1. 1. Risk
    1. What? The probability of occurrence of an undesirable outcome
    2. Product Risk (Quality Risk)
      1. The possibility that the system or software might fail to satisfy or fulfill some reasonable expectation of the customer or the stakeholder
      2. Type of Product Risk
        1. Functional
          1. Relates to how the product may fail to perform the activities it is designed to perform
        2. Non-Functional
          1. Relates to possible problems such as not performing a (correct) calculation quickly enough
      3. Common Source
        1. Missing requirement
        2. Misunderstood requirement
        3. etc.
    3. Project Risk
      1. The risk associated with the testing activity which can endanger the test project cycle
    4. Business Risk
      1. These risks threaten the entire organization from a business point of view
      2. Type of Business Risk
        1. Strategic Risk
        2. Compliance Risk
        3. Operational Risk
        4. Reputational Risk
  2. 2. Risk-based Testing
    1. Basically a testing done for the project based on risk
    2. Test only what matters
    3. The idea that we can organize our testing efforts in a way that reduces the residual level of product risk when the system is deployed
    4. How to perform
      1. 1. Make a prioritized list of risks
      2. 2. Perform testing that explores each risk
      3. 3. As risks evaporate and new ones emerge, adjust your test effort to stay focused on the current crop
    5. Just because testing is motivated by risk does not mean that explicit accounting of risk is required in order to organize a test process
    6. 4. Steps to approach
      1. 1. Determine impact
        1. must have features vs nice to have features
      2. 2. Determine probability of failure
        1. new technology might lead to higher risk
        2. complex logic and business rules
        3. development effort
        4. ambiguity in requirements
        5. rushed schedule
      3. 3. Determine regression impact
        1. changes to high risk areas
        2. changes to highly integrated areas
        3. lack of clear definition of the scope of changes
        4. scope of regression based on the change
      4. 4. Determine recovery effort/difficulty from potential failure
        1. existence of a workaround if a potential failure occurs
        2. existence of a back-out procedure and ease of performing back-outs
        3. ability and turnaround time to fix problems in case of failure
        4. existence of alerts or early warning indicators to aid proactive intervention
  3. 3. Risk Analysis
    1. Probability and Impact of Risk
      1. Probability: the chances that the risk will occur
        1. eliminate (0%)
        2. improbable (0-10%)
        3. remote (11-40%)
        4. occasional (41-60%)
        5. probable (61-90%)
        6. frequent (91-100%)
      2. Impact: the bad stuff that is going to happen if the risk is realized
        1. Negligible - 4 - little or minimal damage or
        2. Marginal - 3 - short term
        3. Critical - 2 - large consequences which can lead to a great amount of loss
        4. Catastrophic - 1 - top priority
    2. Risk Analysis process
      1. Identify Risk
        1. the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives
        2. Quantitative Risk: give context
          1. method
            1. multivariate statistical models
            2. event trees
            3. system dynamics models
            4. sensitivity analysis
              1. a technique used to determine which risk has the greatest impact on the project
            5. project simulations
            6. stochastic simulation models
            7. additive models
            8. Expected value analysis (EMV)
              1. used to calculate the expected value of an outcome when different possible scenarios exist for different values of the outcome, with some probabilities assigned to them
          2. analysing data
            1. mathematical
            2. statistical method
              1. Summarising Data: Grouping and Visualising
              2. Measures of Location: Averages: gives information about the size of the effect of what you are testing
              3. Measures of Spread: Range, Variance, Standard Deviation: how widely the data are spread across the whole possible measurement scale
              4. Skew
          3. common sources
            1. survey
            2. observation
            3. secondary data
            4. interview
        3. Qualitative Risk: tell stories
          1. method
            1. risk screening based on impact and probability
            2. pareto diagram
            3. failure modes and effects analysis
            4. project definition rating index
          2. common sources
            1. interviews
            2. focus group
            3. secondary data
            4. observation
        4. Using Risk Register to track risk
          1. The Risk Register is a document that contains information about identified project risks, analysis of risk severity and evaluations of the possible solutions to be applied
          2. Helps track issues and address problems as they arise
          3. Step to create
      2. Estimate Risk
        1. Scale of Risk analysis
          1. Qualitative Scale
            1. we work with feelings or assessments
            2. Impact: Bad > Worse > Worst
            3. Probability: Not likely > Likely > Very Likely
          2. Quantitative Scale
            1. we work with exact measures or numbers
            2. Impact: can be expressed as actual cost
            3. Probability: can be expressed as < 10%; 10% < x < 50%; 50% < x < 80%; > 80%
        2. Risk value = Impact x Probability
        3. Risk Assessment Matrix
          1. The risks are grouped based on their likelihood and the extent of damage or the kind of consequences that they can result in.
          2. Serious: the activity must be stopped, immediate action must be taken to isolate the risk
          3. High: immediate action must be taken to isolate, eliminate, substitute the risk and to implement effective risk controls
          4. Medium: reasonable and practical steps must be taken to minimize the risks
          5. Low: usually does not pose any significant problem. Periodic review is a must to ensure the controls remain effective
          6. Steps to create
            1. Identify the hazard
            2. Decide who might be harmed and how
            3. Evaluate the risk and decide on control measures
            4. Record Risk
            5. Review and Update
          7. Benefits
            1. Recognise and control hazards
            2. Create awareness among employees
            3. Set risk management standards, based on acceptable safe practices and legal requirements
            4. Reduce incidents
            5. Save cost by being proactive instead of reactive
          8. Challenges
            1. Risk assessment is viewed as a limited-value, episodic process. This challenge prevents risk assessment from being a consistent contributor to decision making, instead being used irregularly throughout the project's life
            2. Failure to properly interpret and use the data gathered for a risk assessment. This failure will result in an assessment that is inaccurate, with too little or too much risk assigned.
            3. Too many risk assessments being performed. This problem can cause a very complex and confusing risk assessment process. To prevent this issue, using a consistent risk assessment process is very important, as is avoiding too many different categories for the risk analysis.
            4. Relying too heavily on risk assessment. While risk assessment can provide insight into the risks associated with a project, unanticipated problems can always occur. Additionally, risk assessment relies on probability to determine the chances of an incident occurring. Therefore, risk assessment cannot be considered to be the last chance at preventing incidents or failures.
    3. Two approaches to Risk Analysis
      1. inside-out: begin with details about the situation and identify risks associated with them
        1. what risks are associated with this thing?
        2. vulnerabilities: weakness/possible failure
        3. threats: what inputs or situations might exploit a vulnerability and trigger a failure
        4. victims: who or what would be impacted, how bad would that be
      2. outside-in: begin with a set of potential risks and match them to the details of the situation
        1. what things are associated with this kind of risk?
        2. quality criteria categories
          1. capability: can it perform the required function
          2. reliability: will it work well and resist failure in all required situations
          3. usability: how easy is it for a real user to use the product
          4. performance: how speedy and responsive is it
          5. installability: how easily can it be installed onto its target platform
          6. compatibility: how well does it work with external components and configurations
          7. supportability: how economical will it be to provide support to users of the product
          8. testability: how effectively can the product be tested
          9. maintainability: how economical will it be to build, fix or enhance the product
          10. portability: how economical will it be to port or reuse the technology elsewhere
          11. localizability: how economical will it be to publish the product in another language
        3. generic risk list
          1. complex: anything disproportionately large, intricate or convoluted
          2. new: anything that has no history in the product
          3. changed: anything that has been tampered with or "improved"
          4. upstream dependency: anything whose failure will cause cascading failure in the rest of the system
          5. downstream dependency: anything that is especially sensitive to failures in the rest of the system
          6. critical: anything whose failure could cause substantial damage
          7. precise: anything that must meet its requirements exactly
          8. popular: anything that will be used a lot
          9. strategic: anything that has special importance to your business, such as a feature that sets you apart from the competition
          10. third-party: anything used in the product, but developed outside the project
          11. distributed: anything spread out in time or space, yet whose elements must work together
          12. buggy: anything known to have a lot of problems
          13. recent failure: anything with a recent history of failure
        4. risk catalog
          1. risk list
          2. decide what component or function you want to analyze
          3. determine your scale of concern
          4. gather information about the thing you want to analyze
          5. visit each risk area on each list and determine its importance in the situation at hand
          6. if any other risks occur to you that aren't on the list,record them
          7. record any unknowns which impact your ability to analyze the risk
          8. double check the risk distribution
    4. Agile quality risk analysis process
      1. Gather the agile team
      2. List iteration backlog items
      3. Identify functional and non-functional quality risks for each item
      4. Assess identified risks: categorize each risk, determine risk level
      5. Build consensus and ensure a good distribution of risk ratings
      6. Use level of risk to choose extent of testing
      7. Select appropriate test techniques for each risk item
    5. Estimating Testing Effort
      1. Test strategy is defined during release planning
      2. During iteration planning, user stories are estimated
      3. Story points give implementation effort
      4. Risk level should influence story points
      5. Planning poker can be used to reach consensus, involve whole team, and avoid missing anything
      6. Reliable estimation, including testing, is necessary for smooth work pace and meaningful velocity
  4. 4. Risk Management
    1. Risk Management Process
      1. Risk management is the identification, evaluation, and prioritization of risks
  5. Why Risk-based Testing?
    1. The main purpose of risk-based testing is to enable a proactive stance, allowing teams to address risks before they become negative outcomes or results.
    2. Projects are able to define when to stop testing.
    3. Test cases can be reduced and focused on the most critical areas.
    4. Fewer but more efficient test cases can be specified.
    5. Better and more focused tests and risk analysis are performed.
    6. Problem areas are discovered early. Preventive activities can be started immediately.
    7. Better strategies and test objects/cases can be selected.
    8. Overall test goals, strategies, and directions for testing can be focused and continuously adjusted against problem areas.
    9. Risks can be continuously monitored to know the status of the project and its quality.
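
The quantitative scale and "Risk value = Impact x Probability" from section 3, combined with the "prioritized list of risks" step from section 2, as an added example that is not part of the original notes. The sample register, the function names and the rule of splitting test hours in proportion to risk value are assumptions made for illustration.

```python
from dataclasses import dataclass

# Probability bands as listed in section 3: (upper bound in percent, label).
# Values between two listed bands (e.g. 10.5%) fall into the higher band.
BANDS = [(0, "eliminate"), (10, "improbable"), (40, "remote"),
         (60, "occasional"), (90, "probable"), (100, "frequent")]


@dataclass
class Risk:
    name: str
    probability_pct: float  # chance that the risk occurs, 0-100
    impact_cost: float      # quantitative impact expressed as actual cost

    def band(self) -> str:
        if not 0 <= self.probability_pct <= 100:
            raise ValueError(f"{self.name}: probability must be 0-100")
        return next(label for upper, label in BANDS
                    if self.probability_pct <= upper)

    def value(self) -> float:
        # Risk value = Impact x Probability (the expected cost of the risk)
        return self.impact_cost * self.probability_pct / 100


def prioritize(register):
    """Drop eliminated risks, then order by risk value, highest first."""
    live = [r for r in register if r.band() != "eliminate"]
    return sorted(live, key=lambda r: r.value(), reverse=True)


def allocate_effort(register, total_hours):
    """Assumed rule: split test hours in proportion to risk value."""
    ranked = prioritize(register)
    total = sum(r.value() for r in ranked)
    if total == 0:
        return {r.name: 0.0 for r in ranked}
    return {r.name: round(total_hours * r.value() / total, 1) for r in ranked}


# Constructed sample register; names and figures are illustrative only.
REGISTER = [
    Risk("report export too slow", 70, 5_000),
    Risk("payment rounding error", 30, 50_000),
    Risk("legacy importer (feature removed)", 0, 20_000),
    Risk("session timeout not enforced", 15, 80_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.value():>9.0f}  {r.band():<10}  {r.name}")
    print(allocate_effort(REGISTER, total_hours=61))
```

Note that the frequent but cheap risk ranks last: ordering by probability alone would put it first, which is why the register is sorted on the product rather than on either factor.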