Let's peek in on a discussion in a bug triage meeting.
Tim, the marketing manager, is shaking his head. "That's a high on the severity scale. It's really bad, guys. You have to make it a high."
Jordan, the development manager, is barely containing her frustration. Her eye is starting to twitch as she replies, "No, Tim. That's not all that bad. It's an inconvenience, I agree, but there's an easy workaround."
"Inconvenience?!?" Tim says a bit more loudly than he intended. "You call not being able to print an inconvenience?!? That's a disaster!"
"Yes, I call not being able to print from one particular type of printer without installing an upgraded driver from the vendor's website an inconvenience. The user just needs…"
"I know what the user needs," Tim cut in. "The user needs to be able to print out of the box! You can fix this in our code, right?"
Jordan nods, "Yes, but we'd just be working around the vendor's…"
"Then fix it." Tim stood over Jordan, glaring.
"But it's a medium at best!" Jordan objected. "The user isn't losing any data, doesn't have to reboot, isn't crashing. They just have to update a driver."
This argument could continue forever. I've seen many arguments like this go on and on. What's really happening here? Why are Tim and Jordan about to be at each other's throats?
Priority Is Business; Severity Is Technical
Tim is looking at business priority: "How important is it to the business that we fix the bug?" Jordan is looking at technical severity: "How nasty is the bug from a technical perspective?" These two questions sometimes arrive at the same answer: a high severity bug is often also high priority, but not always. Allow me to suggest some definitions.
Severity is levels:
- Critical: the software will not run
- High: unexpected fatal errors (includes crashes and data corruption)
- Medium: a feature is malfunctioning
- Low: a cosmetic issue
Now you see why Jordan was arguing that the Print bug was a medium: a feature was malfunctioning.Priority levels:
- Now: drop everything and take care of it as soon as you see this (usually for blocking bugs)
- P1: fix before next build to test
- P2: fix before final release
- P3: we probably won't get to these, but we want to track them anyway
And now you can see why Tim was so adamant that the issue was a high. From his perspective, it was a P1 matter. They're both right. It's of medium severity, but P1 to fix.
Priority Is Relative; Severity Is Absolute
Further, the priority might change over time. Perhaps a bug initially deemed P1 becomes rated as P2 or even a P3 as the schedule draws closer to the release and as the test team finds even more heinous errors. Priority is a subjective evaluation of how important an issue is, given other tasks in the queue and the current schedule. It's relative. It shifts over time. And it's a business decision. By contrast, severity is an absolute: it's an assessment of the impact of the bug without regard to other work in the queue or the current schedule. The only reason severity should change is if we have new information that causes us to re-evaluate our assessment. If it was a high severity issue when I entered it, it's still a high severity issue when it's deferred to the next release. The severity hasn't changed just because we've run out of time. The priority changed.
Priority and Severity Don't Mix
In response to Johanna's column last week, some people suggested using both severity and priority to come up with a composite risk number. While this intuitively sounds like a way to resolve the priority-severity divide, I suggest using such an approach with extreme caution. It's multiplying apples by oranges in an attempt to quantify bananas. Risk is yet a third type of information. The risk associated with any bug depends on the severity of the issue, certainly. But it also depends on the likelihood that the user will run into it as well as the possible losses that might occur. I don't attempt to quantify all this when assessing the severity of an issue. In fact, I think that in most cases assessing the risk of a single issue takes more time than it's worth. Only for potentially poisonous bugs involving dangerous fixes do I really want to weigh the risk of fixing it against the risk of not fixing it.
Establish Work Precedence
The best way to avoid confusion about what comes first is to ensure everyone in the organization takes their cues for work precedence from priority and nowhere else. Developers fix P1 defects first. Testers verify P1 fixes first. Technical writers document P1 issues first. Everyone works in priority order: the priority reflects importance to the business. Saying, "This bug is more severe than that one so I'll work on it first" is as bad as saying, "I like this bug more, so I'll work on it first." The severity rating is technical information used by managers as a piece of the formula in determining the priority rating. The priority rating is the final word on the order in which the work is done by programmers, testers, and everyone else. The ultimate lesson here, regardless of the terms or levels you use to categorize your bugs, is that any classification scheme will only be effective if everyone agrees on definitions. So perhaps that's the very first question to ask when an argument is brewing about severity, priority, or risk: "Help me understand exactly what information you're using from each defect record and how you're using it?"
Clarify Your Ranking for System Problem Reports, By Johanna Rothman