Not surprisingly Rex got a vigorous response and soon the debate was raging. Many people provided valid objections to the idea that there are such things as best practices, but Rex had no intention of backing down.
In response to criticism that “best practice” is just a marketing term, Rex wrote:
It’s not a marketing term. “Best practices” is a widely used management term. By refusing to use this term in its common meaning, you’re just removing yourself from mainstream discourse.
Yes, I’d agree with the first part of that, but not in a way that would make Rex feel comfortable because the reasons for my agreement undermine Rex’s position. It is a weaselly and damaging management term, however popular it might be. The second part, about dissenters “removing themselves from mainstream” is a non-sequitur. Disagreement and disengagement are very different things.
“Best practices” certainly is a widely used management term, and thoughtful testers do need to engage with it. We must not remove ourselves from the mainstream. However, by refusing to use it “in its common meaning” we are bringing much needed clarity of language and thought to the problem.
“Best practices” may be widely used but it is also bollocks. I’d like to offer just some of the reasons why.
“Best practices” hinder experts
My first objection is that the idea of “best practice” constrains practitioners. Beginners need the rules and formal structure that “best practice” and standards provide. Experts do not, and their creativity is stifled by “best practices” that are usually defined by people with less experience and skill.
I touched on this in an article I wrote about testing standards a few years ago.
I referred in that article to a talk that Lloyd Roden gave at Starwest 2009. I’ve just found this video of Lloyd’s talk on YouTube. It is under nine minutes long and well worth watching. It’s had only eight views so far and deserves many more.
“Best practices” foster mediocrity
If experts are constrained and frustrated then that leads on to my second objection to “best practice”. The term implies that certain methods and techniques cannot be improved upon and are required in all circumstances. Paradoxically “best practice” encourages mediocre conformity.
Practitioners have to conform to an industry norm and are discouraged from improving upon “best practice”. If we have already achieved “best” then how can we get better? Any deviance must be inferior. That, I’m afraid, may be utter nonsense, but it is the subtext to much of what goes on in reality.
Dilbert nails “best practices” in this classic strip, “stop making mediocrity sound bad”.
Don’t dismiss Dilbert’s view as being cynical and unfair, at odds with serious professional opinion. Read this.
I have always had difficulties with the term “best practice.” Who is to say which practice is best, which is almost as good, which is really not good enough? The members of the standards committee have been appointed (who appoints them, anyway?) to define best practice at a point in time, but as I stated previously the best sinks to “just okay” practice with the passage of time. A standard is obsolete the day it is published.
Is a standards committee empowered to describe what they believe are generally the best methods, tools and techniques as evidenced by what most organizations are doing? If so, the committee is describing standard practice that has been overtaken by best practice, however defined. The process of standardization drives the thought process to the middle. Carried forward over time, standard practice is mediocrity.
This isn’t a tract from the “context-driven/RST” camp. It is an extract from an article by Steven Ross of Risk Masters Inc entitled “Just okay practice” in ISACA Journal, vol 2, 2013. This is the official magazine of the Information Systems Audit and Control Association, of which Ross is a former president.
Unfortunately the article is available online only to members. Is it a controversial view? I doubt it. Two months after it was published the only comments are ones that agree with the writer.
Context comes first, practices come second
Although Steven Ross was talking in general about standards, the article was prompted by a specific concern about the effect of standards on information security practice. So do the auditors think differently when it comes to software development?
I don’t think so. Try this.
Internal auditors should not expect organizations to fully implement PMBOK, PRINCE2, COBIT, or any other large set of best practices. Rather, they should expect to see that these practices have been customized and integrated into the organization’s project management methodology.
“Not … fully implement… best practices”, “customized”. This pragmatic statement comes from “Global Technology Audit Guide 12 – Auditing IT Applications”, an official research paper issued by the Institute of Internal Auditors to its members.
COBIT (Control Objectives for Information and Related Technologies) is the governance framework for IT created by ISACA. The latest version, COBIT 5, makes it clear that “best practices” are neither mandatory nor inflexible. They should be tailored to each organisation’s objectives and needs. Understanding the context comes first. Choosing, refining and deploying the techniques come second.
Does anyone believe “best practice” means what it says?
Clearly “best practice” doesn’t mean exactly what it says. “Best” is only good practice in a particular context. That is probably not contentious, and I doubt if supporters of “best practice” such as Rex Black would contest the point.
However, in practice many influential people would dispute the point and they do expect “best practice” to mean exactly what it says.
Whatever the defenders say, it is used loosely as a marketing term. It is used to persuade clients that the highest professional standards will be deployed. Clients can also insist on suppliers complying with “best practice” in the naïve belief that this will protect them.
During the Twitter debate Suresh Nageswaran made a very revealing comment in defending “best practice” with the analogy of checks one should perform before driving.
Before car starts, checking tire pressure, fuel, coolant, water is best practice. Cars have numerous points of failure. This practice will reduce the chances of running into them. Ergo best practice. “Best practice” reduces risk in the path to achieving a goal.
Rex Black backed up Suresh saying that he was “exactly right”.
I think he was exactly wrong. It would be best practice to perform such checks before a journey only if there is time available and the consequences of failing to reach the destination on time are sufficiently serious to justify the delay.
Given the reliability of modern cars the risk does not justify performing these checks every time. If you have to get to work on time it would be prudent to trust in the reliability of your vehicle and perform checks at leisure. It is dangerous nonsense to insist that whatever reduces risk is “best practice”.
However, if we neglect to perform the checks then we are guilty of ignoring a “best practice”. In business neglecting documented and agreed “best practice” might get the lawyers interested. So clients and suppliers agree to use “best practice”. It suits both to pretend that it raises quality and protects them.
If you use words loosely don’t be surprised when people believe you mean what you say. “Best practice” can’t be treated as innocuous management terminology when it shapes contracts and introduces damaging inflexibility to working practices.
If you mean that a particular technique is a good practice in certain contexts then say that. Don’t pretend it is a best practice. If the auditors are careful to qualify the term shouldn’t we also be cautious about how we use “best practice”? Some lawyer might just believe you actually mean it! Why on earth would we want to use a term that suggests we are negligent if we don’t follow “best practice”?
Postscript – I intended to leave the matter at that, but I was challenged in a comment by Suresh Nageswaran (see below) that “best practice” is an important form of protection for clients and users. Thinking back on my own experience I reflected that this wasn’t the case, and I decided to write a second article explaining why I’ve found the idea of “best practice” unhelpful.