Managing Risk and Quality In Today’s EconomyMargo VisitacionVice PresidentForrester Research

3Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Software Quality Assurance is as much

about business risk as it is about software

performance

4Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Agenda

• Why quality, why now

• Why should business drive QA?

• Dynamic QA – processes for the 21st century

• Today’s quality assurance organization

• How to prepare for adaptation and adoption

5Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Why Quality, Why Now?

• Poor software quality costs over $60B per year

• Finding, repairing defects = approximately 35% of project budget

• Developers generally find only about 50% of their own bugs

• Typical testing only finds 75% of potential defects

6Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Poor internal quality is a major contributor to high maintenance spending

33%

33%

67%

67%

2007*

2008

Source: Enterprise And SMB Software Survey, North America And Europe, Q3 2007*Source: Forrester Business Technographics September 2006 North American and European Enterprise Software Survey

Base: 680 North American and European enterprises*Base: 451 North American and European enterprises

“Approximately what percent of your software budget will go to new initiatives and projects versus ongoing operations and maintenance?”

7Entire contents © 2008  Forrester Research, Inc. All rights reserved.

•Customer tolerance for defects lower each year – quality can affect spending in the long term

•IT spending forecasts are being recast – and it’s not a pretty picture – absent quality can trend toward budget cuts in the wrong places

Why Quality, Why Now?

8Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Why Should Business Drive QA?

Drivers:

Reduced bandwidth compromises successReduced bandwidth compromises success

Meeting shifting market objectives – Meeting shifting market objectives – lower tolerance for wastelower tolerance for waste

Reduce frustration from IT “not getting it right”Reduce frustration from IT “not getting it right”

Business domain expertise trumps allBusiness domain expertise trumps all

9Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Business Drivers Require Greater Examination of Risk in QA Practices

►Internal quality: The way an application is constructed

►Will the application perform as required?

►Have we done everything to prevent security leaks?

►Have we considered liability?

►External quality: The way an application behaves

►Are we getting expected outputs?

►Is the application usable?

►Are we as defect-free as possible?

10Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Traditional QA Practices

From Quality Assurance Versus Quality Control, December 2004

11Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Agile Practices Take Development to the 21st Century

1 month

12Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Making Quality More Adaptable - Dynamic QA

Business determinesobjectives, sets

requirements

QA determines“testability”

CollaborativeDetermination

QualityCriteria

Continuous BuildsApplication Design and

Test Development

QA advises BAs & DEV on testing criteria

and quality thresholds

Integrated Quality

Processes

UATPost

Mortem

13Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Planning, Strategies and Resource Allocations

• Quality planning is more than determining what you’re going to test

– Business determines highest risks and values

– Include How, Why and Value

– Metrics, acceptance and performance criteria determined at kick off

– Analysis criteria for application lifecycle

• Strategies extend to resources

– Leverage internal IP

– Make best use of outsourcing

– Earlier analysis and inspections to bake quality in and optimize resource usage

14Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Key Actions in Dynamic QA

• Test management

– Test planning/strategies

– Analysis and quality design

– Resource planning and allocation

– Prioritization

– Risk adjusted testing

• Visibility

– Collaboration

– Defect and change management

– Expectations management

15Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Prioritization and Risk Adjusted Quality Processes

Taking a portfolio view of quality• Align emphasis with business objectives, technical

complexity• Prioritize based upon objectives, resources and risks• Ensure that processes include internal and quality • Metrics must show coverage, business

acceptance, value to stakeholders

• Risk measures must be prioritizedbusiness exposure, liability, complexityability to deliver• Business must sign off on risk levels at the test planning stage and validate at theacceptance stage• Test planning must be based upon risks to business and ability to support

Include risk assessments in making decisions about qualityTech Imp

H

H

M

Bus Imp

M

L

L L

M

Requirement

XXXX

XXXX

XXXX

XXXX

16Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Visibility and Collaboration

• Role appropriate dashboards

• Universally understood metrics

• Standard measures

• Relative contextual information

• Easy to access

• Code complexity

• Adherence to standards

• Defect removal efficiency

• Mean time to detect

• Mean time to repair

• Stakeholder quality

17Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Investing in Quality Can Reduce Risk, Cost and Raise Value

Average

• Defect Potential – 1.00 (Requirements)

• Average Defect Removal Efficiency – 85%

• Delivered Defects - .75 (per FP)

Best in Class

• Defect Potential – 0.40 (Requirements)

• Average Defect Removal Efficiency – 96%

• Delivered Defects - .13 (per FP)

• ROI - > $15 for every $1 spent

Capers Jones 2008

18Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Investing in Quality Can Reduce Risk, Cost and Raise Value

0

20

40

60

80

100

120

Requirements Code Operations

Cost to Repair

19Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Today’s QA OrganizationCharacteristics Description

