QA Module 01: Think Like a Risk Engine

1

The QA time pressure problem — and what it costs

There's a specific pressure most QA professionals in insurance delivery know intimately. The project is running late. The development team overran their sprint. UAT starts in two weeks. And the test team — which was scoped for six weeks of testing — now has four. Something gets cut. Usually it's edge cases, regression depth, and the less visible integration paths.

That's not a failure of QA professionalism. It's a structural problem with how testing gets resourced and scheduled in most delivery projects. But the consequences are real: defects that slip through into production, claims processed incorrectly, policy data corrupted, regulatory reporting that produces wrong numbers. In insurance, a testing gap isn't just a quality problem — it's a financial and compliance risk.

AI doesn't fix the scheduling problem. What it does is dramatically compress the time it takes to produce the analytical work of QA — test strategy development, risk identification, coverage analysis, test case generation — which means when you do have limited time, you're applying it to actual testing rather than to writing the documentation that describes what you're going to test.

❌ Traditional test strategy

1–2 days

Risk identification, coverage mapping, entry/exit criteria, environment planning — from a blank document under time pressure

✓ AI-assisted test strategy

2–4 hrs

AI generates the framework and risk landscape; you apply domain knowledge, validate against actual project context, and refine the coverage decisions

The right frame for QA AI assistance

AI makes you more thorough — and thoroughness is the entire job. A QA professional who uses AI to generate a comprehensive risk landscape isn't automating quality; they're ensuring that no significant risk area goes unconsidered under time pressure. The testing judgment — what to prioritise, how deep to go, what an acceptable risk means for this client in this regulatory environment — remains entirely yours.

2

Risk-based testing with AI — identifying what matters most

Risk-based testing is the professional standard — not testing everything equally, but identifying the areas where failure is most likely and most consequential and concentrating effort there. Most experienced QA professionals do this intuitively. AI makes it explicit, systematic, and fast.

For a Guidewire implementation, risk identification has specific dimensions that AI can work through comprehensively:

Risk dimension	What to look for in a Guidewire implementation	Typical risk level
Data migration accuracy	Policy data converted from legacy — wrong premium calculations, missing endorsements, incorrect effective dates, lapsed policies shown as active	High
Rating engine correctness	Rating factors, territory codes, discount logic, surcharge rules — wrong premium calculated for new or renewal quotes	High
Integration touchpoints	Claims ↔ Policy, Billing ↔ Policy, broker portal ↔ PolicyCenter, third-party MVR/credit/postal integrations	High
Regulatory compliance outputs	FSRA statutory filings, GISA reporting, policy document wording, required disclosure language on quotes and renewals	High
Business rule implementation	Underwriting rules, eligibility restrictions, payment plan logic, cancellation and reinstatement workflows	Medium
User workflow and navigation	CSR and broker portal workflows — can users complete core tasks without errors? Are validation messages clear?	Medium
Performance under load	Quote generation, batch renewal processing, end-of-day jobs — does the system perform acceptably under production volumes?	Medium
UI and document generation	Policy documents, renewal notices, certificates of insurance — correct data, correct wording, correct formatting	Lower

AI can generate a risk landscape like this for any specific implementation area in minutes — and more importantly, it can rank risks by likelihood and consequence and suggest where your testing effort should concentrate. What it doesn't know without you telling it: the specific decisions made in this client's design that increase risk in areas that are usually lower risk, the history of data quality issues in the legacy system, and the regulatory environment specific to this insurer's book of business.

Knowledge Check

You're building a test strategy for a Guidewire PolicyCenter go-live. You use AI to generate a risk assessment and it identifies 12 risk areas. The project manager tells you testing time has been cut and you need to prioritise. Which approach to prioritisation is most professionally sound?

Correct approach on both counts. AI's risk ranking is a useful starting framework but it doesn't know this specific project's risk profile — where the config is most complex, the data quality history, the regulatory exposure of this particular insurer's product mix. Your professional judgment shapes the final prioritisation. Equally important: documenting what you're not testing and getting that accepted by the PM and sponsor. When something slips through from a de-prioritised area, you need a formal record that the coverage decision was made with full stakeholder awareness — not just a verbal conversation.

Option 3 is the professional standard. AI ranking is a useful starting point but doesn't know the specific risk profile of this project. Blindly following AI prioritisation ignores your domain knowledge. Testing everything equally under time pressure means everything gets shallow coverage — usually worse than conscious prioritisation. Letting stakeholders determine testing priority without professional QA input is a coverage risk, not a governance solution. The key discipline: document explicitly what is and isn't being covered, and get that accepted formally so the decision has appropriate ownership.

3

Building the test strategy — structure, scope, and entry/exit criteria

A test strategy document serves two purposes: it guides the testing team's work, and it creates a formal record of the coverage decisions and quality standards applied to the project. In insurance IT, where regulatory audits can demand evidence of testing rigour, having a well-documented strategy matters beyond just the internal project value.

AI can produce a structured test strategy document from a project description in minutes. The strategic decisions — what constitutes acceptable quality, what risks the business will accept, what the entry and exit criteria should be — those remain yours and your stakeholders'. But the scaffolding that makes a strategy document comprehensive and consistent is something AI handles well.

Prompt — test strategy for a Guidewire PolicyCenter implementation

Role / context I'm a QA lead on a Guidewire PolicyCenter implementation for a mid-size Ontario P&C insurer. This is a migration from a 15-year-old custom policy admin system to PolicyCenter for personal lines (auto and home). Go-live is planned in 14 weeks. Testing phases: SIT (system integration testing), UAT, and regression before go-live.

