What is a Product Risk analysis?
A project never has unlimited time and money for development. Such constraints in terms of time and money impose restrictions on the amount of functionality and/or quality to be achieved within a project. For testing this translates into making choices with regard to what to test, how to test and how thoroughly to test.
The PRA is an important tool to help the tester divide the limited resources. This starts with the risks involved with the specific project or change. We would like to like to test the most in the places where the risk is highest. The PRA helps to identify and estimate those risks.
To make high quality choices in this, the tester benefits greatly from input from various angles: which parts of the system deliver the highest benefit (or, if it fails, cause the highest damage costs), which feature or characteristic are deemed most important, which parts are invoked most, in time or by customers?
A PRA may consider a system under test from a variety of viewpoints, e.g. from a business viewpoint: how does the system fit in the business processes, which features are most important, but also from a technical/IT viewpoint: is proven technology used, how stable is an installed source code base, …?
The PRA aims at identifying high risk, high yield or highly used parts of the system under test so that test resources can be allocated accordingly.
A PRA can be conducted by all stakeholders, be it business people or IT staff. The outcome is used to plan development and test and/or other quality measures. Based on risk class, concrete test techniques and coverage types can be assigned to distinct parts of the system under test.
In principle, all analysis and design artifacts can function as input for the PRA. Non tangible knowledge (‘in the heads of people’) is also a very valuable input.
A common tangible, sometimes only intermediately used, artifact is a matrix with several angles of the system under test. Each axis in the matrix represents one aspect of the SuT, the intersections of the axes contain a derived risk classification.
The value and usefulness of a PRA depends heavily on the involvement and commitment of the various stakeholders.
Testers need a sound knowledge of test coverage and test techniques to translate risk classes into a proper test design. Without this knowledge, the output of a PRA adds less value to the effectiveness of efficiency of testing.