Unravelling the Risk-Based Ruse

Sogeti UK / Content Hub / Our Blog / Unravelling the Risk-Based Ruse

In the ever-accelerating push for IT to deliver more for less in decreasing timeframes; one of the enabling ploys selected by Test Teams is to adopt and declare that they are taking a “risk-based approach”.

I recently watched an interview between an investigative reporter and a local government official who was representing a Local Authority food standards agency, the exchange went as follows:

Reporter: Following a public information request; it states that, this Local Authority hasn’t carried out a single food-standards check in any of its food outlets in the last year.
Government official: That’s right: we operate a risk-based approach.
Reporter: How can you justify not carrying out any tests in the last year and the potential risk to public health.
Government Official: We judge that risk to be very low.

Is this acceptable? Would the end-users, the public in this case, understand the potential implications of taking a risk-based approach?

How can we tell how good the judgement is that: no tests were necessary?

Do we know what the constraints are? Can we calculate that this is a “low-risk” independently of any prevailing constraints, or has the “low-risk” assessment been driven by other factors such as “not enough, or any, budget” or “not enough time” or “not enough band-width”.

So: how can we provide a more transparent judgement to allow the affected stakeholders to have a clearer line-of-sight and, crucially, the opportunity to flex one or more of the prevailing constraints if they believe that the resultant risk-based decision is, for want of any other term, “too risky”.

Therefore I think we have a duty to add the constraining caveats that underpin the covering statement “we are using a risk-based approach” whenever we use that phrase to better describe and throw-light on the quality assurance approach being taken on the customers’ behalf and to allow our stakeholders an informed view and the opportunity to challenge and potentially adjust the constraining parameters.

How good are we at assessing risk? Remembering that the end-user or the business should have the correct perspective but how does the end-user community perceive the word “risk”? Their judgement is likely to be coloured by their role. The riskiest areas highlighted will be those that support their core roles without being able to consider objectively the competing risks for other roles.

Assuming we can arbitrate and make that assessment then we can assign our resources intelligently to the areas of most risk.

Classically we can test the functions that are most likely to go wrong, and those with the biggest impact of failure if they do go wrong first. This is a well-known technique and a well-trodden path for test strategies and test plans.

Having established a risk-based approach with all of the constraining factors transparently articulated and agreed, we still face two more hurdles:

How well can we implement the approach?
How should we react to changes of plan so that the underpinning approach is not compromised?

Let’s look at what typically happens in practice for any IT project delivery of a reasonable size and complexity.

There is usually a high-correlation between the most critical functions and the most complex ones, leading to the most complex functions being delivered last, and often “late”, which confounds the neatly arranged risk-based plan where the complex ones have the priority.

As the QA/Test team is in place and keen to be making progress, typically effort then gets spent on testing anything that is ready for test, usually the least complex or the untouched elements. The time for testing the functions labelled “high-risk” gets squeezed and delayed nullifying the correct application of the carefully planned risk-based approach.

It is rare to see a project team, mid-flight, re-assess the risk profile once the test execution train is rolling. Expending effort and making progress concentrate the management attention and become the metrics of choice, instead of measures of residual risk which was the underpinning dynamic of the original planning. In short: the planned risk-based approach is compromised by stealth.

I propose a checklist that needs to work alongside any project that proclaims to be adopting a risk-based approach, and as a sidebar, is there any other approach in the real-world?

At the planning stage:
Do we have the time, effort and cost constraints documented?
Do we understand the risk assessment approach?
Do we agree with the risk assessment? {Have all stakeholders had their input?}
Can we accept the planned level of risk that will remain at project closure? {and if not we should re-visit the constraints}

At the execution stage:
Can we keep track of the level of residual risk?
Can we make plan flexibly so that conscious decisions can be made to vary or not vary the constraints based on the projected level of residual risk at project close?

If we follow this risk-based approach checklist, I believe we will be better informed on whether or not we wish to try one of those food outlets!

...

Now, where did I put that take-away menu...

Contact

Sogeti UK
Make an enquiry
0330 588 8000

Sogeti UK
Make an enquiry
0330 588 8000
Phil Lupton
Account Director, Sogeti UK
+3305888221

Phil Lupton
Account Director, Sogeti UK
+3305888221

Cookies	Description
Registered visitor cookie	Cookie given to each registered user.
Registered visitor functionality cookie	Cookies used to remember the unique identifier given to each registered user.
Social plug-in content sharing cookie	Cookies set by services such as Facebook Connect or Twitter Button, which allow social networks users to share the content of our websites on social networks.
Unregistered visitor cookie	Cookies used to give to unregistered users a unique identifier in order to recognize them and to analyze how they use the website.
Analytic cookie	Cookies used to store URLs of the previous page visited, enabling to track users navigating from inside or from outside the website. If you click on a Sogeti advertisement on a non-Sogeti website, a cookie may be used to log which website you are on, in order to ensure our advertisements are served effectively and to measure whether our advertisements are viewed. Google Analytics: cookies set by Google analytics are used for web analytical purpose, but are not used to track individual users. For further information on how Google Analytics collects and uses information on our behalf and the right to use such cookies, please refer to the Google Analytics products and services privacy statement. If you object to your Personal Data being collected by Google Analytics, you may download and install the Google Analytics Opt-out Browser Add-on. Pardot: cookies set by Pardot are used to track users on our website. Visits are tracked for known users only. Unknown users are recorded as anonymous users. Please refer to Pardot privacy policy for any further information on their use and your rights related to the use of such cookies.