Scrolls
21 min read
On this page

Quality Management

Quality Management

You're going to hear people say "quality is QA's job." That's one of the most dangerous beliefs a team can hold. As a team leader, you are the person who sets the quality bar. Your team will rise — or sink — to whatever standard you actually enforce. Not the standard you talk about. The one you enforce.

Let's walk through what quality management looks like in practice.

Quality is Everyone's Job

Here's the mindset shift: quality isn't a phase. It's not something that happens after development, when someone in QA runs through a test plan. Quality is baked into every decision your team makes — how you write a ticket, how you design a solution, how you write code, how you review it, how you deploy it, how you monitor it after.

When a bug reaches production, the instinct is to ask "how did QA miss this?" The better question is "how did we build this in the first place?" Maybe the acceptance criteria were vague. Maybe the developer didn't think about the edge case. Maybe the reviewer rubber-stamped it. Maybe there were no automated tests. Quality broke down somewhere upstream of QA, and it almost always does.

Your job as TL is to make quality a shared value, not a gate. Everyone on the team should feel ownership over the quality of what they ship. That means:

  • Developers write tests for their own code
  • Reviewers actually review, not just approve
  • The team discusses edge cases during planning, not after a bug report
  • Everyone understands what "done" means (we'll get to that)

You set this tone. If you let sloppy PRs through because you're in a rush, your team learns that sloppiness is acceptable. If you consistently ask "what about this edge case?" or "where are the tests for this?" your team starts asking those questions themselves.

Code Reviews

Code reviews are one of the highest-leverage activities your team does. They serve three purposes, and most people only think about one of them.

1. Catching bugs. Yes, reviews catch bugs. But honestly, this is the least important function. Automated tests should catch most bugs. Reviews catch the things tests can't — logic errors, misunderstood requirements, architectural problems.

2. Knowledge sharing. This is the big one. When someone reviews code in a part of the system they don't usually touch, they learn. When they see how a senior engineer structured a solution, they learn. Code reviews are your single best tool for spreading knowledge across the team and reducing bus factor.

3. Maintaining standards. Reviews enforce consistency. Naming conventions, patterns, architectural decisions — these stay consistent because someone is looking at every change and saying "we do it this way here."

How to Do Reviews Well

Be timely. This is non-negotiable. If your team's PRs sit in review for two days, you've killed velocity. A PR that sits in review is work that's started but not finished — it's inventory, and inventory is waste. Aim for reviews started within a few hours, completed within a day.

Set the expectation: when a PR is ready for review, it goes to the top of the queue. Not "I'll get to it after I finish this feature." Reviewing is part of the work.

Look at the right things. Don't nitpick formatting (automate that with linters). Focus on:

  • Does this solve the right problem?
  • Is the approach sound? Would a simpler solution work?
  • Are there edge cases not handled?
  • Are there tests? Do they test the right things?
  • Will the next person who reads this code understand it?
  • Are there performance implications?
  • Does this match the team's patterns and conventions?

Give feedback that teaches. There's a huge difference between "this is wrong" and "this works, but here's a pattern that handles the edge case better — [link to docs or example]." The best review comments explain why, not just what.

Some practical tips:

  • Phrase suggestions as questions when possible: "Have you considered using X here?" is better than "Use X here."
  • When you see something done well, say so. "Nice approach to handling the retry logic" costs you nothing and reinforces good work.
  • Distinguish between blocking issues and suggestions. Use a convention — many teams prefix with "nit:" for non-blocking suggestions and "blocking:" for things that must change.
  • If a PR needs significant rework, have a conversation instead of leaving 40 comments. Jump on a call, talk it through, then have the author revise.

PR size matters. Large PRs get bad reviews. It's human nature — when someone opens a 1,500-line diff, they skim. When they open a 150-line diff, they actually read it. Encourage small, focused PRs. If a feature is big, break it into a series of smaller PRs that build on each other.

Testing Strategy

The testing pyramid is one of those concepts that everyone knows and almost no one follows. Here's the shape and why it matters:

        /  E2E  \          ← Few: slow, brittle, expensive
       /----------\
      / Integration \      ← Some: moderate speed, moderate cost
     /----------------\
    /    Unit Tests     \  ← Many: fast, cheap, reliable
   /--------------------\

Unit tests (the base). These test individual functions, methods, or components in isolation. They're fast — you should be able to run hundreds in seconds. They're cheap to write and maintain. They give you precise feedback: "this function broke." You want a lot of these.

