GUIDELINES FOR RISK ASSESSMENT

a. Time/deadlines:

• Establish any ‘mission critical’ or ‘soft’ target dates, and incorporate these when assessing the resource requirements.

b. Size of job:

• Is the client (or you) accurately assessing the impact of the change? Use the dataflow mapping to trace associated processing. User representatives (or the Business Consultant) should be able assess if any future policy events or product changes are affected.

c. Stability of environment:

• Does the test environment sufficiently mirror the production environment? Has the code been substantially amended in the past? Does the environment contain only valid data or is the data old, corrupt, incomplete or inappropriate?

d. Manageable tests:

• Not all risks can be eliminated by testing but they can be controlled. Do not test for testing’s sake. Tests should be run for minutes rather than hours.

e. Grade each risk:

• If the risk is critical to the user, then tests against the risk should be more exacting.

f. Balanced risk model:

• Review the initial risk model with the users and the analyst. Inevitably the testing required to cover all risks is substantial. Take a pragmatic approach to meet the time and resource constraints without significantly increasing the the risk. The solution must always be achievable and affordable.

g. The user knows best what is mission critical:

• Although the assessment of risk is a joint process, if the customer identifies an event that they feel must be tested for then this must be included in the risk model.

h. Risks increase if the functionality is to be backdated:

• Retrofitting code should be avoided if at all possible, as components require a baseline test (see Test Types) at the system date of implementation and re-testing at the current date.

> Top <