Location

Reporting

Focus

Management

Make – up

Testers

More Mature – Development Organization or Operations/Service Delivery

To CIO or Head of Development Org. Peer to Development Mgmt

Increased Emphasis on Strategic Orientation – varied technical requirements

Shifting Skill Sets – Vendor, Relationship Mgmt

Leadership and IP – internalTesting resources –combination internal/outsourced

Increased technical expertise – testing requirements expanded

20Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Keys to Adoption

• Universal language

– Glossaries

– Process

– Hand-offs

– Internal/External quality

• Business context

– Risk

– Testability

– Usability

– Performance

• Automate the process to open doors

– Eliminate barriers wherever possible

– Test management tools are key

– Leverage integration with other tools to support collaboration

• Educate the executives

– What’s in it for them

– Include metrics

21Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Recommendations

• Make risk assessments part of test planning AND execution

• Encourage business to determine more than just requirements

• Empower QA to be active part of PROJECT lifecycle

• Raise the bar on QA career path to support risk and business driven testing

• Use tools to enable, not hide critical information

22Entire contents © 2008  Forrester Research, Inc. All rights reserved.

Thank you

Margo Visitacion

+1 856-334-8522

mvisitacion@forrester.com

http://www.forrester.com/rb/analyst/margo_visitacion

www.forrester.com

Achieve Insight. Deliver Excellence.

CAST Application Intelligence Platform

December 2008

CAST Application Intelligence Platform

Automated analysis of entire applications Immediate, unbiased quality assessment Executive level of synthesis & trending Drill down to root cause in the source code

Manage Risk at Less CostManage Risk at Less Cost

Transparency! Automated.

Analyzing the entire business application

Database

Data Management Layer EJB – Hibernate - Ibatis

DatabasesDatabasesFilesFiles

Web

Services

CICS Connector

Enterprise Applications

Legacy Applications

Middleware

Presentation Tier

Business Logic Tier

Data Tier

Only CAST can analyze thisOnly CAST can analyze this

Web / Client Server Applications ASP/JSP/VB/.NET

Application Logic Java, C++, … Frameworks Struts MVC, Spring

COBOLCOBOL

CICS Monitor (Cobol)

Tuxedo Monitor (C)

BatchShell Scripts

Deep structural analysis of software quality

Transferability

Changeability

Robustness

Performance

Size

Naming Conventions

Documentation

Architecture

Complexity

Package naming Class naming

Interface naming

Package comment

Class comment

Method comment

Package size

Class size (methods)Interface size

Class complexity (Inh. depth)

Class complexity (Inh. width)

Artifacts having recursive calls

Method complexity (control flow)

Maintainability

Security

ProgrammingPractices

File conformity

Dead code

Controled data access

Structuredness

Modularity

Encapsulation conformity

Empty code

Inheritance

Immediate ImpactImmediate Impact

Application Quality

On-Going ImpactOn-Going Impact

Ove

r 80

0+ a

rch

itec

tura

l an

d l

ang

uag

e-sp

ecif

ic c

od

e ch

ecks

Health FactorsQuality IndicatorsQuality Metrics Subset Application Quality

Multiple artifacts inserting data on the same SQL table

Coupling Distribution

SQL Complexity Distribution

Profile, assess, and benchmark applications and teams

Project #nProject #3

Project #2

Major global telecommunications company

230,000 employees, $100 billion revenue, 40 million accounts Billing & OSS Solutions

120 billion call records and 1 billion invoices per year Also, SAP, Siebel, all front end apps that power e-commerce sites

Running CAST one or two times per quarterly release Penalties in contracts based on CAST Aggregation of CAST metrics into C-level management dashboards

Parser Agent

Team #1

Team #2

Team #3

Team #4

Neutral & independent vendor unit is running the CAST AI Center for the customer

Project #1 • 150+ applications• 4 apps silos, with 50+ CAST consumers

plus management in each

CAST Dashboard

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

1.1 2.0 2.5

Vendor A

Vendor B

Vendor C

Vendor D

Vendor D facility

Insights for both buyers and vendors

Management visibility

Guidance for developer

• Ensure teams are working efficiently• Manage stability, security & project risks• Better relationships with outsourcers

• Ensure architectural compliance• Ensure projects are not at risk• Metrics – quality, quantity,

technical

• Immediate feedback regarding code qualityInternal and Outsourced Teams

Division CIO and VP, Apps Delivery

Project Managers, Architects and Quality Assurance

Java developers .NET developers DBAs

Solution Information What IT constituents need

Overall team and application KPIs

Overall team and application KPIs

Measure of conformance to standards &

architecture

Measure of conformance to standards &

architecture

Identify specific application

quality issues

Identify specific application

quality issues

Identify code-level style

and quality issues

Identify code-level style

and quality issues

CAST AIP

Q & A