Risk-based testing starts with a quality risk analysis (identifying and assessing product quality risks). This analysis is the foundation of the master test plan and the other test plans. As specified in the plan(s), tests are designed, implemented, and executed in order to cover the risks. The effort associated with developing and executing a test is proportional to the level of risk, which means that more meticulous test techniques (such as pairwise testing) are used for higher risks, while less meticulous test techniques (such as equivalence partitioning or time-boxed exploratory testing) are used for lower risks. In addition, the priority of the development and execution of the test is based on the level of risk. Some safety-related standards (e.g., FAA DO-178B/ED 12B, IEC 61508), prescribe the test techniques and degree of coverage based on the level of risk. In addition, the level of risk will influence decisions such as the use of reviews of project work products (including tests), the level of independence, the level of experience of the tester, and the degree of confirmation testing (re-testing) and regression testing performed.
During the project, the test team is aware of additional information that changes the set of quality risks and/or the level of risk associated with known quality risks. Periodic adjustment of the quality risk analysis, which results in adjustments to the tests, will occur. These adjustments will occur at least at major project milestones. Adjustments include identifying new risks, re-assessing the level of existing risks, and evaluating the effectiveness of risk mitigation activities. To take one example, if a risk identification and assessment session occurred based on the requirements specification during the requirements phase, once the design specification is finalized, a re-evaluation of the risks will occur. To take another example, if during testing a component is found to contain considerably more than the expected number of defects, one can conclude that the likelihood of defects in this area was higher than anticipated and thus adjust the likelihood and overall level of risk upward. This could result in an increase in the amount of testing to be performed against this component.
Product quality risks can also be mitigated before test execution starts. For example, if problems with the requirements are located during risk identification, the project team can implement thorough requirements specification reviews as a mitigating action. This will reduce the level of risk, which means that fewer tests are needed to mitigate the remaining quality risk.