Bit of background first. At my new organisation, the current policy is that any risk & impact assessment for a change should be performed by the BA in concert with the developer doing the work, liasing with architecture where appropriate.

A new BA lead has joined and is now proposing that the risk and impact analysis is performed by QA after testing has begun.

Aside from making absolutely no sense at all, could someone with knowledge of PRINCE2 let me know where this suggests this kind of analysis should occur in the process? The guy quotes PRINCE2 like it's scripture and my understanding was this advocated pre-dev analysis too!