Friday, September 27, 2019

Of What? To Who? When?

Fiona Charles ran a workshop on business risk analysis for my team at Linguamatics last week. Across the day we covered risk-based testing, how it can help with prioritisation, and how it is often overlooked as a factor in test design.

We also looked at how the presentation of risks and their potential impact to someone who matters can be a way to engage stakeholders in the testing effort. Hopefully, this would in turn encourage contribution to activities such as test idea generation, triage, and attempts to mitigate risk elsewhere during design and development.
Stakeholders often expect a level of testing we can't deliver. (Fiona Charles)
The approach to risk assessment that Fiona outlined has some similarity to a pre-mortem. Essentially: assume the system has been implemented then look for ways in which it could go wrong. It's important to understand who the relevant stakeholders are — they are more than just your users — and to solicit diverse perspectives in your analysis to represent them.
Orient your questions to business impact and seek concrete answers. (Fiona Charles)
A mind map of checklists provided triggers for evaluating each risk, who was at risk, the potential impact, under what conditions, for how long, how often, and other factors. We wondered as a group about attempting to calculate the probability of a particular risk but Fiona warned us about getting too formal.
Use qualitative evaluation over numeric. (Fiona Charles)
The conversation around this reminded me that there's a human tendency to forget about black swans in risk assessment, to miss those events that are extreme in both scarcity and size of effect. Related, we talked about the difficulty of constraining this kind of analysis, or directing it into productive avenues such as surfacing the "unknown unknowns". There was overlap here with the useful distinction between risk and uncertainty.

It was interesting to me that the group I was in initially tried to drive risk identification with the mind map. While it certainly had value as a mnemonic, something like Kipling's Serving Men, we found that it made for a very messy map.

Better, we eventually thought, to generate the risks and then place them as the central node of their own map, each map showing which factors were relevant to them. We didn't get chance to try it, but some kind of small multiples view of risk might be interesting in the aggregate.

In this made-up example above, nine risks (the shaded blue central nodes) are being assessed for each of six factors (the clear nodes, in particular top-left represents stakeholders and bottom-right represents impacts). Arranging the analysis this way suggests a potential correlation of yellow and pink stakeholders to red and green outcomes which might be useful to dig into, or perhaps to form equivalence classes in testing.

For around half of the day we tried to apply the method to a hypothetical project set inside our own company with some of our business stakeholders playing themselves. I wrote the scenario to be realistic but, with hindsight, I think there was too much scope to find stakeholder disagreement about scope and we tended to pursue that rather than the wider risk landscape.

This is unsurprising given that it's our day job to find those risks, the risks are easily uncovered and have immediate impact, and there was time pressure. While not the key point of the workshop, it was still valuable be reminded that we should step back and think more carefully about other kinds of risk to other kinds of stakeholders.

I've written before about how I hold myself to high standards on the training I organise for the team. In particular, as a participant, I want to be open to learning at the start, I want to engage and contribute while I'm there, and I want to take something directly into my own practice afterwards. I think I achieved those things and, on this occasion, my intention is to more frequently enumerate who a risk is to, what the potential effects are, and under what circumstances.

1 comment:

  1. To a tester, "What could possibly go wrong?" isn't just a rhetorical question.

    Having said that, I've just been reading (and frankly, struggling with) Daniel Kahneman's 'Thinking, Fast and Slow'. One of the things I **have** taken away from the book is properly evaluating the impact on risk analysis of unusual events. Kahneman suggests that we are likely to over-emphasise the importance of unusual events, seeing them as more frequent than they actually are because they have happened to us.

    So (broadly speaking), I feel that risk analysis needs a wide range of inputs so that individual viewpoints - which may be biased - can be seen in more appropriate proportions.