Difference between product and process risks

In practice, the differences between process risks and product risks are often unclear. It is therefore important for a test manager to make sure that the stakeholders understand the difference. The test process must result in an understanding of the (ongoing) product risks. Process risks represent a threat to achieving this result.

Product risk

A product risk is the risk that the product does not live up to expectations. These expectations are made concrete by the functional and non-functional requirements for the product.

Process risk

A process risk is a risk related to the chance that the (execution of the) process (the test process in this case) does not live up to the expectations. As such, process risks are related to process control. Success is threatened by two risk types: risks related to the execution of the internal process and risks related to external threats.

Internal process risks

A (project or test) plan is used to tackle a number of known process risk areas in advance. The quality of the plan and plan execution control have a direct bearing on the internal process risks.

External process risks

Process risks are also related to possible disruptions from outside. These external risks, which stem from environmental factors, are generally impossible to control. However, a project can try to anticipate these events to minimize the resulting damage as much as possible.


The damage associated with a process risk can generally be expressed in terms of the extra time and money required for the process to achieve the desired results.

Throughout the test process, the test manager must implement measures to manage the process risks that threaten the success of his results. As such, it is important for a test manager to specify the risks to the test process explicitly. The client and other stakeholders will then have a better understanding of the risks to the test process and can keep them in mind when managing the total execution process.

We should note that confusion may result if the chance of failure of a process risk is also part of the chance of failure of a product risk.

Example

In the product risk analysis, the deployment of inexperienced developers is specified as one cause of the higher chance of failure for a certain object part. A vital customer process will be shut down if the object part fails, resulting in loss of hours and revenue for the customer organisation. The chance that inexperienced developers will be deployed cannot yet be determined because the development team has not yet been established. If inexperienced developers are deployed, the chance of failure will increase. A mitigating measure in this situation is to classify the object part in a higher risk class. As a result, the object part must be tested more thoroughly.

In the process risk analysis, the test manager identifies the deployment of inexperienced developers as a threat to the progress of the test process. Inexperienced developers may deliver lower software quality, which would result in more retesting than was originally planned. This would endanger the deadline. The test manager discusses the process risk with the project manager. It becomes clear that inexperienced developers will indeed be deployed. The test manager proposes to schedule more time for retesting this object part. The project manager does not agree and therefore decides to accept the risk and the damage that may result. He could also take compensatory measures beyond testing, e.g. coaching the inexperienced developers.