software testing genius

How to do Risk Analysis


All software projects benefit from risk analysis. Even for non-critical software, using risk analysis at the beginning of a project highlights the potential problem areas. This helps developers and managers to mitigate the risks. The tester uses the results of risk analysis to select the most crucial tests.

How is Risk Analysis done?

Risk analysis is a well-defined process that prioritizes modules for testing.

A risk has the following three components:

(a) The risk (rI) associated with a project (i <- 1 to n).

(b) The probability of occurrence of a risk, (II).

(c) The impact of the risk (XI)

Risk analysis consists of first listing the potential problems and then assigning a probability and severity value for each identified problem. By ranking the results, the tester can identify the potential problems most in need of immediate attention and select test cases to address those needs.

There are two methods of doing systematic risk analysis

Method-1: Using Risk Analysis Table (RAT)

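| Problem ID | Potential Problem (rI) | Probability of Occurrence (II) | Impact of Risk (xI) | Risk Exposure = (II) * (xI) |
|---|---|---|---|---|
| | Loss of power | | | |
| | Corrupt file header | | | |
| | Unauthorized access | | | |
| | Databases not synchronized | | | |
| | Unclear user documentation | | | |
| | Lost sales | | | |
| | Slow throughput | | | |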

The legend for the Risk Analysis Table is as follows:

Problem ID: A unique identifier associated with a risk.

Potential problem (rI): A brief description of the problem.

Probability of occurrence (II): A probability value on a scale of 1 (low) to 10 (high).

Severity of impact (XI): A severity value on a scale of 1 (low) to 10 (high).

Risk exposure: The product of (II) and (XI).

In this Risk Analysis Table, the values of II and xI range from 1 to 10.

Multiplying the probability and severity values yields the risk exposure.

"The higher the risk exposure product, the more important it is to test for that condition".

Applying this rule to the above Risk Analysis Table, we get the following ranking of the potential problems based on their risk exposure.

The order of preference shall become

Although problems D and G have the same risk exposure, they differ by their probability and severity values.

Some organizations prefer the Risk Analysis Table method, while many others adopt the risk matrix analysis methodology.

Method-2: Risk Matrix Analysis (RMA)

A risk matrix allows the tester to evaluate and rank potential problems by giving more weight to the probability or severity value as necessary. The software tester uses the risk matrix to assign thresholds that classify the potential problems into priority categories.

There are four main methods of forming risk matrices

RMA Method - 1: Typically, the risk matrix contains four quadrants, as shown below.

Each quadrant in the above figure represents a priority class, defined as follows:

Priority 1: High severity and high probability.

Priority 2: High severity and low probability.

Priority 3: Low severity and high probability.

Priority 4: Low severity and low probability.

We can see from the figure above that a risk with high severity is deemed more important than a problem with high probability. Thus, all risks mapped in the upper left quadrant fall into priority 2.

For example, the risk-e, which has high probability of occurrence but low severity of impact, is put under priority 3.

RMA Method - 2: For an entirely different application, we may swap the definitions of priorities 2 and 3, as shown in the figure below.

An organization favoring the above figure seeks to minimize the total number of defects by focusing on problems with a high probability of occurrence.

Dividing a risk matrix into quadrants is most common. The testers can determine the thresholds using different types of boundaries based on application specific needs.

RMA Method - 3: Diagonal band prioritization scheme.

If severity and probability tend to carry equal weight, i.e., if (II) = (XI), then a diagonal band prioritization scheme may be more appropriate. This is shown in the figure given below.

This threshold pattern is a compromise for those who have difficulty in selecting between priority-2 and priority-3 in the quadrant scheme.

RMA Method - 4: Some managers found that problems with high severity must be given the top priority, irrespective of the value of probability. This problem is solved with RMA Method-4, shown in the following figure.

The remainder of the risk matrix is partitioned into several lower priorities, either as quadrants (RMA Method-1 and 2) or as diagonal bands (RMA Method-3).
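The Risk Analysis Table ranking and the four RMA methods side by side, as an added example that is not part of the original article. The problem names are the page's; the IDs A to G, the probability and severity scores, the quadrant boundary of 5, the diagonal band cut points and the Method-4 severity cutoff of 9 are all assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    pid: str
    name: str
    prob: int  # probability of occurrence, 1 (low) to 10 (high)
    sev: int   # severity of impact, 1 (low) to 10 (high)

    @property
    def exposure(self) -> int:
        return self.prob * self.sev  # risk exposure = probability * severity

# Constructed sample: problem names are the page's; IDs and scores are invented here.
RISKS = [
    Risk("A", "Loss of power", 1, 10),
    Risk("B", "Corrupt file header", 2, 1),
    Risk("C", "Unauthorized access", 6, 8),
    Risk("D", "Databases not synchronized", 3, 8),
    Risk("E", "Unclear user documentation", 9, 1),
    Risk("F", "Lost sales", 1, 8),
    Risk("G", "Slow throughput", 8, 3),
]
HIGH = 5  # assumed quadrant boundary: a score above 5 counts as "high"

def rank_by_exposure(risks):
    """Risk Analysis Table: highest exposure first (ties keep ID order)."""
    return [r.pid for r in sorted(risks, key=lambda r: (-r.exposure, r.pid))]

def quadrant(r, severity_first=True):
    """RMA Method-1; severity_first=False swaps priorities 2 and 3 (Method-2)."""
    hi_p, hi_s = r.prob > HIGH, r.sev > HIGH
    if hi_p == hi_s:
        return 1 if hi_p else 4
    return 2 if hi_s == severity_first else 3

def diagonal_band(r, cuts=(15, 11, 7)):
    """RMA Method-3: bands on prob + sev; the cut points are assumed."""
    total = r.prob + r.sev
    return next((p for p, c in enumerate(cuts, 1) if total >= c), len(cuts) + 1)

def severity_override(r, sev_cut=9, rest=diagonal_band):
    """RMA Method-4: severity at or above sev_cut is priority 1 outright;
    everything else drops one level below its band (assumed layout)."""
    return 1 if r.sev >= sev_cut else 1 + rest(r)

def compare(risks):
    """Map ID -> (exposure, Method-1, Method-2, Method-3, Method-4)."""
    return {r.pid: (r.exposure, quadrant(r), quadrant(r, False),
                    diagonal_band(r), severity_override(r)) for r in risks}
```

With these sample scores, D and G tie on exposure yet land in different quadrants, and "Loss of power" ranks fourth by exposure but becomes priority 1 under Method-4.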
