Risk-Based Testing
Time is always limited. Risk-based testing uses risk exposure to decide what to test first, how deeply to test it, and what to deprioritise when time runs out.
What it is
Risk-based testing (RBT) is an approach to test planning where you use risk assessment to prioritise test activities. The areas with the highest risk get the most test effort; low-risk areas get less or none. This is how experienced leads make defensible decisions about coverage when there isn’t time to test everything.
Product risk vs project risk
- Product risk — risks that the software will fail to meet stakeholder needs. These become test targets. Examples: payment processing errors, data loss, security vulnerabilities.
- Project risk — risks that affect the testing process itself. Examples: late delivery of test environments, incomplete requirements, team capacity issues.
Risk-based testing primarily addresses product risk. Project risk is managed in the test plan.
Risk exposure = likelihood × impact
Risk exposure is the product of two factors:
- Likelihood — how likely is this to fail? (technical complexity, code churn, new developer, known defect history)
- Impact — what’s the consequence if it fails? (financial loss, user harm, reputational damage, regulatory breach)
| Feature area | Likelihood (1–5) | Impact (1–5) | Exposure | Priority |
|---|---|---|---|---|
| Payment processing | 3 | 5 | 15 | High |
| User authentication | 2 | 5 | 10 | High |
| Product search | 4 | 3 | 12 | Medium |
| Wishlist feature | 2 | 2 | 4 | Low |
| Email preferences | 1 | 1 | 1 | Very Low |
Building a risk register
- Identify risks — brainstorm with stakeholders, developers, and the team. Review defect history. Check industry-specific risks.
- Assess likelihood — consider: code complexity, number of changes, developer experience, module age, integration points.
- Assess impact — consider: user importance of the feature, business criticality, regulatory requirements, number of users affected.
- Calculate exposure — multiply the scores. Sort descending.
- Map to test effort — high risk = deep testing + automation + early testing. Low risk = light testing or none.
How risk drives test decisions
- Test order — test high-risk areas first so critical bugs are found early.
- Test depth — high-risk areas get full EP/BVA/decision table coverage. Low-risk areas may get smoke tests only.
- Automation priority — high-risk, frequently run paths should be automated first.
- Exit criteria — if time runs out, you can demonstrate that high-risk areas were fully tested and low-risk areas were consciously deprioritised.
ISTQB mapping
| Ref | Topic | Level |
|---|---|---|
| CTFL 5.2 | Risk management overview — product vs project risk | Foundation |
| CTAL-TM Ch. 2 | Risk-based testing — full framework, risk register, mitigation | Advanced / Lead |
| CTAL-TA 2.3 | Risk-based testing tasks for the Test Analyst | Advanced / Senior |
Practice this technique: Try Test Lead Practice 02 — Risk-based prioritisation, Senior Practice 09 — Cross-level regression.
NZ example — risk register for a NZ e-commerce platform
For a New Zealand e-commerce platform, a practical risk register might include:
- Payment processing via POLi (NZ bank-to-bank payment) — High likelihood if newly integrated, High impact (revenue loss, customer trust) = exposure 25, test first and deepest.
- NZ address validation (RD addresses, apartment formats) — Medium likelihood (complex input rules), High impact (failed deliveries) = exposure 15.
- GST calculation correctness — Low likelihood (stable code), High impact (tax compliance breach, IRD penalty) = exposure 10.
- Product image display — Low likelihood, Low impact = exposure 4, test last or not at all if time is cut.
Risk-based testing means: when the sprint is shortened, you can show the stakeholder exactly which risks were fully tested and which were consciously deferred. “We tested payment and address validation; we deferred product image testing — here is the residual risk.”
Try It — Build a risk register
A NZ government agency is launching a new online rates payment portal. Five feature areas need risk scoring. Assign Likelihood (1–5) and Impact (1–5) scores to each area, then check your reasoning against expert answers.
| Feature area | Likelihood (1=rare, 5=certain) |
Impact (1=trivial, 5=critical) |
Your exposure |
|---|---|---|---|
| Payment processing (credit card + POLi) | — | ||
| Rate calculation (council formula, new code) | — | ||
| Login & authentication (RealMe integration) | — | ||
| PDF receipt generation | — | ||
| Help text / FAQ page | — |
Expert reasoning
| Feature area | Likelihood | Impact | Exposure | Why |
|---|---|---|---|---|
| Payment processing | 4 | 5 | 20 | High complexity, financial loss if broken, reputational damage. Test first and deepest. |
| Rate calculation | 4 | 5 | 20 | New custom code, IRD-equivalent compliance issue if wrong, affects every ratepayer. |
| Login / RealMe | 3 | 4 | 12 | External dependency, blocks all portal access if broken, but RealMe is mature. |
| PDF receipt | 2 | 3 | 6 | Nice to have, users can screenshot if broken. Not a blocker. |
| Help / FAQ | 1 | 1 | 1 | Static content. A typo is embarrassing but not a risk. |
Ranking insight: Payment and rate calculation tie at exposure 20 — both should get equal deep testing. Help/FAQ is exposure 1 — if you run out of time, skip it and document the residual risk.