For each combination of characteristic, process and product requirement, the participants estimate the damage if the quality of a specific characteristic were to be inadequate. Generally speaking, the (intended) users of the product are best able to estimate the damage that would result if the product failed in the production situation.
Damage can be expressed in absolute form, in terms of money. In relative form, organisations often use high, moderate and low to classify the damage.
The ‘Risk factors per quality characteristic’ checklist is one tool to help determine the possible damage per characteristic.
The ‘What if?’ technique is suitable for identifying the damage and its gravity. The following questions are asked per combination of characteristic, process and product requirement:
- What undesirable events may occur for this characteristic of the process if the product requirement is not met?
- What are the damaging effects of these undesirable events for the process?
- How often are these processes executed?
- What is the concrete impact of the damage?
The starting point is that all damage indications start at low; the participants must argue why the damage is more extensive for specific requirements. In addition, we use the classification 'very low' when an item, whether it is a requirement or a subsystem, is about to be forgotten.
Characteristic: Functionality
Process | Sub process | Product requirement | Damage | Arguments |
---|---|---|---|---|
Sales | ---- | Compliance with the functional requirements | High | Loss of revenue if breakdown of the sales process |
Sales | Advice | With an eye to the legal duty of care, the advice given and how the client decides to deviate from the advice must be recorded | High | High fines and negative press will result for the company if this functionality does not work (correctly). |
Sales | Offer | The offer must contain the correct premium. | Moderate | |
Damage table for the characteristic of functionality.
Characteristic: Security
Process | Sub process | Product requirement | Damage | Arguments |
---|---|---|---|---|
Sales | ----- | Compliance with the security policy | High | In the event of non-compliance with the security requirements, confidential customer information may become public and the company will suffer serious loss of reputation. |
Damage table for the characteristic of security.