Risk Analysis in Software Testing

At the upcoming Better Software Conference & Expo (http://www.sqe.com/BetterSoftwareConf/) I will be delivering a 4-hour tutorial titled "Quantitative Techniques in Software Management". One of the topics in the tutorial shows attendees exactly how to perform risk analysis.

One of the most important activities in software testing is Risk Management. Risk Management has three phases: Risk Identification, Risk Analysis, and Risk Control. Risk Identification is where you list things that can go wrong with your software testing effort. Risk Analysis is where you determine how likely each risk is, estimate the impact of each risk, and compute a priority for each risk. Risk Control is where you plan what to do for each risk.

Here's a simplified example from the tutorial. Suppose you identify three risks: Risk A, Risk B, Risk C. You decide to categorize risk likelihood on a three-point scale (low, medium, high). You decide to categorize risk impact on a two-point scale (low, high). Suppose you determine that Risk A has high likelihood but low impact. Risk B has low likelihood but high impact. Risk C has medium likelihood and high impact. What are the normalized priorities for each risk?

Using Rank Sum Weights, Risk A has normalized priority = 0.5000 * 0.3333 = 0.1667. Risk B has priority 0.1667 * 0.6667 = 0.1111. Risk C has priority 0.3333 * 0.6667 = 0.2222. Therefore Risk C has the highest priority, followed by Risk A, then Risk B.

The Better Software Conference & Expo runs from June 9 – 12, 2008, in Las Vegas. There are many excellent speakers and topics this year; check it out.
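The Rank Sum Weights calculation above, generalized to scales of any size, as an added example that is not from the original post or the tutorial. It assumes the standard rank sum formula (the level at position r, counted from the lowest, on an N-point scale gets weight r / (1 + 2 + ... + N)); the function names and the `RISKS` structure are illustrative.

```python
from fractions import Fraction

def rank_sum_weights(levels):
    """Map each level of an ordinal scale (listed lowest to highest) to its
    rank sum weight: position / (1 + 2 + ... + N). Weights sum to 1."""
    if len(set(levels)) != len(levels) or not levels:
        raise ValueError("scale must be a non-empty list of distinct levels")
    n = len(levels)
    total = n * (n + 1) // 2
    return {level: Fraction(pos, total) for pos, level in enumerate(levels, start=1)}

def prioritize(risks, likelihood_scale, impact_scale):
    """Return [(risk name, priority)] sorted from highest to lowest priority,
    where priority = likelihood weight * impact weight."""
    lw = rank_sum_weights(likelihood_scale)
    iw = rank_sum_weights(impact_scale)
    scored = []
    for name, (likelihood, impact) in risks.items():
        if likelihood not in lw or impact not in iw:
            # A rating outside the agreed scale is a data-entry error, not a zero.
            raise ValueError(f"{name}: rating not on the scale")
        scored.append((name, lw[likelihood] * iw[impact]))
    # Ties are broken by name so the ordering is deterministic.
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored

# The three risks from the post: (likelihood, impact).
RISKS = {
    "Risk A": ("high", "low"),
    "Risk B": ("low", "high"),
    "Risk C": ("medium", "high"),
}
LIKELIHOOD_SCALE = ["low", "medium", "high"]   # three-point scale
IMPACT_SCALE = ["low", "high"]                 # two-point scale

if __name__ == "__main__":
    for name, priority in prioritize(RISKS, LIKELIHOOD_SCALE, IMPACT_SCALE):
        print(f"{name}: {float(priority):.4f}")
```

Using exact fractions avoids the rounding that accumulates when the four-decimal weights are multiplied by hand; convert to decimals only for display.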