It's clear to me that code reviews are not enough. They give you a false sense of confidence. It is just enough to make you feel like you don't need something else.
The missing links are context and engagement. The best clarification I can think of for this comes from Scrum. They use the (unfortunate) example of hens vs. pigs. When it comes to breakfast, the pigs are fully committed. The hens, well… just aren't.
Here's an example that I think will help to illustrate my point. In this instance, my code was under review. I was the pig. Everyone else was a hen. They are interested, but their engagement is inherently limited. They don't know the decision process. They don't know the whys. This task was not assigned to them. Conversely, they had other things assigned to them, which implies higher priority. And, maybe most importantly, they were not present in any of the design consideration meetings. Actually, for this code I was somewhere between a chicken and a pig. I wasn't in any of those meetings either. Another developer wrote it in isolation and I was enhancing.
It was only a few lines of code. We were displaying some information about important tables on an admin dashboard. We both missed the fact that the basic sql statement to gather each table's count was hard coded to the 'users' table. This was an artifact of abstracting the single table into a loop of tables. This is a simple example. But, that's just it. Code reviews don't even hack it for the simple stuff. How are they supposed to be effective for a whole story? After the fact?
But because those are performed as a check-in guard rather than as the code is being written, it is always more expensive to incorporate the feedback than to ignore it. So many suggestions don’t get implemented and learning happens at a slower pace than possible. -- Arlo Belshee, http://arlobelshee.com/post/thats-not-agile
During a code review it's almost impossible to discuss whys. There is no reason to bring them up.
You see small snippets of the entire puzzle.
You can check for coding style but it's difficult to check coding concepts.
It’s very hard to give them the time and energy they require to be somewhat effective.
Reviewers need both the time to read the code and the time to keep up to date with all the details of the system; they can rapidly become the bottleneck in this process, and the process soon degenerates. - Mattias Karlsson, 97 Things Every Programmer Should Know.
Mattias goes on to share a model for Code Reviews that sounds good.
Are code reviews effective for you?