Risk-based quality management is a new approach to risk mitigation in the end-to-end quality effort which has a critical linkage to requirements and requirements traceability.
In developing requirements, you have to consider both the business and the IT risk of implementing new capabilities. The notion of being able to capture both dimensions of risk, by requirement, provides a powerful way to evaluate the criticality of the functionality to the business. If you look at each requirement individually and assess the type of process it represents (e.g. new functionality), the frequency of use, the number of users affected by the features, the impact to the business if that requirement fails, and the probability of failure, you can arrive at an objective assessment of the priority/risk associated with that requirement.
What would that allow you to do? Understanding the priority/risk associated with each requirement enables you to drive the right focus in the development/ validation effort. The weighting provides you the ability to make the right tradeoffs and channel your activities to ensure that the development, testing and validation resources are prioritized against the highest-risk, highest priority requirements for the business.
If you have an integrated system for tracking your testing efforts and you build and track your experience over time, you’ll also know how much time it takes you to test various requirements. Imagine how powerful it would be to balance the limited resources and time you have available for testing against that prioritized set of business requirements to ensure you have optimized your testing time and resources while minimizing business risk.
Equally important, when you consider the lifecycle of an application, it begins it’s “second life” when you put the application into production, link it to other applications and begin maintaining the application during the operations phase.
With risk-based quality management, you can unlock a new opportunity after the initial application deployment, while the application is in production. Requirements traceability is a critical capability to provide visibility to all of the tests, test assets, defects and related requirements associated with any individual requirement. By identifying which requirements are touched by the application when it changes and the risk levels associated with those requirements, combined with a profile of how long the quality cycle takes, you can build intelligence into your quality process and to enable process improvement throughout the lifecycle of the application.
For example, you can evaluate what has changed in an application and find that it touches a dozen requirements, four out of five of which are high-risk, high-priority requirements. Depending on the level of risk the business can tolerate and the amount of time you have for validation, you can develop a fairly precise estimate of how long a test cycle will take and where to focus your efforts. This allows you to pull together the critical information that project managers, QA directors and developers have needed for years.
Capturing an objective assessment of risk, tying requirements to downstream activities and pulling it into a set of integrated information across the application lifecycle gives you a level of visibility and estimation that was never possible before. This is the value of risk-based quality management.
4 responses so far ↓
1 William Makwinja // Jan 2, 2010 at 2:07 pm
I am in the process of writing a thesis for a University of Wales MBA and my chosen topic is “Risk Based Quality in Large projects in South Africa”. My background is in Aerospace and Defence. This background exposed me to requirement traceability matrixes and a lot of tools including DOORS, etc. I have also used critical levels (DO 198) to determine software development quality activities for commercial airborne software systems. Your article, though short cuts across all these and I believe that it is the way to go. I am very impressed with it and will certainly mention it in my thesis. I only wish you had expanded a lot more on the subject.
2 Tracy DeDore // Jan 12, 2010 at 3:28 pm
Hi William,
Thanks for the good news! I have much more data in this area if you are interested.
One reference is a whitepaper that is available on requirements.net: http://www.requirements.net/content/?id=36
We used to also have some recorded webinars out there but they’ve been archived off by now. Worst case, I have the script from one of the webinars from which I pulled a subset for the blog if you would be interested in that.
Best,
Tracy
3 William // Jan 31, 2010 at 2:56 pm
Tracy,
Thanks for the information. For some reason I could not link to this site until this afternoon.
Yes, I would be interested in any other information you have. I fi nd that there hasnt been much written about the topic amongst the journals I have access to.
Regards
William
4 Andreas Rønning // Feb 19, 2010 at 4:13 am
Hi,
I am also in the process of writing a thesis on this subject. It is called Risk Based Quality Monitoring in Projects and my focus are large scale development projects executed by Statoil ASA, a leading engergy corporation in the oil and gas industry. I appreciate this article as it is very relevant for my studies and will mention it in my work.
I was wondering if you have any experience in the application of risk based quality strategies in construction projects with high technology requirements, such as subsea systems for oil and gas production. There are certainly a lot of risk in such projects but it seems to me that the industry itself has not been able to establish a framework for the link to quality management. Can you suggest further reading on this subject?
It seems to me that the software industry has realized the potential in risk based quality management. I don’t see why construction industry should be any different.
Best regards,
Andreas Rønning
Stud.techn. NTNU - IPK
Leave a Comment