SMS Jokes | C++ Interview Questions | C Interview Questions | Web Hosting
    German | French | Portugese | Italian