What is the difference between a cloud risk analysis and a product risk analysis? I’ve tried to create this list to show what the differences are:
- The result of a cloud risk analysis is a 3D model of the risks. It gives insight into the damage and chance of failure per characteristic, object part and layer.
- There is a larger number of stakeholders: for IT, the enterprise architects, the owner of the cloud layer and 3rd party service suppliers; for the business, Marketing and the end users of the services.
- Within clouds, a service is the relevant object part as a part of a business process. Functionality, for example, is no longer formed by a number of subsystems but by services. The characteristic functionality can be subdivided into the various services and the totality of the object parts is the business process. The same reasoning applies to the remaining characteristics. To get a complete overview of all services and business processes, which fall within the scope of the cloud project, the object parts are arranged by characteristic in a table.
- Agreements on what are and what aren’t standard services (step 3). These standard services are not tested separately, but only in the end-to-end test. The 3rd party service supplier can be required to comply with a Statement of Work (SoW) in which the expected quality of the service is agreed upon. The use of Quality Gates can help in getting transparency in the quality of the service.
- Functional testing is of lesser importance. Because the supplier approves the functional requirements of the standard services, functionality carries less risk. Non-functional requirements, however, are not sufficiently covered in the supplier's tests. Testing the integration of the standard services in the cloud has priority, for example performance, security and integration testing. Non-functional requirements should get a higher risk class than functional requirements.
- Chain risks are always determined in a cloud project. Because a cloud consists of multiple layers, they should always be tested at least once in an end-to-end test.
- Because of the greater complexity and the dependence on standard services, the risk classes High, Medium and Low are not always sufficient. A more empirical way of expressing risk classes is preferred, for example numbers.