If you have a decent development process, you most probably have code reviews. But it appears many people (especially management) believe that code reviews make sure the end product is good and bug-free. This has nothing to do with reality, as you can probably guess. The purpose of code reviews is to:
- make sure coding style is consistent throughout the application
- make sure basic things are done properly. For example – don’t use Strings for numbers, don’t synchronize access to singletons, use StringBuilder inside loops, etc.
- make sure no code duplication exists
- make sure layer boundaries are preserved – no database access in the view layer, no UI code in the service layer, etc.
By doing that, code reviews try to minimize the possibility of generating a lot of technical debt. That debt in turn may make the development of new features and maintenance problematic. But preventing this does not guarantee the product will be good. It certainly does not mean that it will be as if the code was written by the reviewer. The code review cannot (and should not) catch problems with the business logic and the program flow. Exceptions flying all over are not something easily detectable by the reviewer. Depending on the structure, this should be caught by QA, the developers themselves or in most cases – both.
So, when management asks you “how come the product is crap if we had code reviews?”, you can say “how come my car breaks all the time if all parts were inspected when built?”.