Org Health Checks for Salesforce
Overview
An org health check is a repeatable assessment of how well a Salesforce org is operating across security, data quality, automation, performance, and delivery operations.
Use this guide to run baseline assessments, prioritize technical debt, and create remediation plans that are actually shippable.
Health Check Cadence
- Monthly: operational checks (failed jobs, integration errors, user friction).
- Quarterly: architecture and automation drift reviews.
- Release cycle: pre-release and post-release risk checks.
Assessment Domains
1) Security and Access
- Review profiles vs permission set strategy.
- Check for over-privileged integration users.
- Validate least-privilege on sensitive objects and fields.
- Verify MFA, session policy, and IP restrictions for privileged users.
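One way to run the over-privileged integration user check on exported org data, as an added example (not part of this guide and not Salesforce tooling): the rows are shaped like the result of querying User, Profile, PermissionSet and PermissionSetAssignment, but every value below is constructed, and the "integration user" test (username prefix `int.`) is an assumed naming convention.

```python
"""Flag integration users that hold broad, org-wide permissions.

Each finding names the profile or permission set that grants the
permission, so remediation can target the actual source of the grant.
"""
from dataclasses import dataclass, field

# Permissions that grant org-wide data or code access. An integration user
# held to least privilege should normally carry none of them.
BROAD_PERMISSIONS = {
    "PermissionsModifyAllData",
    "PermissionsViewAllData",
    "PermissionsAuthorApex",
    "PermissionsManageUsers",
}

INTEGRATION_PREFIX = "int."  # assumed convention for integration usernames


@dataclass
class OrgUser:
    username: str
    profile_name: str
    profile_perms: set = field(default_factory=set)
    # permission set name -> permissions that permission set grants
    perm_sets: dict = field(default_factory=dict)


def is_integration_user(user):
    return user.username.startswith(INTEGRATION_PREFIX)


def broad_grants(user):
    """Return {permission: source} for every broad permission the user holds,
    attributing each one to the profile or permission set that grants it."""
    grants = {}
    for perm in sorted(user.profile_perms & BROAD_PERMISSIONS):
        grants[perm] = "profile:" + user.profile_name
    for ps_name, perms in user.perm_sets.items():
        for perm in sorted(perms & BROAD_PERMISSIONS):
            # keep the first source seen; the profile wins if it already grants it
            grants.setdefault(perm, "permset:" + ps_name)
    return grants


def find_over_privileged(users):
    """Integration users holding any broad permission, sorted by username."""
    findings = []
    for user in users:
        if not is_integration_user(user):
            continue
        grants = broad_grants(user)
        if grants:
            findings.append({"username": user.username, "grants": grants})
    return sorted(findings, key=lambda f: f["username"])


# Constructed sample org: two integration users are over-privileged, one is
# clean, and the human admin is out of scope for this check.
SAMPLE_USERS = [
    OrgUser("int.erp@example.com", "System Administrator",
            {"PermissionsModifyAllData", "PermissionsViewAllData",
             "PermissionsManageUsers"}),
    OrgUser("int.marketing@example.com", "Integration Minimum", set(),
            {"Marketing Sync": {"PermissionsApiEnabled"},
             "Legacy Admin": {"PermissionsViewAllData"}}),
    OrgUser("int.billing@example.com", "Integration Minimum", set(),
            {"Billing Sync": {"PermissionsApiEnabled"}}),
    OrgUser("jane@example.com", "System Administrator",
            {"PermissionsModifyAllData"}),
]

if __name__ == "__main__":
    for finding in find_over_privileged(SAMPLE_USERS):
        print(finding["username"])
        for perm, source in finding["grants"].items():
            print("   ", perm, "<-", source)
```

Feeding this the real query results instead of `SAMPLE_USERS` turns the "Check for over-privileged integration users" bullet into a repeatable monthly check whose output already carries the remediation target (which profile or permission set to trim).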
2) Data Quality and Model Integrity
- Identify duplicate-prone entities and matching gaps.
- Review null/invalid rates for business-critical fields.
- Check external ID consistency for integration keys.
- Audit ownership and lifecycle fields (Status, Stage, timestamps).
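The null/invalid-rate and external-ID checks from this domain, as an added example that is not part of the guide: the rows imitate a SOQL export of Opportunity, and the records, the allowed stage list and the thresholds are all constructed.

```python
"""Profile business-critical fields and integration keys on exported records."""
from collections import Counter

# Assumed picklist for the sample org; take the real values from the field metadata.
VALID_STAGES = {"Prospecting", "Qualification", "Proposal", "Closed Won", "Closed Lost"}


def _is_blank(value):
    return value is None or (isinstance(value, str) and value.strip() == "")


def field_quality(rows, field, valid_values=None):
    """Null rate and, when a value set is supplied, invalid rate for one field."""
    total = len(rows)
    nulls = sum(1 for r in rows if _is_blank(r.get(field)))
    invalid = 0
    if valid_values is not None:
        invalid = sum(1 for r in rows
                      if not _is_blank(r.get(field)) and r[field] not in valid_values)
    return {"field": field, "null_rate": nulls / total, "invalid_rate": invalid / total}


def external_id_issues(rows, field):
    """Records missing the integration key, and key values shared by several records.
    Either condition breaks upsert-by-external-ID for the integration that owns the key."""
    counts = Counter(r[field] for r in rows if not _is_blank(r.get(field)))
    return {
        "missing": [r["Id"] for r in rows if _is_blank(r.get(field))],
        "duplicates": {key: n for key, n in counts.items() if n > 1},
    }


def data_quality_findings(rows, thresholds):
    """Fields whose null or invalid rate exceeds the agreed maximum.
    thresholds: field -> (valid_values or None, max acceptable rate)."""
    findings = []
    for field, (valid_values, max_rate) in thresholds.items():
        quality = field_quality(rows, field, valid_values)
        if quality["null_rate"] > max_rate or quality["invalid_rate"] > max_rate:
            findings.append(quality)
    return findings


# Constructed sample export: one blank stage, one non-picklist stage, one blank
# close date, and an ERP key that is both missing once and duplicated once.
SAMPLE_OPPS = [
    {"Id": "006A", "StageName": "Prospecting", "CloseDate": "2024-05-01", "ERP_Id__c": "E-100"},
    {"Id": "006B", "StageName": None,          "CloseDate": "2024-06-15", "ERP_Id__c": "E-101"},
    {"Id": "006C", "StageName": "Closed Won",  "CloseDate": None,         "ERP_Id__c": ""},
    {"Id": "006D", "StageName": "Won",         "CloseDate": "2024-07-30", "ERP_Id__c": "E-100"},
]

THRESHOLDS = {
    "StageName": (VALID_STAGES, 0.05),
    "CloseDate": (None, 0.05),
    "ERP_Id__c": (None, 0.0),
}

if __name__ == "__main__":
    for finding in data_quality_findings(SAMPLE_OPPS, THRESHOLDS):
        print(finding)
    print(external_id_issues(SAMPLE_OPPS, "ERP_Id__c"))
```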
3) Automation Reliability
- Inventory Flows, Apex triggers, and scheduled jobs by object.
- Detect competing automations on the same records.
- Confirm bulk-safe design and recursion controls.
- Track top automation failures and mean time to recover.
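An added example (not from the guide) for the first two bullets of this domain: building the per-object automation inventory and flagging the (object, timing) slots where more than one automation fires on the same records. The entries stand in for what you would collect from Flow and ApexTrigger metadata; the names and objects are constructed. Timing uses the Flow trigger-type vocabulary (`RecordBeforeSave`, `RecordAfterSave`) and maps Apex trigger events onto the same two buckets.

```python
"""Inventory record-triggered automations per object and find competing ones."""
from collections import defaultdict

# Apex trigger events -> the save-order bucket they share with record-triggered flows.
APEX_EVENT_TIMING = {
    "before insert": "RecordBeforeSave",
    "before update": "RecordBeforeSave",
    "after insert": "RecordAfterSave",
    "after update": "RecordAfterSave",
}


def normalize(entry):
    """Yield (object, timing, label) for each save-order slot an entry occupies.
    Scheduled and autolaunched flows do not run in the record save and are skipped."""
    label = entry["type"] + ":" + entry["name"]
    if entry["type"] == "Flow":
        if entry["trigger_type"] in ("RecordBeforeSave", "RecordAfterSave"):
            yield entry["object"], entry["trigger_type"], label
    elif entry["type"] == "ApexTrigger":
        timings = {APEX_EVENT_TIMING[e] for e in entry["events"] if e in APEX_EVENT_TIMING}
        for timing in sorted(timings):
            yield entry["object"], timing, label


def inventory_by_object(entries):
    """{object: {timing: [labels]}} for everything that runs inside the record save."""
    inventory = defaultdict(lambda: defaultdict(list))
    for entry in entries:
        for obj, timing, label in normalize(entry):
            inventory[obj][timing].append(label)
    return {obj: dict(timings) for obj, timings in inventory.items()}


def competing_automations(entries):
    """Slots holding more than one automation. Their relative order, and whether one
    undoes or re-triggers another, is then decided by platform ordering rules rather
    than by design, which is the drift this check exists to surface."""
    return {
        (obj, timing): sorted(labels)
        for obj, timings in inventory_by_object(entries).items()
        for timing, labels in timings.items()
        if len(labels) > 1
    }


# Constructed inventory: Case has two after-save flows plus a trigger that also
# runs after save; Account has a single before-save flow; the Opportunity flow is
# scheduled and so never competes inside a save.
SAMPLE_INVENTORY = [
    {"type": "Flow", "name": "Case_Assign_Queue", "object": "Case",
     "trigger_type": "RecordAfterSave"},
    {"type": "Flow", "name": "Case_Notify_Owner", "object": "Case",
     "trigger_type": "RecordAfterSave"},
    {"type": "ApexTrigger", "name": "CaseTrigger", "object": "Case",
     "events": ["before insert", "after insert", "after update"]},
    {"type": "Flow", "name": "Account_Default_Fields", "object": "Account",
     "trigger_type": "RecordBeforeSave"},
    {"type": "Flow", "name": "Opp_Nightly_Sync", "object": "Opportunity",
     "trigger_type": "Scheduled"},
]

if __name__ == "__main__":
    for slot, labels in competing_automations(SAMPLE_INVENTORY).items():
        print(slot, "->", ", ".join(labels))
```

The Case after-save slot is the classic consolidation candidate named in the scoring table below (one record-triggered flow per object and context, with the trigger handling what a flow cannot).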
4) Performance and Limits
- Monitor slow queries and non-selective filters.
- Track governor-limit exceptions by class/flow.
- Check async backlog (Queueables, Batch Apex, Platform Events).
- Review large-object/report performance hotspots.
5) Delivery and Operations
- Validate CI quality gates (tests, static checks, metadata validation).
- Check release rollback readiness and feature-flag strategy.
- Ensure observability exists for integrations and key automations.
- Confirm runbooks are current for incident response.
Scoring Model
Use a simple 0-3 score per domain:
- 0: High risk, immediate remediation required.
- 1: Significant gaps, remediation in current quarter.
- 2: Acceptable baseline with targeted improvements.
- 3: Strong baseline, routine monitoring only.
Example output:
| Domain | Score | Owner | Next Action |
|---|---|---|---|
| Security | 1 | Security Lead | Replace profile-based admin access with perm-set groups |
| Data Quality | 2 | Data Steward | Add duplicate rules for Person Accounts |
| Automation | 1 | Salesforce Dev Lead | Consolidate record-triggered flows on Case |
| Performance | 2 | Architect | Add selective indexes and query fixes |
| Operations | 1 | Release Manager | Add post-deploy smoke suite |
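How the scorecard above can be produced from a list of findings, as an added example that is not part of the guide. The guide defines what each score means but not how to derive it from findings, so the mapping used here is an assumption: any critical finding gives 0, any high finding 1, only medium findings 2, and low or no findings 3. The findings, their impact ratings and the owners are constructed to reproduce the example table.

```python
"""Derive the 0-3 domain score and next action from a findings list."""
from collections import Counter

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

SCORE_MEANING = {
    0: "High risk, immediate remediation required.",
    1: "Significant gaps, remediation in current quarter.",
    2: "Acceptable baseline with targeted improvements.",
    3: "Strong baseline, routine monitoring only.",
}


def score_domain(findings):
    """Assumed rule: the worst open severity in the domain sets the score."""
    by_severity = Counter(f["severity"] for f in findings)
    if by_severity["critical"]:
        return 0
    if by_severity["high"]:
        return 1
    if by_severity["medium"]:
        return 2
    return 3


def next_action(findings):
    """The most severe finding, ties broken by higher business impact, drives the action."""
    if not findings:
        return "Routine monitoring"
    top = min(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], -f["impact"]))
    return top["action"]


def build_scorecard(domains):
    """domains: name -> (owner, findings). Rows come back worst score first, so the
    top of the table is also the top of the remediation backlog."""
    rows = [
        {"domain": name, "score": score_domain(findings), "owner": owner,
         "next_action": next_action(findings)}
        for name, (owner, findings) in domains.items()
    ]
    return sorted(rows, key=lambda r: (r["score"], r["domain"]))


def render_markdown(rows):
    lines = ["| Domain | Score | Owner | Next Action |", "|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['domain']} | {r['score']} | {r['owner']} | {r['next_action']} |")
    return "\n".join(lines)


# Constructed findings; impact is a 1-10 business-impact rating from the risk register.
SAMPLE_DOMAINS = {
    "Security": ("Security Lead", [
        {"severity": "high", "impact": 8,
         "action": "Replace profile-based admin access with perm-set groups"},
        {"severity": "medium", "impact": 5, "action": "Tighten login IP ranges for admins"},
    ]),
    "Data Quality": ("Data Steward", [
        {"severity": "medium", "impact": 6, "action": "Add duplicate rules for Person Accounts"},
    ]),
    "Automation": ("Salesforce Dev Lead", [
        {"severity": "high", "impact": 7, "action": "Consolidate record-triggered flows on Case"},
        {"severity": "high", "impact": 4, "action": "Add recursion guard to AccountTrigger"},
    ]),
    "Performance": ("Architect", [
        {"severity": "medium", "impact": 6, "action": "Add selective indexes and query fixes"},
    ]),
    "Operations": ("Release Manager", [
        {"severity": "high", "impact": 7, "action": "Add post-deploy smoke suite"},
    ]),
}

if __name__ == "__main__":
    print(render_markdown(build_scorecard(SAMPLE_DOMAINS)))
```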
Recommended Artifacts
- Risk register with severity, owner, due date.
- Top 10 debt backlog sorted by business impact.
- 90-day remediation plan with measurable outcomes.
- Before/after metrics (error rates, cycle time, adoption).
Common Failure Modes
- Treating health checks as one-time audits instead of recurring discipline.
- Generating findings without clear owners and due dates.
- Focusing only on code while ignoring process and governance debt.
- Deferring data quality fixes until after major releases.
Related Patterns
- Monitoring and Alerting - Metrics and alert design
- Release Governance - Release risk controls
- Permission Set Architecture - Access design strategy
- Data Quality Stewardship - Data quality operating model