Integration tests (the middle). These test how components work together. Does your API correctly talk to the database? Does your service correctly call the external API? These are slower and more complex to set up, but they catch a category of bugs that unit tests can't — the "each piece works fine individually but they don't work together" bugs.

End-to-end tests (the top). These test the full user journey. Open the browser, click buttons, fill forms, verify results. They're slow, expensive to maintain, and brittle (they break when the UI changes even if nothing is actually wrong). You want few of these, covering your most critical user paths.

Why the Pyramid Shape Matters

If you invert the pyramid — lots of E2E tests, few unit tests — you get a test suite that's slow, fragile, and expensive to maintain. Your CI takes 45 minutes. Tests fail randomly because of timing issues. Developers stop trusting the tests and start ignoring failures. That's worse than having no tests at all, because you have all the cost and none of the benefit.

When to Automate vs. Manual Test

Automate anything that:

  • You'll run more than a few times
  • Is regression-prone (it broke before, it'll break again)
  • Is tedious and error-prone for humans (checking 50 form validation rules)
  • Needs to run on every commit

Keep manual testing for:

  • Exploratory testing (poking around to find things you didn't think to test)
  • UX and visual review (does this actually look right and feel right?)
  • One-off verification of complex scenarios
  • Usability — automated tests can't tell you if the flow is confusing

A good rule of thumb: manual testing finds new bugs, automated testing prevents old bugs from coming back.

Definition of Done

"Is this ticket done?" might be the most loaded question in software. Without a clear definition, you'll get a range of answers:

  • "I pushed the code" — that's code complete, not done
  • "It passed QA" — closer, but is it deployed?
  • "It's in production" — better, but is anyone watching it?

Your team needs a shared, explicit Definition of Done. Write it down. Put it somewhere visible. Here's a solid starting point:

  • Code is written and self-reviewed
  • Automated tests are written and passing
  • Code review is approved
  • QA has verified (if applicable)
  • Deployed to production
  • Monitoring confirms no errors or regressions
  • Documentation updated (if applicable)

The specifics will vary by team. The point is that everyone agrees. When someone moves a ticket to "Done," everyone knows exactly what that means.

Enforce it. When you see tickets moved to Done that don't meet the definition, move them back. Do it consistently and the team will internalize it. Let it slide and the definition becomes meaningless.

Acceptance Criteria

Vague tickets create vague implementations that create bugs, rework, and arguments about whether something "works." Clear acceptance criteria prevent all of that.

"As a user, I can reset my password" is a user story, not acceptance criteria. It tells you the what but not the how well. Good acceptance criteria answer the edge cases:

Weak:

As a user, I can reset my password.

Strong:

  • User receives a password reset email within 60 seconds of requesting it
  • The reset link expires after 24 hours
  • The reset link can only be used once
  • Password must meet complexity requirements (8+ chars, 1 uppercase, 1 number)
  • If the email doesn't exist in our system, we still show a success message (security: don't leak which emails are registered)
  • After 5 failed reset attempts from the same IP in 10 minutes, rate limit the requests
  • After successful reset, invalidate all existing sessions for that user
  • Show clear error messages for each validation failure

See the difference? The second version anticipates edge cases, error states, security concerns, and performance expectations. A developer working from the second version will build something much closer to what you actually need — the first time.

Writing good ACs takes practice. Involve your developers in the process. They're often the ones who think of edge cases that product doesn't. During refinement or planning, ask: "What could go wrong here? What happens if the input is invalid? What happens under load?"

Balancing Speed vs. Quality

"Should we ship fast or ship with quality?" is a false choice. It sounds like a trade-off, but the teams that ship the fastest are almost always the teams with the best quality practices. Here's why: rework is slow. Debugging production issues is slow. Hotfixes are slow. Context-switching between new features and firefighting is slow.

The way to ship fast with quality:

Small PRs. Smaller changes are easier to review, easier to test, easier to roll back if something goes wrong. A team doing 5 small PRs a day ships faster than a team doing 1 giant PR a week, and with fewer bugs.

