Test Debt Is Now a Board-Level Risk
- Pregasin Pillay

- 5 days ago
Most boards have never heard the phrase "test debt." They will.
It builds quietly. A testing step skipped here, a regression suite left unmaintained there, a deployment rushed to hit a deadline. On its own, none of it looks serious. In aggregate, it creates exactly the kind of fragility that turns a routine system change into an incident.
The question is no longer whether test debt exists in your organisation. It almost certainly does. The question is whether your board knows about it before something breaks.
What happened in December 2025 should get your attention
In December 2025, NZ Police notified the Privacy Commissioner of a privacy breach caused by a technical issue in their Incident Management Tool. A software defect meant that redacted documents weren't being processed correctly, potentially exposing sensitive information in legal disclosure packages. Police paused the tool and applied a technical fix, but the damage to affected parties had already occurred.
This wasn't a cyberattack. It was a system error. And it is far from an isolated case.
Serious privacy breaches notified to the NZ Privacy Commissioner rose 43% in 2024/25, a record year following the previous record year. Privacy Commissioner Michael Webster has been explicit: many organisations lack the basic policies and practices to manage privacy impacts before they become incidents.
Change management failures and system errors sit at the heart of a significant share of these breaches.
This is not just a New Zealand problem
In July 2024, a single CrowdStrike update took down 8.5 million Windows machines globally, grounding flights, disabling emergency services, and causing an estimated $10 billion in damage. The root cause was a missing array bounds check. A basic software craftsmanship failure that cleared every stage of the deployment pipeline. By the following earnings season, executives had moved on.
This is the pattern. Brief panic, then nothing changes.
Globally, security debt now affects 82% of organisations, up from 74% the previous year, with critical security debt impacting 60% of those. High-risk vulnerabilities are up 36% year-on-year. This isn't a fringe problem. It's the norm.
Why test debt escapes governance
Testing has historically been framed as an operational hygiene task, something that slows projects down, something leaders only notice when it fails. That framing is now commercially dangerous.
Three things have shifted the stakes:
Integration complexity. Even mid-sized councils and utilities now run dozens of SaaS tools connected by APIs and data pipelines. A single configuration change can break a customer portal, billing workflow, or maintenance system. The interdependencies are rarely mapped and almost never fully tested.
Legacy modernisation pressure. Old platforms fail in ways that are hard to predict. Regression testing on legacy environments is slow and painful, so teams skip it. The debt compounds.
Board accountability for resilience. Under the NCSC's updated guidance, boards are accountable for resilience and incident response: not just cybersecurity posture, but recovery capability as well. Unverified backups, untested failover procedures, and brittle environments are governance issues, not delivery details.
The 2026 State of Testing Report from PractiTest identifies a clear industry shift: organisations are moving away from measuring testing volume toward managing quality as a strategic function. Boards that only hear about testing failures after incidents are already behind.
What test debt looks like from the top
Boards don't need to understand test scripts. They do need to recognise the warning signs:
Production incidents traced to configuration or data issues, with no clear root cause analysis
Release windows that stretch from days to weeks because testing is unpredictable
Business units conducting their own shadow testing because they don't trust the systems
Change programmes that consistently "discover" problems late, pushing out delivery dates
No clear visibility over what is actually tested across core systems and critical integrations
If these patterns exist, test debt is already constraining strategy execution. It is not a future risk. It is active now.
Four practical steps
1. Build a current-state baseline. Map what is tested, how, and by whom. Most organisations don't have this documented. You cannot govern what you cannot see.
2. Prioritise coverage by business risk. Revenue systems, customer-facing processes, regulatory obligations, and safety-critical workflows come first. Not everything needs the same level of attention.
3. Fix test environments before you modernise. Many organisations attempt transformation while testing on brittle legacy infrastructure. Fixing the testing environment first reduces rework, increases delivery confidence, and often uncovers risk that was already there.
4. Move testing into governance reporting. Testing needs to shift earlier in delivery cycles, but it also needs to surface at board level. Testing health indicators belong in risk reporting packs alongside financial and cyber risk.
Organisations that address test debt early shorten change cycles, reduce production incidents, and make modernisation programmes more predictable.
Where MomentumIQ fits
Not every organisation needs a full-time quality engineering function. Most mid-market organisations need experienced people, for a defined period, to assess the problem honestly and build a path forward that their own teams can own.
MomentumIQ works with senior specialists across strategic advisory, fractional QA leadership, and targeted delivery support. If you need someone to sit inside your organisation and drive testing maturity without creating a permanent dependency, that is how we work.
We also bring genuine innovation in test automation. Our self-healing test automation capability reduces the maintenance burden that kills most automation programmes. Tests that adapt to UI and workflow changes rather than breaking every release cycle. For organisations spending more time fixing tests than running them, this changes the cost equation significantly.
If test debt is already affecting your delivery confidence, the right starting point is a clear picture of where you actually stand. MomentumIQ can help you build that baseline, identify the highest-risk gaps, and decide what to address first.
Get in touch or book a no-obligation conversation with our team.




