{"id":364,"date":"2016-04-04T16:07:40","date_gmt":"2016-04-04T15:07:40","guid":{"rendered":"http:\/\/oso.com.pl\/?p=364"},"modified":"2016-04-04T08:14:11","modified_gmt":"2016-04-04T07:14:11","slug":"testing-as-risk-reducing-activity","status":"publish","type":"post","link":"https:\/\/oso.com.pl\/?p=364&lang=en","title":{"rendered":"Testing as risk-reducing activity"},"content":{"rendered":"<p>What is software testing? There are many ways to answer this question:<\/p>\n<ul>\n<li><a href=\"http:\/\/istqbexamcertification.com\/what-is-a-software-testing\/\">ISTQB<\/a>: <em><em>&#8222;Process of executing a program or application with the intent of finding the software bugs.&#8221;<\/em><\/em><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Software_testing\">Wikipedia<\/a> (<a href=\"http:\/\/kaner.com\/\">Cem Kaner<\/a> would probably agree): <em><em>&#8222;Investigation conducted to provide stakeholders with information about the quality of the product or service under test.&#8221;<\/em><\/em><\/li>\n<li><a href=\"http:\/\/www.satisfice.com\/info_rst.shtml\">James Bach<\/a>: <em>&#8222;Lighting the way of the project by evaluating the product.&#8221;<\/em><\/li>\n<\/ul>\n<p>Here is another way to look at what software testing can be: a <strong>risk-reducing activity<\/strong>.<\/p>\n<p>When\u00a0you use it, any unknown in the project shows up as a potential risk, and testing-related activities reduce that risk.<\/p>\n<p>This approach can help you answer the &#8222;hard&#8221; questions of testing: what to test, and when have you tested enough?<\/p>\n<h5>Risk classification<\/h5>\n<p>Let&#8217;s start with classifying\u00a0risk. The classic approach is to estimate the impact and likelihood of a given risk. For testing purposes it may\u00a0be enough to assess both on a 3-point scale: low \/ medium \/ high. It is up to you to define what these mean for your organization. 
The loss of a single customer\u00a0is\u00a0low impact in some cases, or high impact if that is your organization&#8217;s only client. The same goes for\u00a0likelihood: you can try giving a specific\u00a0percentage value, or just do an estimate.<\/p>\n<p>This classification allows you to map risks to a heat map like this one (after <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Risk_Rating_Methodology\">OWASP<\/a>):<\/p>\n<table>\n<tbody>\n<tr>\n<td style=\"text-align: center;\" colspan=\"5\"><strong>Overall risk severity<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\" rowspan=\"4\"><strong>Impact<\/strong><\/td>\n<td style=\"text-align: center;\">HIGH<\/td>\n<td style=\"text-align: center; background-color: #fee971;\">Medium<\/td>\n<td style=\"text-align: center; background-color: #f89964;\">High<\/td>\n<td style=\"text-align: center; background-color: #f45058;\">Critical<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">MEDIUM<\/td>\n<td style=\"text-align: center; background-color: #a3cf6d;\">Low<\/td>\n<td style=\"text-align: center; background-color: #fee971;\">Medium<\/td>\n<td style=\"text-align: center; background-color: #f89964;\">High<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\">LOW<\/td>\n<td style=\"text-align: center; background-color: #54b467;\">Note<\/td>\n<td style=\"text-align: center; background-color: #a3cf6d;\">Low<\/td>\n<td style=\"text-align: center; background-color: #fee971;\">Medium<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><\/td>\n<td style=\"text-align: center;\">LOW<\/td>\n<td style=\"text-align: center;\">MEDIUM<\/td>\n<td style=\"text-align: center;\">HIGH<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: center;\"><\/td>\n<td style=\"text-align: center;\" colspan=\"4\"><strong>Likelihood<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>What to test?<\/h5>\n<p>Risk identification, a process of calling out risks, will help you with\u00a0the &#8222;what to test&#8221; question. 