Automated tests. They cost time upfront and save multiples of that time later. Every test you write is a bug you'll never have to debug in production at 2 AM.

Feature flags. Decouple deployment from release. Deploy code to production behind a flag, then turn it on gradually. This lets you deploy small changes continuously without exposing half-finished features to users.

Incremental rollouts. Roll out to 1% of users, then 10%, then 50%, then 100%. If something breaks at 1%, you've affected very few users and you can fix it before going wider.

CI/CD pipeline. Automate your build, test, and deploy process. If deploying is a manual, scary, multi-hour process, you'll deploy less often, which means bigger deployments, which means more risk. Make deploys boring.

The teams that truly move fast are the ones that can deploy confidently 10 times a day because they have the quality infrastructure to catch problems early.

Technical Debt Awareness

Technical debt is a useful metaphor, but only if you treat it like actual debt. Real debt has these properties: you take it on intentionally, you know how much you owe, and you have a plan to pay it back. Most technical debt in most codebases has none of these properties. It's more like accidentally dropping your credit card and someone else running up charges you don't know about.

Intentional debt is fine. "We're going to hardcode this for now because we need to ship by Friday. We'll make it configurable next sprint." That's a conscious trade-off. Write it down. Create a ticket. Put it in the backlog.

Unintentional debt is dangerous. "Why is this service so slow?" "Oh, three years ago someone put a database query inside a loop and nobody noticed." That's the kind of debt that compounds silently until it's a crisis.

Your job as TL:

  • Make debt visible. When your team takes shortcuts, acknowledge it explicitly. "We're taking on debt here. Let's make sure we track it."
  • Track it. Have a label or tag for tech debt tickets. Keep them in the backlog, not in someone's head.
  • Pay it down regularly. Dedicate some capacity every sprint to tech debt. 10-20% is common. If you don't proactively pay it down, it'll eventually force you to — in the form of outages, rewrites, and grinding slowdowns.
  • Communicate it upward. Your manager and product partners need to understand that debt exists and has consequences. "If we don't address the authentication service debt this quarter, we'll struggle to ship the SSO feature next quarter." Make it concrete.

Not all debt is equal. Debt in a core, frequently-changed part of the codebase is much more expensive than debt in a stable, rarely-touched corner. Prioritize accordingly.

When Quality Slips

Quality doesn't collapse overnight. It degrades gradually, and by the time it's obvious, you're already deep in the hole. Learn to spot the early warning signs:

Increasing bug reports. Not just more bugs, but more dumb bugs. Things that should have been caught in review or testing. If you're seeing bugs that make you think "how did this ship?", your quality practices are slipping.

Longer stabilization periods. If it takes three days of bug fixes after every release to get things stable, that's a red flag. Healthy teams deploy and move on.

"It works on my machine." This phrase should set off alarm bells. It means your environments are inconsistent, your tests don't cover what matters, or your developers aren't testing in realistic conditions.

Regression bugs. The same bug comes back after being fixed. This means you're fixing symptoms without tests to prevent recurrence.

Fear of deploying. If your team gets anxious about deployments, or if deploys only happen on Tuesday mornings when "nothing important is going on," something is wrong. Deploys should be routine and low-stress.

Review shortcuts. PRs getting approved in under a minute. Reviews with only "LGTM" as a comment. Two people approving each other's PRs immediately (rubber-stamp reviews).

How to Course-Correct

  1. Acknowledge it. Don't ignore the signals or blame individuals. Bring it up with the team: "I've noticed we're shipping more bugs lately. Let's talk about what's happening."
  2. Find the root cause. Are people rushing because of deadline pressure? Did you lose a senior engineer who was doing thorough reviews? Did the codebase grow more complex without the test suite keeping up?
  3. Pick one or two things to fix. Don't overhaul everything at once. Maybe you start with enforcing test coverage on new code. Or you implement a stricter review checklist. Small, sustained improvements beat big transformation efforts.
  4. Measure. Track bug counts, deployment frequency, time to fix bugs, whatever metric reflects the problem. Make progress visible.

The Business Value of Quality

Let's talk about money, because that's the language that gets leadership's attention.

