Why can defect metrics create behavioral risk?

author: Verified Expert

• Related article: cia-software-defect-root-cause-controls-map
• Related question-bank placeholders: ["quality-metric-behavioral-risk", "recurring-defect-remediation"]
• Question: Why can defect metrics create behavioral risk?
• Question detail:
• Management tracks defects by developer and wants to use those counts for accountability. Why might that be risky?
• Answer:
• Metrics influence behavior. If defect counts are used mainly to blame individuals, people may avoid difficult work, underreport issues, delay logging defects, overestimate tasks, or spend time arguing about attribution instead of fixing root causes.
• Internal audit should ask whether the metric supports the control objective. A better metric set may track severity, recurrence by defect class, escaped defects, test coverage, age of unresolved defects, root-cause themes, and whether remediation actions prevent repeat issues.
• The point is not to remove accountability. The point is to align accountability with the process that produces quality.