{"id":9686,"date":"2018-01-25T00:13:11","date_gmt":"2018-01-25T00:13:11","guid":{"rendered":"http:\/\/abstracta.us\/blog\/?p=9686"},"modified":"2025-05-05T21:20:36","modified_gmt":"2025-05-05T21:20:36","slug":"software-testing-risk-matrix","status":"publish","type":"post","link":"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/","title":{"rendered":"Risk-Based Testing: The Software Testing Risk Matrix"},"content":{"rendered":"<h1><span style=\"font-weight: 400;\">So much to test, so little time? Here&#8217;s how to create a software testing risk matrix for maximum results.<\/span><\/h1>\n<p><span style=\"font-weight: 400;\">When it comes to testing software, it can be a bit overwhelming when you get started. One resource that one can turn to is the <\/span><a href=\"https:\/\/abstracta.us\/blog\/software-testing\/the-software-testing-wheel\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">software testing wheel<\/span><\/a><span style=\"font-weight: 400;\"> that we came up with at Abstracta, based on the ISO 25010 standards for software product quality. It explains all of the different quality factors and how to test them. But you will soon realize the enormity of what should be tested with only the finite time and resources you have. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s when you have to apply <\/span><a href=\"https:\/\/www.forbes.com\/sites\/davelavinsky\/2014\/01\/20\/pareto-principle-how-to-use-it-to-dramatically-grow-your-business\/#3a19b8df3901\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">Pareto\u2019s Principle<\/span><\/a><span style=\"font-weight: 400;\">: What is the 20% of things you can test that will create 80% of the value of testing? Or to put it differently,\u00a0<\/span>take a <b>risk-based approach, choosing tasks that allow you to mitigate the aspects with the highest risk first.<\/b><span style=\"font-weight: 400;\"> In this post, I\u2019ll show you an activity for doing this analysis using a risk matrix for software testing.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Risk_Matrices\"><\/span><strong><span style=\"color: #00b674;\">Risk Matrices<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Risk is composed of two factors: the probability of something happening and the (negative) business impact that it would have. So, if we draw it in a matrix, we will be able to distinguish zones according to risk, where the extremes will be:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><b>Very likely, high impact: <\/b><span style=\"font-weight: 400;\">We must test it! <\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Unlikely, high impact<\/b><span style=\"font-weight: 400;\">: We should test it.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Very likely, low impact<\/b><span style=\"font-weight: 400;\">: If there is time, we could test it.<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Unlikely, low impact<\/b><span style=\"font-weight: 400;\">:<\/span><span style=\"font-weight: 400;\"> If we want to throw money down the drain, we&#8217;ll test this. 
That is, the test is\u00a0too expensive\u00a0for the value it provides.\u00a0So, we won\u2019t test it.<\/span><\/li>\n<\/ol>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-24-at-3.52.12-PM-min.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-9689\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-24-at-3.52.12-PM-min.png\" alt=\"basic risk matrix\" width=\"407\" height=\"316\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">(<\/span><a href=\"https:\/\/eight2late.wordpress.com\/2009\/07\/01\/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">image source<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is associated with the <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/MoSCoW_method\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">MoSCoW method<\/span><\/a><span style=\"font-weight: 400;\">: Must (high probability and impact), Should (high probability, medium impact), Could (medium probability, low impact), Won\u2019t (low probability and impact). 
The <\/span><span style=\"font-weight: 400;\">following image<\/span><span style=\"font-weight: 400;\"> shows a matrix to conduct a risk analysis with this method (and no, it is not in the same order as the previous matrix):<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-24-at-3.50.51-PM-min.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-9688\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-24-at-3.50.51-PM-min.png\" alt=\"MoSCow Method Matrix\" width=\"592\" height=\"397\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">(<\/span><a href=\"http:\/\/benjacobs.io\/work\/byron-hamburgers\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">image source<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can also go for a more refined version of the matrix<\/span><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Updated-Risk-Matrix-min.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-9687\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Updated-Risk-Matrix-min.jpg\" alt=\"complex risk matrix\" width=\"498\" height=\"261\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><span style=\"font-weight: 400;\">(<\/span><a href=\"https:\/\/www.pivotpointsecurity.com\/blog\/using-matrix-models-for-risk-assessment\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">image source<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_to_Make_Your_Very_Own_Software_Testing_Risk_Matrix\"><\/span><strong><span style=\"color: #00b674;\">How to Make Your Very Own Software Testing Risk Matrix<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span 
style=\"font-weight: 400;\">Here are the steps to make your own software testing risk matrix in order to lay out a solid testing plan:<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><strong>#1<\/strong> &#8211; Think about the factors that affect the probability of an incident or bug appearing. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The complexity of the solution<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Dependence on external systems<\/span><\/li>\n<\/ul>\n<p><b>#2 \u2013<\/b> <span style=\"font-weight: 400;\">Think about the factors that generate a negative impact on the business if the functionality has problems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Functionalities that operate with sensitive data<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Most used features<\/span><\/li>\n<\/ul>\n<p><b>#3 \u2013<\/b> <span style=\"font-weight: 400;\">Then, you can apply this method in different ways, thinking about the testing techniques to apply or the functionalities to be tested, etc. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, you can place the different functionalities or put &#8220;security tests&#8221;, &#8220;performance tests&#8221;, etc. in the different quadrants. It could also be applied to decide which features will need which types of tests. 