The cost of bugs escalates dramatically depending on when they're caught:

  • Bug caught during code review: ~30 minutes to fix (the author fixes it before merging)
  • Bug caught in QA: ~2-4 hours (reproduce, debug, fix, re-test)
  • Bug caught in production: ~8-16 hours (alert, investigate, diagnose, fix, deploy hotfix, verify, write post-mortem)
  • Bug found by a customer: all of the above plus customer support time, potential data issues, and trust damage

That's roughly a 10-30x multiplier in cost from "caught in review" to "caught in production." The math is straightforward: investing in catching bugs early is dramatically cheaper than fixing them late.

Rework cost. Studies consistently show that 20-40% of development effort in low-quality teams goes to rework — fixing bugs, re-implementing features that didn't meet requirements, cleaning up incidents. That's like having a 5-person team but only getting the output of 3-4. You're paying for 5 engineers and getting 3.

Customer trust. This one's harder to quantify but arguably the most important. Every bug your customer encounters erodes trust. Every outage makes them consider alternatives. Every data inconsistency makes them question your reliability. Trust takes months to build and minutes to destroy. You won't see "lost customer trust" in your sprint metrics, but your company's revenue will feel it eventually.

Developer morale. Engineers don't want to work on buggy, fragile systems. Constant firefighting burns people out. High-quality codebases attract and retain good engineers. Low-quality codebases drive them away. The cost of replacing an engineer is typically 6-12 months of their salary when you factor in recruiting, onboarding, and the ramp-up period.

When you're justifying quality investments to leadership, use these numbers. "We want to spend 2 weeks improving test coverage" doesn't resonate. "We're currently spending 30% of our capacity on rework and incident response. Investing 2 weeks in test coverage will reduce that to 15%, effectively giving us 1 extra engineer's worth of capacity" — that resonates.

Real-World Scenarios

Scenario 1: The Team That Ships Fast and Ships Well

Team Alpha has a strong quality culture. Every PR gets a thoughtful review within a few hours. They have solid test coverage — not 100%, but the critical paths are covered. They deploy multiple times a day using feature flags. They spend about 15% of each sprint on tech debt.

A new feature request comes in. During planning, they write detailed acceptance criteria, including edge cases. The developer breaks the work into three small PRs. Each PR has tests. Each gets reviewed and merged within a day. The feature is deployed behind a flag, rolled out to 5% of users, monitored for a day, then rolled out fully.

Total time: 1.5 weeks from start to full rollout. Bugs in production: zero. Time spent on rework: zero.

Scenario 2: The Team That Shipped Fast and Broke Everything

Team Beta is under pressure to hit a deadline. They skip reviews ("just approve it, we'll clean it up later"). They skip tests ("no time, we need to ship"). They deploy the whole thing at once on Friday afternoon.

Monday morning: the support queue is on fire. Three critical bugs. One data corruption issue. The team spends the entire week firefighting instead of working on the next feature. The product manager is upset because the next milestone is now at risk. The team is demoralized.

Total time for the feature: 1 week to build, 1.5 weeks to stabilize. Bugs in production: multiple, including a data issue that required manual cleanup. Time spent on rework: more than the original development time.

They "shipped fast" but ended up slower. The deadline pressure that caused them to cut corners created more deadline pressure for the next feature.

Scenario 3: The Team That Over-Engineered Quality

Team Gamma takes quality very seriously. Perhaps too seriously. Every PR requires three reviewers and takes a week to get through review. They aim for 100% code coverage and won't merge anything below that threshold. They write E2E tests for every user flow, and their test suite takes 90 minutes to run. Any tech debt gets addressed immediately — no shortcuts allowed.

They ship one small feature per month. Product is frustrated. Users are asking for features that competitors already have. The code is beautiful and well-tested, but the product is falling behind. Two engineers leave because they're bored — they feel like they spend more time on process than building things.

Quality is important, but it exists to serve the product, not the other way around. The goal is shipping valuable software to users reliably. Quality practices are a means to that end, not the end itself.

Common Mistakes

No code reviews at all. Some teams skip reviews "to move faster." This always catches up to you. Knowledge gets siloed, code quality diverges, bugs pile up. Reviews are not optional.

Testing only happy paths. Your tests all pass because they only test the scenario where everything goes right. Real users don't follow the happy path. They enter invalid data, click things twice, lose their network connection, use a screen reader, open the same page in two tabs. Test the unhappy paths — that's where the bugs live.