Task Generate a test strategy document structure and draft content for the following sections: test objectives, scope and out-of-scope, test approach (phases and types), risk-based prioritisation rationale, entry and exit criteria for each phase, defect management approach, and test environment requirements.

Context — project specifics Key risks identified: data migration accuracy (converting 180,000 in-force policies), rating engine correctness (custom surcharge rules for Ontario auto), integration with existing ClaimCenter instance and a third-party broker portal. Regulatory: FSRA auto filing requirements apply. Out of scope for this phase: commercial lines, billing system migration (BillingCenter goes live in Phase 2). Team: 3 QA resources plus 2 business SMEs for UAT.

Format Structured document with headers. For entry/exit criteria: table format with criteria type, criterion description, and responsible party. Flag any section where I need to confirm specific details with project stakeholders before finalising. Keep language professional and suitable for client-facing use.

What you add before sending to the client

The AI-generated strategy will be structurally solid and cover the standard ground. Before it becomes a client deliverable, you add: the specific data quality findings from your initial migration assessment, any known constraints from the development team about what's testable in each environment, the agreed defect severity definitions for this client, and the exit criteria thresholds the business has actually signed off on. These come from your project knowledge — not from AI.

Knowledge Check

Your AI-generated test strategy includes the exit criterion: "95% of planned test cases executed with no open Critical or High defects at go-live." The business sponsor pushes back and says they want "100% of test cases executed." How should you respond?

Correct. Exit criteria are a professional and business decision that must be explicitly agreed — not a QA default or an AI recommendation. The right response is to explain the rationale (risk-based coverage beats raw case count), discuss what residual risk is acceptable, reach an agreed position, and document it with the sponsor's formal acceptance. This protects both the project and the QA professional: when something goes wrong post-go-live, the coverage decision was made with full stakeholder awareness, not unilaterally by QA. AI can help you draft the explanation — the conversation is yours.

Option 1 is the right professional response. Exit criteria must be formally agreed — silently accepting a stakeholder preference or ignoring the disagreement both create problems. The professional response is to explain the rationale, discuss acceptable residual risk, agree a documented threshold, and get formal sponsor sign-off. This isn't about overruling the sponsor — it's about ensuring they understand what they're signing off on. When something does go wrong post go-live, that documented agreement is what protects everyone.

4

Coverage analysis — finding the gaps before testing starts

One of the most valuable QA applications of AI is coverage analysis: given a set of requirements or a functional specification, what areas of the system are covered by the existing test cases — and what's missing? Doing this manually is painstaking and time-consuming. AI can do it in minutes and surface gaps systematically.

AI coverage analysis — from requirements to gap identification in minutes

Prompt — coverage gap analysis

Role / context I'm a QA lead reviewing test coverage for a Guidewire PolicyCenter personal auto quote and bind workflow. I have a functional requirements list and an existing test case suite.

Task Analyse the requirements I'll paste below against the test cases I'll provide. Identify: 1) requirements that have clear test coverage, 2) requirements with partial or weak coverage, 3) requirements with no test coverage at all, and 4) test cases that don't trace to any documented requirement (orphaned tests).

Requirements [paste requirements list here] Test cases: [paste test case list or titles here]

Format Four sections matching the four analysis areas. For uncovered requirements, rate the risk of leaving them untested (High/Medium/Low) based on the functional area. End with a recommended action list prioritised by risk level.

Knowledge Check

AI coverage analysis identifies that your test suite has no test cases covering the PolicyCenter integration with the third-party MVR (motor vehicle record) lookup service. This integration is used on every new auto quote. You have three days until SIT begins. What is the correct response?

Correct on all counts. An integration that fires on every auto quote with no test coverage is a critical gap — not something to quietly note and proceed with. Escalating to PM and tech lead is the right professional move. Using AI to rapidly generate test scenarios is exactly the right use of the tool in a time-pressured situation. The environment check is critical — you need to know if MVR responses can be mocked or simulated in SIT before designing cases around specific response scenarios. This is the integration between professional judgment (escalate immediately) and AI leverage (fast scenario generation) that defines good QA practice.

Option 4 is the right approach. An integration that runs on every auto quote is high-risk — a gap here means every new business quote could behave unexpectedly in production. Third-party integration is absolutely in QA scope — the integration point is what you're testing, not the third party's internal logic. Deferring to UAT means business users discover issues at UAT, which is late and expensive. Generating AI test cases without checking what's testable in the SIT environment could produce cases that can't actually be executed. Escalate, then plan the testing with environment constraints in mind.

5

Module summary

✅

Risk-based thinking with AI

AI generates a comprehensive risk landscape fast. You apply project-specific knowledge — design complexity, data quality history, regulatory exposure — to produce the final prioritised risk register that guides coverage decisions.

✅

Test strategy scaffolding

AI produces structured test strategy documents from project descriptions. You add the project-specific details, agreed exit criteria, and client context before it becomes a deliverable. Document what isn't being tested — formally.

✅

Coverage gap analysis

Paste requirements and test cases into AI for systematic gap identification. Act on critical gaps immediately — escalate, generate scenarios, confirm what's testable in the available environment. Never silently accept a critical coverage gap.

✅

Exit criteria ownership

Exit criteria are professional and business decisions — not AI recommendations. Get them explicitly agreed, formally documented, and accepted by sponsors before testing begins. That documentation protects you when hard go/no-go conversations happen.

Ready for Module 02

Module 02 — Test Cases at Scale — moves from strategy into execution: generating comprehensive test case suites from requirements, writing effective test cases for complex Guidewire workflows, and using AI to ensure edge case and boundary condition coverage that time pressure usually sacrifices.

✓

Module 01 Complete

Think Like a Risk Engine is done. Continue to Module 02: Test Cases at Scale.

Back to Pathway Continue to Module 02 →