Compliance with Sarbanes-Oxley (SOX) and related regulations requires senior executives at public companies to re-examine their internal systems and controls. SOX compliance has focused on financial controls, accurate revenue recognition, and reliable balance sheet information, all of which are essential to sound corporate governance and risk minimization. But what are the real risk factors behind corporate performance and business success?
In spite of the ballyhooed scandals such as Enron and Worldcom that led to the SOX legislation, wrongdoing on that scale is comparatively rare. The greater risk -- and indeed the greater opportunity for consistency and transparency -- arises from prosaic day-to-day business activities. How an organization develops software is particularly important in this regard, since the success of most organizations depends on how well they create and adapt the software on which their business processes or products depend. (Outsourcing is no panacea. You may outsource the work and outsource many of the headaches, but problems in the resulting software can still put your organization at risk.)
Most B2C companies today derive a substantial portion of their sales from their web site, so downtime at the web site because of software glitches can cause enormous losses. Consider, for example, that Amazon.com averaged almost $800,000 per hour in sales for 2004, so any glitch, regardless of duration, produces significant loss. Glitches in business software can be equally devastating. In mid-2004, for example, Hewlett-Packard suffered very disappointing quarterly results due in large part to problems in supply-chain and order-processing software, according to the then-senior management. In other cases -- as in the outage at salesforce.com, a firm that hosts applications for other businesses -- the cost does not translate immediately into lost sales but into a perception by existing and prospective customers of increased risk.
Whatever the cause, business stoppages due to software errors are very, very expensive. Large companies with multiple product lines can recover from these software errors, but smaller firms sometimes suffer setbacks that require years to recover from completely.
Because the cost of these failures is so high, senior management is well served by systems that provide precise, objective, real-time data on the quality of the company's software and the effectiveness of its software-development activities.
Most companies today provide real-time data on internal processes only for their manufacturing activities, as this area has a long tradition of monitoring quality via real-time quantitative measures. However, the metrics from a factory floor have few counterparts in software development. This is due to the substantially different nature of the processes: Manufacturing aims to perform the same activity repeatedly with every result being the same, whereas software development attempts to create individual (and hence differentiated) deliverables with as few defects as possible. The question then arises, what metrics can senior management track to monitor the quality of in-house software? And how much data is really needed?