Risk-based requirement prioritization — save project money, time and effort
Nov 17, 2022 by Yogesh Kshirsagar
Nov 17, 2022 by Yogesh Kshirsagar
Risk-based prioritization (RBP) is about identifying requirement risks, understanding testing needs and ranking requirements in line with business priorities.
Testing has its own set of risks including ambiguous requirements, test environments, unavailability and not having proper stubs or automation tools for testing. Crucially, if you don’t address a particular risk, it could become a costly issue in production.
RBP can streamline your entire software development process if carried out efficiently and effectively. It can also save money diverted to testing bugs you could have captured earlier in the software development lifecycle (SDLC).
The entire team is responsible for developing crystal clear requirements at the beginning of your project. If team members don’t understand a requirement, it will cause defects in production. It’s extremely expensive to fix anything in production. After all, you’ll need to stop applications, risking losing reputation points because your system is down (imagine your bank system failing for 5 minutes just when you want to make an important transaction).
The cost of fixing defects increases exponentially if you allow them to propagate from one phase to another. Let’s say a requirement issue surfaces in the design phase; it would be much timelier and more cost-effective to contain it in the requirements phase itself.
If programmers, testers and managers know precisely what they’ll be implementing as a team, there will be very few change requests, reducing time-to-market and saving a great deal of money and effort. Clearly, if your requirements are frozen with next to no changes, you can stick to the project scope and schedule, and deliver on time or even early.
The challenge is whether you can test, prioritize and categorize your requirements to optimize and test development.
RBP is a process that enables you to clarify, redefine and rank your requirements according to importance, even before you begin development and testing. This article looks at identifying non-testable requirements and making them testable, plus the practical benefits of risk-based prioritization.
You rarely encounter project supervisors or test managers at pains to understand whether your requirements can be tested or reviewed as a team exercise. It’s one of test management’s critical challenges and a threat to your entire testing process.
These five characteristics help team members understand and interpret requirements consistently.
So, when you’re in the sprint planning or analysis phase, business analysts gather requirements so the testing team can go through the lot and check the testing criteria. If you haven’t fully identified your testing team, make sure you have a test manager, plus some test engineers and developers who can work on clarification.
If you see that you can’t test some of your requirements, try to make them testable by applying risk-based prioritization. For instance, your requirement definition might say, “The application should show a status message or disconnect a user if there is no activity for about 60 seconds.”
The statement raises the following questions:
You cannot test ambiguous requirements. Inevitably, different people interpret things differently. Developers might implement one thing, and testers test something else entirely. Then the resulting product will have little value and create no customer satisfaction. Consequently, you must make requirements crystal clear.
To make it testable, you have to work with your business analysts to clarify the ambiguities, update the requirements, and circulate the updated documentation throughout the team. Once you’ve completed this initial exercise, you can start the core process of risk-based prioritization.
The three-step risk-based prioritization process:
Number two input parameters (impact and probability) for each requirement. “Impact” gauges the ramifications of your requirement failing in production. “Probability” indicates the chance of failure or errors creeping into production. These two parameters are generally rated from 1 to 3 (low-high).
Multiplying the impact and probability ratings together gives you the requirement risk scores (1-9). Having identified the risk scores, we divide your requirements into high-risk, medium-risk and low-risk requirements by setting up some guidelines as follows:
Parameters and the scoring model can vary depending on the company you’re working with.
The left table shows the guidelines set for requirements categorization. The table on the right shows permutations and combinations along with basic categories like high, medium and low.
The test manager consolidates all the inputs and circulates the results, detailing the number of high-, medium- and low-risk requirements as follows:
Based on these inputs the team starts working on development, testing and implementation.
In summary, risk-based prioritization helps:
All three are interrelated, in terms of the sequence of change and the technologies involved. However, institutions can’t wait to complete each step in sequence, rather having to adopt hybrid solutions to progress on all fronts.
The risk-based prioritization testing process allows you to scrutinize requirements in the gathering phase. It enables you to focus on testing and minimizing defects that penetrate the system due to inaccurate requirements. At the same time, it helps you identify priorities and category requirements, and optimize your UAT. RBP provides a strong foundation for testing, automatically improving your development process quickly and with maximum business value.
Find out more about how Zoreza Global can help you streamline your software development process by visiting luxoft.com/capital-markets or contact us — we have many more insights to share with you.