Risk Identification in Cloud-based Software Development Projects

Risk Management in Software Development Projects

Managing project risks is a usual area of responsibility for any project manager. It makes sense, anyway to recall the main definitions of the risk before discussing any specifics related to the cloud software projects.

According to the ISO 31000:2009, risk is "the effect of uncertainty on objectives".

PMBOK's definition is "Risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on the projects objectives."

So the risk is all about uncertainty and it's effect.

Does cloud nature add more uncertainty to the software development project?

Of course, cloud infrastructure itself has its own associated risks (most discussed are security risks in the public cloud, for example). However, I would like to look into the software development project's risks that are introduced when the software under development is intended to run in the cloud.

First of all there are two basic types of the clouds, risks for the projects relying on them are different let's consider the risks by type.

Risks introduced to the project by the private cloud 

Let's go through the main (in my opinion) uncertainty sources one by one. Each of them can introduce multiple risks.

1. Low "maturity level" of the in-house cloud infrastructure. How comfortable is the organization with its cloud infrastructure? Is this the first project to really rely on it?
2. Insufficient cloud skill level of internal IT stuff. Will it be possible to rely on IT specialists to resolve the possible problems?
3. Unknown/weak SLA. What are the real service levels for the cloud? Will it be enough to address the project goals?
4. Other cloud tenants' priority within the organization. Will your resource and communication needs  get enough priority for the project to succeed?

Risks introduced to the project by the public cloud 

Let's proceed with the public cloud, I have three specific points (again, each can mean multiple risks caused by it):

1. External CSP (Cloud Services Provider) dependency. Yes, after all this is a one more 3-rd party you depend upon. Public clouds blackouts are still possible, your link to the CSP is critical too.
2. Unclear costs, complicated calculations. Modern public clouds (like Amazon Web Services) are notorious for their hard to calculate prices (yet fully transparent post factum), so your budgeting can be not very easy.
3. Some unexpected limitations can apply. This can be any technical thing like allowed traffic amount for your load testing or CPU steal time for some server instance types.

Summary

Of course the level of the cloud risks is dependent on how confident you are in the cloud-related development skills of your team and the cloud infrastructure you use. Yet it looks like for the private cloud risks are mostly dependant on the level of the cloud adoption/maturity within the organization, so if this is not the first project relying on the same private cloud, chances are much higher. For the public cloud experience matters too, but part of the risks is fully external.

As soon as we can see the cloud uncertainty sources (to identify the cloud development risks), we can come up with the plan how to mitigate them. The risk management plan should address those cloud risks and further they should be monitored and kept under control.