Another example\u00a0is using it to define how much time you should devote to exploratory testing for each functionality.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here is an example of how we like to set up our matrix at Abstracta, in which the quadrants are arranged according to risk, and we incorporate the MoSCoW technique:<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/photo-5.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-9692 size-large\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/photo-5-1024x768.jpg\" alt=\"software testing risk matrix with MOSCoW\" width=\"1024\" height=\"768\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Something we have found interesting is that, from this risk matrix, the Definition of Done (DoD) could be separated out, distinguishing different DoDs according to the criticality of the user story\/functionality. Then, for some stories labeled category 3 (the \u201cCoulds\u201d), certain types of tests may be defined, how much automation coverage is needed, etc. 
Then, for another item categorized as a 1 (\u201cMust\u201d), there will be a different DoD, with other associated tasks that are more demanding in terms of quality control.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This technique can also be very useful for a retrospective, focusing on quality tasks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Have you used the software testing risk matrix, or the similar yet different <a href=\"https:\/\/www.softwaretesttips.com\/requirements-traceability-matrix\/\" target=\"_blank\" rel=\"noopener noreferrer\">requirements traceability matrix<\/a>, before?<\/span><\/p>\n<hr \/>\n<h2><span class=\"ez-toc-section\" id=\"Recommended_for_You\"><\/span><strong>Recommended for You<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"http:\/\/abstracta.us\/blog\/software-testing\/the-software-testing-wheel\/\">The Software Testing Wheel<\/a><br \/>\n<a href=\"https:\/\/abstracta.us\/blog\/devops\/much-talk-around-devops-culture\/\">Why So Much Talk Around DevOps Culture?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So much to test, so little time? Here&#8217;s how to create a software testing risk matrix for maximum results. When it comes to testing software, it can be a bit overwhelming when you get started. One resource that one can turn to is the software&#8230;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[636],"tags":[251],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.0.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Software Testing Risk Matrix | Abstracta<\/title>\n<meta name=\"description\" content=\"To know what aspects of your software should be tested first, we&#039;ll show you how to create a software testing risk matrix. 
Get the most out of testing!\" \/>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Software Testing Risk Matrix | Abstracta\" \/>\n<meta property=\"og:description\" content=\"To know what aspects of your software should be tested first, we&#039;ll show you how to create a software testing risk matrix. Get the most out of testing!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/AbstractaQA\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-25T00:13:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-05T21:20:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Copy-of-steve-jobs-2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"560\" \/>\n\t<meta property=\"og:image:height\" content=\"315\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@fltoledo\" \/>\n<meta name=\"twitter:site\" content=\"@AbstractaUS\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/abstracta.us\/blog\/#website\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\",\"description\":\"AI-powered quality engineering\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/abstracta.us\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/01\/Screen-Shot-2018-01-24-at-3.52.12-PM-min.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/#webpage\",\"url\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/\",\"name\":\"The Software Testing Risk Matrix | Abstracta\",\"isPartOf\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/#primaryimage\"},\"datePublished\":\"2018-01-25T00:13:11+00:00\",\"dateModified\":\"2025-05-05T21:20:36+00:00\",\"author\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/7421e539de0357d3adb0c69ed469a1c2\"},\"description\":\"To know what aspects of your software should be tested first, we'll show you how to create a software testing risk matrix. 
Get the most out of testing!\",\"breadcrumb\":{\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/\",\"url\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/\",\"name\":\"Testing Strategy\"}},{\"@type\":\"ListItem\",\"position\":3,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/\",\"url\":\"https:\/\/abstracta.us\/blog\/testing-strategy\/software-testing-risk-matrix\/\",\"name\":\"Risk-Based Testing: The Software Testing Risk Matrix\"}}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/7421e539de0357d3adb0c69ed469a1c2\",\"name\":\"Federico Toledo, Chief Quality Officer at Abstracta\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6de7ec6536c4028b5c02ad4ec1b9af0d?s=96&d=blank&r=g\",\"caption\":\"Federico Toledo, Chief Quality Officer at Abstracta\"},\"description\":\"Co-founder and COO of Abstracta\",\"sameAs\":[\"https:\/\/twitter.com\/fltoledo\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/9686"}],"collection":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/comments?post=9686"}],"version-history":[{"count":19,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/9686\/revisions"}],"predecessor-version":[{"id":14220,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/9686\/revisions\/14220"}],"wp:attachment":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/media?parent=9686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/categories?post=9686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/tags?post=9686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}