Everyone exposes themselves to risk. Risk is an omnipresent part of every human endeavor, regardless of whether you are speeding on the highway or just taking a breath of fresh air. Testing is no exception.
Any software tester can tell you that risk and testing are related, but there is still very little clarity as to what risk-based testing actually is. Testing literature is replete with false statements and incomplete or ambiguous explanations of the topic. In my experience, “risk-based testing” is often just a buzz-phrase with little substance behind it.
When I ask the question “what is risk-based testing”, I often receive the unsatisfactory response that risk-based testing is “testing based on risk”. While that answer isn’t wrong, it tells me that either “risk” or “testing” is not well understood in the testing community. Since the latter option seems highly improbable, our goal is to understand what “risk”, or more specifically business risk, means in the context of testing.
Let’s start by looking at business risk in order to understand what it causes.
Given the ubiquity of the general term, it is surprising how little consensus there is about its proper definition. Risk is incorporated into so many distinct disciplines, from insurance to engineering, that it is often defined in totally different ways by each one.
This brings us to an important conclusion: the meaning of risk varies widely between distinct professions. In other words, in each of these professions, risk tells a different story. If we want to work out a universal definition of the term, we need to take a step back.