Risk analysis and risk management are not highly developed in the software development world. Identifying risks at the beginning of a project is often difficult. Very little use is made of earlier experiences with projects similar to the one you’re about to start. Also, the risks that are identified are often too abstract to be of any use. Risks such as “errors can harm the reputation of the company” or “security leaks can lead to serious problems” are not very helpful in getting the real issues on the table.
Also, we often see that a test manager does his/her risk analysis after the functional design has been made, as part of the creation of the test plan. This applies to both the product risk analysis and the project risk analysis. Various stakeholders and specialists give input to get the list of risks on the table. The purpose of this list is to establish which parts of the product are important, need more focus and need to be tested thoroughly, and which parts need less attention.
Risk analysis is usually divided into project risk analysis and product risk analysis. In development projects one does not exist without the other: a product risk can lead to a project risk and vice versa. When you don’t have proper resources you may need more time, and the product quality could be lower in the end. When functionality is missing you may need to redo a lot of testing, and this can lead to a project risk with respect to time and money. These are just a couple of examples.
You always hear project managers and test managers talk about separate responsibilities. Sure: the project manager is responsible for the whole project, and within that project the test manager is responsible for the testing. But is that a reason why the project manager should do his own risk analysis and the test manager should then do it all over again, this time more focussed on testing? What a waste. A lot of meetings, a lot of pointless discussions. All in the name of “stakeholder management is important” and “communication is important”. OK, all people who are important for the implementation of the product (or service, or whatever it is) should be involved. Definitely. The product must be accepted in the organization. But can we do the risk analysis without wasting a lot of time? Yes!
The risk analysis (both product and project risk analysis) should be made during the functional design phase, in which developers, users, product specialists, managers and also the test manager should be involved. The only way to identify all the risks is to have all the people involved work together.
Let us return to our basic triangle. At the start of the project the business case is defined. The business case gives a brief outline of what the result of the project should be and what is required to get to that result. During the analysis phase the project risks and, if possible, the product risks are defined at a high level. We are now at the starting point of the development process, the top of the triangle. At this point an estimate of the size of the project has already been made, along with the problems that can be expected. Already in that phase, representatives of the various parties involved should participate in the analysis of the project and product risks.