It does not have to be hard.<\/p>\n<p>Based on my experience you may want to:<\/p>\n<ul>\n<li>Learn from the past: look\u00a0through past work\u00a0and see what others have called out as risks in their projects. Were any issues missed in similar work\u00a0before? These are worth calling out as risks that you need to\u00a0deal\u00a0with in the project.<\/li>\n<li>Cast a wide net: people in your organization (developers, product owners, fellow testers&#8230;) are great\u00a0at\u00a0coming up with potential risks.<\/li>\n<li>Search for the unknowns: the Socratic\u00a0<em>&#8222;I know that I know nothing&#8221;<\/em>\u00a0is\u00a0a good starting point for other risk-identifying tasks. <a href=\"http:\/\/oso.com.pl\/?p=312&amp;lang=en\">Assumptions<\/a> may have to be broken&#8230;<\/li>\n<\/ul>\n<p>After you have identified the risks you can assess them.\u00a0I would encourage you to do it as a group exercise: in person, offline, using the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Delphi_method\">Delphi method<\/a>, etc.<\/p>\n<p>The assessment will allow you to map the risks to a heat map and then prioritize the\u00a0testing. You are most likely to start with items identified as critical risks.<\/p>\n<pre>A note: you will never be able to identify all the risks. But you will get better over time. Testing and test planning are risk-reducing on a meta-level, too.<\/pre>\n<h5>When have I tested enough?<\/h5>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Risk_management\">Risk management<\/a> helps to answer this question. There are generally 5 things you can do with a risk:<\/p>\n<ol>\n<li>Mitigate<br \/>\nReduce it. For a team this\u00a0typically means &#8222;test it&#8221;. An unknown becomes known, and the risk is lowered.<\/li>\n<li>Avoid<br \/>\nEliminate it. It could be through a change of scope, a requirements change, etc.<\/li>\n<li>Transfer<br \/>\nShare it. This may not be obvious, but maybe you can have a third party certify your product and take responsibility for issues found later? 
Transfer can also be achieved\u00a0through insurance (yes, there seems <a href=\"http:\/\/www.techinsurance.com\/products\/verticals\/programming-and-application-developers\/\">to be an insurance<\/a> that covers bugs).<\/li>\n<li>Accept<br \/>\nEven if you have identified and assessed a risk, it does not always mean you need to do anything about it. Low risks can sometimes simply\u00a0be ignored.<\/li>\n<li>Exploit (after\u00a0<a href=\"http:\/\/www.dbpmanagement.com\/15\/5-ways-to-manage-risk\">DBP Management<\/a>)<br \/>\nTurn it into an advantage. Maybe\u00a0you have identified a risk of your website having to handle a huge load? But that is something you actually want, so you exploit the risk by making your website even more attractive, useful, and easy to reach.<\/li>\n<\/ol>\n<p>When do you know you have tested enough, then? When you have lowered the risk to an acceptable level. And what is an acceptable level? The answer to this question may be a risk you can transfer to your stakeholders :).<\/p>\n<p>Let me know what your take on\u00a0risk-reducing in software testing is.<\/p>\n<hr \/>\n<p>&nbsp;<\/p>\n<h5>Additional resources<\/h5>\n<p><a href=\"http:\/\/www.coso.org\/documents\/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20-%20for%20merge_files\/COSO-ERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf\">Risk Assessment in Practice<\/a> &#8211; easy to follow\u00a0guide<\/p>\n<p><a href=\"https:\/\/www.mindtools.com\/pages\/article\/newPPM_78.htm\">Risk\/Impact Probability Chart<\/a>\u00a0&#8211; risk heatmap example<\/p>\n<p><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2007\/08\/perceptions_of.html\">Perceptions of Risk<\/a> &#8211; Bruce Schneier on how people are bad at estimating\u00a0risk; this should not discourage you from trying to reduce risks, though<\/p>\n<p><a href=\"https:\/\/www.psychologytoday.com\/articles\/200801\/10-ways-we-get-the-odds-wrong\">10 Ways We Get the Odds Wrong<\/a> &#8211; people are bad at estimating 
risk, by\u00a0Psychology Today; read it to learn more about what your brain does with risks<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is software testing? There are many ways to answer this question: ISTQB: &#8222;Process of executing a program or application with the intent of finding the software bugs.&#8221; Wikipedia (Cem Kaner would probably agree): &#8222;Investigation conducted to provide stakeholders with information about the quality of the product or service under test.&#8221; James Bach: &#8222;Lighting the &hellip; <a href=\"https:\/\/oso.com.pl\/?p=364&#038;lang=en\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \u201eTesting as risk-reducing activity\u201d<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[20],"tags":[],"class_list":["post-364","post","type-post","status-publish","format-standard","hentry","category-testing"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p217OK-5S","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"a
uthor":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=364"}],"version-history":[{"count":13,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/364\/revisions"}],"predecessor-version":[{"id":482,"href":"https:\/\/oso.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/364\/revisions\/482"}],"wp:attachment":[{"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oso.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}