If you think code reviews are about finding bugs, you're doing them wrong...

3 September 2025

We all know that code reviews are important, and we are familiar with the benefits, common suggestions, and best practices. So, you don't need another post telling you about them. Instead, here's why code reviews may not be what you think they are.

1️⃣ They are less about code and more about risk.
Imagine this. A PR comes across your review list. It's small, 10 lines, looks harmless, just an API call in a loop. You approve, it's in production, and a day later, your cloud bill spikes by $60,000. Turns out that loop was calling the API 300 times per user. Your approval is now the most expensive click of your career.

Code reviews are about risk, not just code. Instead of only asking
❓ “Does this work?”
you also need to ask:
❓ “What’s the worst that could happen if we ship this?”
❓ “If it fails, how big is the blast radius?”
❓ “Can we roll back if we need to?”
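To make the "API call in a loop" scenario above concrete from a reviewer's seat, here is an added example that is not code from the original post. It measures request volume per user for the loop-shaped version against a batched version, which is the number you want in hand before asking "what's the worst that could happen?". The `FakeApiClient`, its per-item `get_item` and the bulk `get_items` endpoint are constructed stand-ins (a real API may not offer a bulk call at all), and the 300-item user and the 100,000-user projection are constructed inputs.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


# Constructed stand-in for a metered third-party API. It counts requests
# instead of billing for them, so call volume can be measured offline.
@dataclass
class FakeApiClient:
    calls: int = 0

    def get_item(self, item_id: int) -> Dict[str, int]:
        """One request per item: the shape of the loop in the anecdote."""
        self.calls += 1
        return {"id": item_id}

    def get_items(self, item_ids: List[int]) -> List[Dict[str, int]]:
        """Hypothetical bulk endpoint (an assumption; not every API has one)."""
        self.calls += 1
        return [{"id": i} for i in item_ids]


def enrich_per_item(client: FakeApiClient, item_ids: List[int]) -> List[Dict[str, int]]:
    """The 'harmless' ten-line version: an API call inside a loop.
    Request volume grows with len(item_ids) for every user."""
    return [client.get_item(i) for i in item_ids]


def enrich_batched(
    client: FakeApiClient, item_ids: List[int], batch_size: int = 100
) -> List[Dict[str, int]]:
    """Same result, one request per batch, so request volume grows with
    len(item_ids) / batch_size instead."""
    results: List[Dict[str, int]] = []
    for start in range(0, len(item_ids), batch_size):
        results.extend(client.get_items(item_ids[start:start + batch_size]))
    return results


def measure_calls(fn: Callable[[FakeApiClient, List[int]], object], item_ids: List[int]) -> int:
    """Run fn against a fresh fake client and return how many requests it made."""
    client = FakeApiClient()
    fn(client, item_ids)
    return client.calls


def projected_calls(calls_per_user: int, users: int) -> int:
    """Blast-radius arithmetic: requests per user times users hit by the release."""
    return calls_per_user * users


if __name__ == "__main__":
    # Constructed input: one user with 300 items, as in the anecdote above.
    ids = list(range(300))
    per_item = measure_calls(enrich_per_item, ids)
    batched = measure_calls(enrich_batched, ids)
    print(f"per-item loop: {per_item} requests/user, batched: {batched} requests/user")
    print(
        f"100,000 users -> {projected_calls(per_item, 100_000):,} "
        f"vs {projected_calls(batched, 100_000):,} requests"
    )
```

Nothing in the loop version is wrong in the "does it work?" sense; both functions return the same data. The difference only shows up when the reviewer multiplies requests per user by the user count, which is exactly the question the diff itself never asks.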

2️⃣ They are more about the product and less about policing the code.
Many things can lead to a product failure, for example, missing or broken features, bad architecture, or vulnerabilities that expose sensitive data. Reviews should guard against those things, not for the sake of the code but for the product. Ask yourself:
❓ “Will these code changes make the product better?”

3️⃣ They are more about shared ownership and less about individual approval.
When you hit “Approve,” you’re not just saying, “Looks good to me.” You’re saying, “I’ll take responsibility if this goes wrong in production.” After all, there are now two people who fully understand this code: the person who wrote it and you, who reviewed it. So before you hit approve, ask yourself:
❓ “Do I understand what’s going on?”
❓ “Could I defend this in a post-mortem?”

4️⃣ Code reviews are more cultural than technical.
Code reviews are more about the human element and team dynamics than purely technical aspects. Technical correctness is still needed; however, the way feedback is delivered, received, and used will impact team culture, learning, and code quality more.

If code reviews are done well, they build a culture based on trust, shared responsibility, and a willingness to challenge ideas, and in the end, that culture will outlive the code itself… unless you’re using FORTRAN, then your code will probably outlive the sun.

The best code reviews protect products, spread knowledge, and shape cultures; bug hunts are just a fun side effect.

djangsters GmbH

Vogelsanger Straße 187
50825 Köln