Risk Management

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives). It is followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.

Risk management is one of the activities of application development. It may be carried out at different levels in a company; risks often exist at project level, especially in software testing.

Risks are not problems as such: they are potential problems that may or may not occur, each with a certain probability of occurrence.
A project may be subject to different kinds of risk, such as:
  • Legal,
  • Security,
  • Non-compliance with basic regulation, and
  • Project failure.
Risk management is an important activity because it gives all project stakeholders a better understanding of the project. The risk assessment document should be continuously reviewed and tracked throughout the project, and test plans should be synchronised with the updated risk assessment document.

The activities in risk management are as follows:

  • Risk identification,
  • Risk prioritisation, and
  • Risk treatment.
Risk identification

Risk identification depends largely on the project scope.

It is usually carried out using a number of inputs and methods, such as:

  • Project objectives,
  • Prior system knowledge,
  • Knowledge of the system design,
  • Known industry practices,
  • Prior customer complaints, and
  • Knowledge of system usage.
Example: if an unstable system is tagged for development in future projects, this is declared as a risk.
It is imperative to document properly every risk identified and assessed in a project. This in turn helps project stakeholders understand the impact of these risks on the project.

Developers and testers must revisit this list frequently as the project progresses one step closer to deployment. This helps them keep track of whether the known risks still exist and whether new risks have appeared.

Risk prioritisation means ranking the risks by how urgent and important it is to address them. To accomplish this task one must have a complete understanding of the risks.

Prioritisation is usually measured by:

  1. Risk impact, and
  2. Risk probability.
Risk impact is usually measured either as monetary loss or on a scale from 1 to 10.

Risk probability is ranked from 0 (no chance of occurring) to 1 (certain to occur).

Risk magnitude is the combination of risk impact and risk probability.
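The following is an added example, not code from the original page, showing how the prioritisation described above can be applied to a small risk register. It assumes that magnitude is computed as impact multiplied by probability (the page only says "combination"), and the register entries are constructed sample data. It also enforces the caveat a practitioner would want: impact values expressed as monetary loss and values on the 1-10 scale cannot be ranked against each other, so a register that mixes the two is rejected.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One entry of a project risk register."""
    name: str
    impact: float              # 1..10 scale, or a monetary loss when impact_unit == "money"
    probability: float         # 0.0 = cannot occur ... 1.0 = certain to occur
    impact_unit: str = "scale"  # "scale" (1-10) or "money"


def validate(risk: Risk) -> None:
    """Reject entries whose values fall outside the scales described above."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be in [0, 1], got {risk.probability}")
    if risk.impact_unit == "scale":
        if not 1 <= risk.impact <= 10:
            raise ValueError(f"{risk.name}: impact must be on the 1-10 scale, got {risk.impact}")
    elif risk.impact_unit == "money":
        if risk.impact < 0:
            raise ValueError(f"{risk.name}: monetary loss cannot be negative")
    else:
        raise ValueError(f"{risk.name}: unknown impact unit {risk.impact_unit!r}")


def magnitude(risk: Risk) -> float:
    """Risk magnitude. Assumption (not stated on the page): impact * probability."""
    validate(risk)
    return risk.impact * risk.probability


def prioritise(register: List[Risk]) -> List[Risk]:
    """Return the register ranked from most to least urgent.

    All entries must share one impact unit: a magnitude in money and one on the
    1-10 scale are not comparable, so a mixed register is rejected.
    """
    units = {r.impact_unit for r in register}
    if len(units) > 1:
        raise ValueError(f"register mixes impact units: {sorted(units)}")
    # Highest magnitude first; ties go to the higher impact, then to the name
    # so that the ranking is deterministic.
    return sorted(register, key=lambda r: (-magnitude(r), -r.impact, r.name))


# Constructed sample register (not from the original page).
SAMPLE_REGISTER = [
    Risk("Authentication library no longer maintained", impact=8, probability=0.5),
    Risk("Test environment unavailable in release week", impact=6, probability=0.75),
    Risk("Regulatory deadline missed", impact=10, probability=0.25),
    Risk("Flaky integration test suite", impact=3, probability=0.875),
]


if __name__ == "__main__":
    for rank, risk in enumerate(prioritise(SAMPLE_REGISTER), start=1):
        print(f"{rank}. {risk.name:<48} impact={risk.impact:>3} "
              f"p={risk.probability:<5} magnitude={magnitude(risk):.3f}")
```

Running the script ranks the test-environment risk (magnitude 4.5) above the unmaintained library (4.0), and the highest-impact entry, the missed regulatory deadline, lands last (2.5) because it is unlikely: the ranking is driven by the combination of both measures, not by impact alone, which is exactly why the page asks for a complete understanding of each risk before prioritising.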

Risk treatment

There are four ways of treating a risk:

  • Risk avoidance,
  • Risk transfer,
  • Risk mitigation, and
  • Risk acceptance.
  1. Risk avoidance: development of the affected application components can be postponed to a later release, but this has a big impact.
  2. Risk transfer: the solution is outsourced to another specialist company that has the right resources to treat the risk.
  3. Risk mitigation: the most common of the four ways to treat a risk. It is often used by developers and testers, as it usually has a low impact.
  4. Risk acceptance: the risk was not treated in prior releases and has to be accepted in the current release because there are no options left to deal with it.