Why Risk-Based?
- Can't test everything — prioritize
- Focus effort where impact is highest
- Optimize limited time and resources
Risk Assessment Matrix
| Low Impact | Medium Impact | High Impact |
|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
Risk Factors
Business Risk
- Revenue impact if fails
- User-facing vs internal
- Regulatory/compliance
- Brand reputation
Technical Risk
- New technology
- Complex integration
- Performance sensitivity
- Third-party dependencies
Change Risk
- Size of code change
- Area of codebase modified
- Developer experience with area
- Previous defect history
Applying Risk-Based Testing
- List features/areas
- Assess risk (business × technical × change)
- Allocate test effort proportionally
- Critical risk → exhaustive testing
- Low risk → basic smoke testing or skip
Example
| Feature | Business | Technical | Change | Total Risk | Test Effort |
|---|
| Payment | 5 | 4 | 3 | 60 | Exhaustive |
| Profile | 2 | 1 | 2 | 4 | Basic |
| Search | 3 | 3 | 4 | 36 | Thorough |
| About page | 1 | 1 | 1 | 1 | Smoke only |