"We'll fix it later" culture. Sometimes you do need to ship now and fix later. But if "later" never comes — if your backlog is a graveyard of "we'll fix it later" tickets — you don't have a culture of pragmatic trade-offs. You have a culture of accumulating untracked debt. Be honest about whether "later" is a real commitment or a comfortable lie.

Rubber-stamp reviews. If your review process is "open the PR, glance at the diff, click approve," you have the overhead of reviews with none of the benefit. This is often a symptom of PRs being too large (nobody wants to review 2,000 lines), reviews being seen as a chore rather than valuable work, or the team not understanding what good reviews look like.

Perfectionism blocking delivery. The flip side of "we'll fix it later." Some engineers (and some TLs) won't ship anything unless it's perfect. Perfect is the enemy of good. If the code works, is tested, is reviewed, and handles the known edge cases, ship it. You can improve it in the next iteration.

Blaming individuals for quality issues. "Who wrote this bug?" is almost always the wrong question. The right question is "what process failed that let this bug reach production?" Was the ticket unclear? Was the review rushed? Were there no tests for this scenario? Quality issues are system problems, not people problems. Fix the system.

No monitoring after deployment. Deploying and walking away is like lighting a campfire and going to sleep without checking if the sparks caught the tent. Always watch your metrics after a deploy. Error rates, latency, key business metrics. If you don't monitor, you won't know something is wrong until a customer tells you — and they'll be unhappy when they do.

Wrapping Up

Quality management isn't about being the quality police. It's about building a team culture where everyone cares about what they ship. It's about having the right practices — reviews, tests, clear definitions, monitoring — so that quality is built in, not bolted on.

Your role as TL is to set the bar, provide the tools and practices to meet it, and hold the team accountable — including yourself. You don't need to be perfect. You need to be consistent. Consistently review code thoughtfully. Consistently ask about edge cases. Consistently track debt. Consistently deploy with confidence.

The teams that do this well are the ones that ship the fastest, have the happiest engineers, and build the products that users trust. Quality and speed aren't at odds. They're the same thing, viewed from different angles.

Common Pitfalls

  • Treating quality as QA's responsibility rather than a shared team value. When bugs reach production, the question should be "how did we build this?" not "how did QA miss this?" Quality breaks down upstream of QA almost every time.
  • Allowing rubber-stamp code reviews. PRs getting approved in under a minute with only "LGTM" as a comment means you have the overhead of reviews with none of the benefit. This is often caused by PRs being too large or reviews being seen as a chore.
  • Inverting the testing pyramid. Relying on slow, brittle end-to-end tests while having few unit tests produces a test suite that takes too long, fails randomly, and erodes developer confidence in the pipeline.
  • Letting "we'll fix it later" become a culture rather than an occasional trade-off. Intentional debt with a plan to pay it back is fine. A graveyard of untracked "fix it later" tickets is a slow-motion quality collapse.
  • Pursuing perfectionism that blocks delivery. Requiring three reviewers per PR, demanding 100% code coverage, and refusing to merge anything that is not architecturally pure slows delivery to a crawl and drives engineers away. Quality exists to serve the product, not the other way around.
  • Not monitoring after deployment. Deploying and walking away means you will not know something is wrong until a customer complains. Always watch error rates, latency, and key business metrics after every deploy.

Key Takeaways

  • Quality is not a phase or a gate. It is baked into every decision the team makes, from how tickets are written to how code is monitored in production.
  • Code reviews serve three purposes: catching bugs, sharing knowledge across the team, and maintaining coding standards. Timeliness is non-negotiable; PRs should be reviewed within hours, not days.
  • Follow the testing pyramid: many fast unit tests at the base, some integration tests in the middle, and few end-to-end tests at the top. Inverting this creates a slow, fragile suite.
  • A shared, explicit Definition of Done ensures everyone agrees on what "finished" means. Enforce it consistently.
  • Strong acceptance criteria, with edge cases, error states, and performance expectations, prevent the most common quality failures before development even begins.
  • Speed and quality reinforce each other when done correctly. Small PRs, automated tests, feature flags, incremental rollouts, and CI/CD enable both fast delivery and high reliability.
  • The cost of bugs escalates roughly 10-30x from "caught in review" to "caught in production." Investing in early detection is dramatically cheaper than fixing issues late.