Risk Mapping

Developing a strategic approach to risk and mitigation planning.

The Quality Engineering Sub-Department helps facilitate the risk mapping process. This requires the participation of Product Management, Development, UX, and the Quality team to develop a strategic approach to risk and mitigation planning.

Goals

Utilise the Risk Map as a tool to:

  • Understand the risks the counterpart team faces
  • Increase transparency on mitigation plans
  • Effectively allocate limited resources
  • Collaborate strategically in improving Quality

Risk Management

Risk Management is the process of identifying risks and their impact to all areas of the business and the organization. Identifying these risks could greatly assist teams in making and carrying out decisions that will minimize their adverse effects. By focusing attention on the risks and committing the necessary resources to control and mitigate them, a team will better protect itself from uncertainty as well as increase product stability, quality and performance.

The Risk Management cycle consists of six phases:

  • Awareness
  • Identification
  • Evaluation
  • Control
  • Implementation
  • Monitoring

How to build a Risk Map

General Risk Map

To raise awareness and start identifying risks, first create two lists - Areas and Facets. Example:

Area
Team
Product
Infrastructure
UX
Quality
Community
Customers
Facet
Expertise
Performance
Test Coverage
Migrations
Scalability
Stabilility
Experience
Data

Combine Areas and Facets to produce a table where each cell is an associated risk. Example:

Areas Team Product Infrastructure UX Quality
Facets —— —— —— —— —— ——
Expertise Concentrated domain knowledge Insufficient SETs
Performance Burn out Often miss SLO/SLAs Outages Flaky tests
Test Coverage Test environment is hard to reproduce
Migrations Customers migrate with difficulties from previous product/platform Database migrations often causes outages
Scalability Downgrade of Quality efforts to meet demands

After naming the risks by integrating different Areas and Facets to help brainstorm, the next phase - Evaluation - requires understanding which impact it may cause and estimations on each risk’s impact level and probability of ocurrence. The product of these two dimensions will determine the risk’s score (the higher the score the higher the priority).

General Risk Map, an Example

Map key

  • Impact - what happens if the risk is not mitigated or eliminated
  • Impact level - Rate 1 (LOW) to 5 (HIGH)
  • Probability - Rate 1 (LOW) to 5 (HIGH)
  • Priority - Impact x Probability. Address highest score first.
  • Mitigation - what could be done to lower the impact or probability
Risk Area Risk Description Impact Impact level Probability Priority Mitigation
Team/Stability Burn out Low productivity and attrition 5 2 10
Team/Scaling Inefficient team member onboarding Prolonged low productivity 3 2 6
Team/Expertise Concentration of knowledge Missed SLO/SLA 4 3 12
Customer Broken promises Reduced GMAU 5 2 10
Customer Eroded trust with the community Fewer community contributions 5 1 5
Product/Scope Not enough knowledge about how the product is being used Reduced [METRIC] 3 3 9
Product/Scope Increase of security vulnerabilities due to having many different areas of the product Loss of confidence / revenue 5 1 5
Product/Data User metrics and activity metrics are incomplete and hard to track Inaccurate sensing data 4 3 12
Quality Downgrade quality to meet maturity targets Escaped bugs 5 3 15
Quality Uncertain test coverage Difficult to prioritise test effort 3 3 9
Feature/Performance Low performance due to _____ Low customer satisfaction, reduced [METRIC] 5 4 20
Feature/Testability Hard to drive real world test scenarios Escaped bugs 4 4 16
Feature/Dependencies Cross-group work not being prioritised in a timely manner Delayed deliverables, reduced customer satisfaction, reduced team productivity 3 3 9

Teams can iterate on this exercise by expanding it to their Product Categories or even to the Feature level, having a more granular understanding of the risks.

Risk Control

After evaluating the risk impact and probability, the Control and Implementation phases require to create mitigations for each risk in order to reduce the negative effects of its impact. Mitigations are strategies for planning work around the impact area. Some strategic ways to deal with risk are:

  • Risk avoidance - used when the consequences are deemed too high to justify the cost of mitigating the problem.
  • Risk acceptance - accepting a risk for a given period of time to prioritize mitigation efforts.
  • Risk transfer - allocates risks between different teams, consistent with their capacity to protect against or mitigate the risk.
  • Risk monitoring - keep track of projects and the associated risks for changes in the impact of the associated risks.

Tracking and monitoring risks and the work being done towards their mitigation is up to the team preferred workflow.

Risk Mapping Tool

The Risk Mapping Tool helps teams easily visualize risks and planned mitigations. Teams may implement this if desired to avoid having to manually create a risk map. It supports the risk mapping process which enables teams to be more transparent, collaborative and efficient when it comes to strategically improve overall quality in a productive way.

Setting up the Risk Mapping Tool is not a requirement, but may be helpful for quick visualizations of risk status. If metrics are in place to measure risk status, the Risk Mapping Tool can more easily expose these.

The Risk Mapping Tool belongs to the Projects maintained by Quality and could be a part of the Quad-Planning process feeding into the Test Engineering practices by facilitating the test planning process with an initial risk analysis.

To install the Risk Mapping tool, please follow the README instructions.

If desired, a team or group could also manually input these in a visual risk map. Here’s an example of a complete visual risk map.

Last modified June 27, 2024: Fix various vale errors (46417d02)