Risk analysis is absolutely key to being an effective tester. I have rarely found it effective or possible to “test everything”, and so there is always an element of deciding what and how much I want to test before I have confidence in the quality of a piece of work. Even in cases where I do need vast test coverage, I still need to prioritise what I will test first. The reason I do this is because I want to provide reports on the most important defects as soon as possible, as this is where I deliver the most value.
What to test and how much to test?
So how do I answer these questions? With more questions of course! There are a variety of factors that determine how I will answer, but some general questions that help me decide are:
- What is it? What does it do?
- How complex is it?
- How much do I understand about it?
- Does it have good documentation I can refer to?
- Does it have clear requirements?
- How much time do I have to test? Is there a deadline?
- What resources do I have available to me?
- What tools do I have available to me?
- How critical to the business is it?
- Does it interact with or affect other critical systems?
- Who uses it? How do they use it?
- Is it a modification to an existing system or a brand new system?
- If it's a modification, does the system have a history of instability?
- What is the modification and what does it affect?
- Are there any pre-existing defects I need to know about?
- Are there any performance or security concerns?
- What are the most important parts of the system? Do I have an order of priority?
There are many, many more questions I could ask. Some of these questions I might already know the answers to, but they still influence my decisions on what and how much I test. Its important to realise that some of these questions have impacts on one another, it is only with the full picture that I can effectively identify risks. For example, with limited time and resources, it directly impacts how much I will test and therefore I would prioritise testing the critical areas of the system that are new or have changed.
Asking these questions also allows other members of the team to consider them and helps them gain an insight into my work and what I’m looking for. Over time this can provoke them into providing better information and lead to more collaboration.
But surely you always prioritise critical areas of the system?
Not necessarily, there may be many critical areas and it may not be possible for me to test all of those areas given the time and resources I have available. We may in fact consider some critical areas to be very stable and know that they have not changed. I may decide to accept the risk of not testing these areas in order to focus on areas that I know are more unstable or have been affected by change.
No testing? That’s crazy!
I’m not saying no testing, I’m just suggesting that no testing can be an option - but one of many. Ideally if I had any critical areas that I felt I couldn’t comprehensively test in the time frame I would still look to perform some testing. This can range from very basic smoke tests, time-boxed exploratory tests or some further prioritised order of tests. If this particular area is something that is regularly covered during regression testing, then it may have automation scripts I could run. I may choose to only run automation scripts for that area.
However, ultimately, you will be making a decision to not test something, somewhere. Therefore you must be comfortable with being able to draw this line based on your informed understanding of the risks.
What if there is no deadline?
Then I would ask the business how long is too long. The business will want the work by some ideal time, otherwise they would not ask for the work to be carried out. They will not wait indefinitely and there is always value in delivering work quickly.
Usually a business may give you no deadline simply because they do not understand enough about testing but want you to do a good job. They don’t want to give you an arbitrary deadline because they don’t know themselves how much testing is enough. It is important to start a dialogue at this point to really explore what the business wants and collaboratively come to a decision on how much testing you really want to do.
- In order to decide what to test, you need to gather information regarding time, resources, priorities, etc.
- Not testing specific areas is a valid option.
- Comprehensive testing is never an option in an agile environment.
- There is always a desired deadline even if it is not explicitly stated.