"Where's your risk-based test plan?"

It's the spreadsheet. The one with fourteen tabs, colour-coded, last opened at the project kickoff and untouched since.

As a consultant for the last 20 years, I've watched "risk-based testing" curdle into exactly this: a document so thorough nobody reads it, updated once, then quietly abandoned the moment the sprint got real. We confused doing the paperwork with doing the thinking.

Here's the thing James Bach has been saying for decades, and his heuristic approach to risk-based testing nails it: risk is a way of deciding where to point your attention — not an artefact to maintain. The moment the register becomes the deliverable, you've lost the plot. You're now testing the spreadsheet.

A risk register nobody updates is like the fire evacuation map laminated to the office wall: reassuring, official, and completely irrelevant the second there's actual smoke.

So here's how to do it without the spreadsheet swallowing the work:

  • Ask two questions, out loud, with the team: what could go wrong here, and how badly would it hurt? That conversation is the artefact. Write down the answers, not a taxonomy.
  • Rank by exposure, not by how nervous something makes you. The scary-looking feature isn't always the risky one. The boring little payments change usually is.
  • Re-rank constantly. Last sprint's top risk is this sprint's regression test.
  • Keep it on a single page. If it doesn't fit on a postcard, it's fear with a header row, not a strategy.
  • Let testers follow the smell. The sharpest risk insight rarely comes from the matrix — it comes from someone who's been poking at the thing all afternoon.

Risk-based testing isn't a document you produce. It's a conversation you keep having.

What's the riskiest thing in your next release — and is it actually in the spreadsheet?

