I have seen Risk-Based Testing treated like a formality and like a real craft. One produces green statuses, the other produces confidence people can explain.
My checklist for Risk-Based Testing is not meant to turn testing into box-ticking. It exists so pressure does not erase the few important questions that protect matching depth of testing to impact, change size, and uncertainty. It gets expensive when the team spends equal energy everywhere and still misses the one area that could truly hurt users.
A good checklist keeps important risk visible when the room gets busy.
Before I Start
- Make the change area explicit
- Write down the most expensive failure in one sentence
- Confirm which teams trying to move fast without gambling blindly should review open risk
- Choose the environment that will tell the truth fastest
During the Check
- Exercise the normal path that should protect matching depth of testing to impact, change size, and uncertainty
- Run an awkward-path example based on a low-traffic admin tweak gets more attention than the payment flow it can accidentally break
- Watch for mismatches between visible success and hidden state
- Capture the one detail that will matter during sign-off later
Before I Close the Work
I finish by asking whether the evidence would still make sense to someone who was not present during testing. For this topic, the evidence I want usually looks like risk ranking, change analysis, and an explicit reason for what is out of scope.
If the answer is yes, the checklist did its job. If the answer is no, I am not done yet. That is usually when confidence becomes visible enough to share, not just feel.