Catalog
method#Quality Assurance#Reliability#Observability#Software Engineering

Risk-Based Testing

A testing method that prioritizes test activities by risk to focus limited resources on the most critical potential failures.

Risk-Based Testing prioritizes testing activities based on identified risks to product and users, enabling efficient use of limited testing resources.
Established
Medium

Classification

  • Medium
  • Organizational
  • Organizational
  • Intermediate

Technical context

Test management tools (e.g., TestRail, Zephyr)Issue tracking and CI systemsMonitoring and observability platforms

Principles & goals

Assess risks clearly and traceably.Allocate testing effort proportional to potential harm.Engage stakeholders early and communicate priorities transparently.
Build
Domain, Team

Use cases & scenarios

Compromises

  • Misjudgements can lead to undiscovered critical defects.
  • Stakeholder pressure can distort priorities.
  • Over-simplifying risk categories reduces usefulness.
  • Hold regular risk reviews with domain stakeholders.
  • Use a combination of metrics and expert judgement.
  • Use automation selectively for repeatable, high-priority tests.

I/O & resources

  • Risk register or list
  • Product requirements and architecture description
  • Historical defect and usage data
  • Prioritized test plans and test cases
  • Risk and release recommendations
  • Documentation of mitigation actions

Description

Risk-Based Testing prioritizes testing activities based on identified risks to product and users, enabling efficient use of limited testing resources. The method combines risk assessment, test planning and focused execution so that high-likelihood and high-impact defects are addressed first. It supports informed release decisions during the development cycle.

  • More efficient use of limited test resources on critical areas.
  • Improved decision basis for releases and risk posture.
  • Focus on defect types with high likelihood and impact.

  • Prioritization quality depends on accuracy of risk assessment.
  • May neglect low-risk tests that are cumulatively relevant.
  • Requires disciplined maintenance of the risk portfolio.

  • Coverage of high-risk areas

    Percentage of tests covering high-risk relevant functions.

  • Discovery rate of critical defects

    Number of critical defects per tested risk category within a release.

  • Time to test execution for high-risk areas

    Average time from identifying a risk to completing its tests.

Banking backend

Prioritization of integration and transaction tests by impact on account balances and compliance.

E-commerce platform

Focus on checkout and inventory functions before a major marketing campaign.

Medical software

Test planning oriented to patient safety and regulatory requirements.

1

Identify risks and assess likelihood and impact.

2

Define risk categories and thresholds.

3

Prioritize test cases and activities based on risk weighting.

4

Implement automated tests for highest risk areas.

5

Monitor results, maintain risk portfolio and adapt test plan.

⚠️ Technical debt & bottlenecks

  • Lack of automation in prioritized areas.
  • Incomplete or outdated defect history.
  • No integration between risk and test management tools.
Lack of domain knowledgeLimited test automationInsufficient defect history
  • Using risk-based testing as a pretext to reduce testing indiscriminately.
  • Incorrect risk assignments leading to missing safety checks.
  • Counting only formal risks while practical user paths remain untested.
  • Underestimating cumulative effect of small defects.
  • Failing to update the risk portfolio across releases.
  • Over-reliance on individuals for risk assessment.
Experience in risk management and QAAbility to analyze historical defect dataKnowledge of product domain and user impact
Criticality of functionsRegulatory requirementsAvailability of limited testing resources
  • Time constraints before releases
  • Limited test environments and data
  • Regulatory documentation obligations