Q21 of 38 · Test design
Explain risk-based prioritisation for choosing which test designs to apply.
Short answer
Score each area by likelihood of failure × business impact. Apply the most rigorous test design (decision tables, pairwise, combinatorial, stress) to the high-risk top tier; lighter techniques (smoke, EP/BVA) to mid-risk; almost nothing to low-risk. Document the choices so they're defensible.
Detail
This is risk-based testing applied at the test-design level rather than the test-execution level. The same risk model that decides "which tests to run" also decides "what test design rigor to apply".
The framework: for each feature or area, score likelihood (complexity, recency of change, history of bugs, dependency count) and impact (revenue, regulatory, data integrity, reputational). Risk = L × I.
Then map risk tiers to test design intensity. Fix the tier boundaries before scoring (for example, on a 1 to 5 scale where the product runs 1 to 25: 16 and above critical, 9 to 15 high, 4 to 8 medium, 3 and below low) so the tiering is mechanical rather than argued area by area:
| Risk tier | Likelihood × Impact | Test design |
|---|---|---|
| Critical | High × High | Decision tables, exhaustive combinations, property-based, race condition tests, fuzzing, security review |
| High | High × Mid or Mid × High | Decision tables or pairwise for combinations, EP/BVA on inputs, exploratory session |
| Medium | Mid × Mid | EP/BVA, smoke regression, error guessing |
| Low | Low × Low | Smoke only, deferred to ad-hoc / exploratory |
Worked example: a payments platform.
| Area | L | I | Risk | Test design |
|---|---|---|---|---|
| Payment authorisation | 5 | 5 | 25 | Decision tables for declined-by-issuer rules; race conditions; chaos for downstream timeouts; security/fuzz |
| Currency conversion | 3 | 4 | 12 | EP/BVA on amounts; decision table for currency pair rules; targeted exhaustive on supported currencies |
| Receipt email | 1 | 2 | 2 | Smoke render + 2 locales; defer i18n exhaustive |
| Admin dashboard search | 1 | 1 | 1 | Smoke; defer test design effort |
That table is the test design plan — it tells the team what to invest in and what to skip, with the rationale visible.
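The scoring and tiering above, carried through as a small planner. This is an added example, not code from the original page: the driver names come from the framework paragraph, the tier-to-technique mapping from the table, and the driver scores for the four payments areas are constructed to reproduce the L and I values shown; the numeric tier floors (16/9/4) and the rule that the worst driver sets the L and I score are assumptions of this example.

```python
"""Risk-based test design planner.

Added example, not code from the original page. It scores each area's
likelihood and impact drivers (1 to 5), takes Risk = L x I, maps the score to
a tier using threshold values that are an assumption of this example, and
emits the test design plan as a table.
"""
from dataclasses import dataclass, fields

# Tier floors on the 1..25 product scale. Assumption: the mapping table gives
# High x High / Mid x Mid qualitatively but no numeric cut-offs.
TIER_FLOORS = [(16, "Critical"), (9, "High"), (4, "Medium"), (1, "Low")]

# Tier -> test design techniques, following the mapping table above.
TIER_DESIGNS = {
    "Critical": ["decision tables", "exhaustive combinations", "property-based",
                 "race condition tests", "fuzzing", "security review"],
    "High": ["decision tables or pairwise", "EP/BVA on inputs", "exploratory session"],
    "Medium": ["EP/BVA", "smoke regression", "error guessing"],
    "Low": ["smoke only"],
}


@dataclass(frozen=True)
class Area:
    name: str
    # Likelihood drivers, each scored 1 (low) to 5 (high).
    complexity: int
    recency_of_change: int
    bug_history: int
    dependency_count: int
    # Impact drivers, each scored 1 to 5.
    revenue: int
    regulatory: int
    data_integrity: int
    reputational: int

    def __post_init__(self) -> None:
        # Reject out-of-range scores: a typo here silently changes the tier,
        # which is exactly what a post-mortem would find.
        for f in fields(self):
            if f.name != "name" and not 1 <= getattr(self, f.name) <= 5:
                raise ValueError(f"{self.name}: {f.name} must be 1..5")

    def likelihood(self) -> int:
        # Assumption: the worst driver dominates. One hot spot (say, a freshly
        # rewritten module) makes failure likely regardless of the other drivers.
        return max(self.complexity, self.recency_of_change,
                   self.bug_history, self.dependency_count)

    def impact(self) -> int:
        # Same rule: a regulatory hit alone makes the impact high.
        return max(self.revenue, self.regulatory,
                   self.data_integrity, self.reputational)

    def risk(self) -> int:
        return self.likelihood() * self.impact()


def tier_for(risk: int) -> str:
    """Map a 1..25 risk score to a tier using TIER_FLOORS."""
    for floor, tier in TIER_FLOORS:
        if risk >= floor:
            return tier
    raise ValueError(f"risk score out of range: {risk}")


def build_plan(areas):
    """Return one row per area, highest risk first.

    Ties are broken by impact so that a rarely failing but catastrophic area
    is listed above an often failing but trivial one with the same product."""
    rows = []
    for a in areas:
        r = a.risk()
        t = tier_for(r)
        rows.append({"area": a.name, "L": a.likelihood(), "I": a.impact(),
                     "risk": r, "tier": t, "designs": TIER_DESIGNS[t]})
    rows.sort(key=lambda row: (row["risk"], row["I"]), reverse=True)
    return rows


def render(plan) -> str:
    """Render the plan as the markdown table the team reviews."""
    lines = ["| Area | L | I | Risk | Tier | Test design |",
             "|---|---|---|---|---|---|"]
    for row in plan:
        lines.append(f"| {row['area']} | {row['L']} | {row['I']} | {row['risk']} "
                     f"| {row['tier']} | {', '.join(row['designs'])} |")
    return "\n".join(lines)


# Constructed driver scores for the payments platform example; they reproduce
# the L and I values in the table above but are not real data.
PAYMENTS_AREAS = [
    Area("Payment authorisation", 5, 4, 5, 5, 5, 5, 5, 5),
    Area("Currency conversion", 3, 2, 3, 2, 4, 3, 4, 3),
    Area("Receipt email", 1, 1, 1, 1, 1, 1, 1, 2),
    Area("Admin dashboard search", 1, 1, 1, 1, 1, 1, 1, 1),
]

if __name__ == "__main__":
    print(render(build_plan(PAYMENTS_AREAS)))
```

Running it prints the same four rows as the worked example, now with the tier column filled in. One design point worth deciding explicitly when you adopt a model like this: a pure product treats 1 × 5 and 5 × 1 identically, so a low-likelihood but regulatory-critical area can land in the Medium tier. The impact tie-break above only orders such areas; if that outcome is unacceptable, add an explicit floor (for instance, impact 5 never drops below High) and record it in the plan so the choice is visible to the stakeholders who review it.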
Why this matters at senior level: defensibility (when a bug ships and the post-mortem asks "why didn't we catch it?", the risk tiering is the answer); stakeholder buy-in (publishing the model invites stakeholders to challenge tier assignments); avoiding waste (junior teams apply uniform rigour everywhere). The plan is only defensible while it is current: recency of change and bug history move, so re-score an area whenever it changes materially, otherwise the post-mortem will find a stale tier rather than a considered one.