Have you ever had a challenging time trying to get a manager or coworker to recognize a potentially project-stalling issue? Risk is inherent when creating something valuable and complex (like software), but sometimes it's hard to analyze and explain in a productive way. Here Johanna Rothman shares her method for addressing risks.
Setting: Our tester, Tim, is verifying load performance of a server. He has been waiting for his chance to use the server to run his tests. While he's waiting for the developers to finish, he realizes that if the server dies, he can't verify the load performance of the application. Tim makes a beeline for Pam the project manager's office.
Tim: "Hey, did you know this server is critical to our ability to load test?"
Pam: "Hmm, no, I didn't realize that." (Pam goes back to reviewing the schedule.)
Tim: "Well, I want to get another one, okay?"
Pam: "What?! No, you can't have another server. If you get another server, other people will want more servers, and then our budget will be shot."
Tim: "But if we don't have the server at all, I won't be able to test."
Pam: "Hmm, then our bug counts will go down. That's not bad."
(Tim glares at Pam.)
Pam: "Okay, then it's your job to tell me how likely the equipment is to break and how much it will cost to fix."
Ever had a conversation like this with a project manager? I hope not. But if you had, you probably walked away furious and disgusted. You knew that the project manager really didn't care what your answer was. However, you know that you somehow have to bring this information to the project manager's attention, so that she can take a more responsible approach to managing the potential issue.
Potential issues are risks. Formal risk analysis is what happens when you consider the likelihood that a potential issue will occur, and take into account the severity of it happening, giving you the exposure. Then you create a mitigation plan to deal with the problem. Testing is one form of risk mitigation, by looking for defects before the customers find them. But that's not the only form of risk mitigation you're likely to need.