Five Risk Assessments Where Automotive Giants Need To Improve To Compete With Startups

Monday, July 19, 2021

#Cybersecurity    #Functional Safety    #Automotive SPICE

Per LIFE Magazine (Nov, 1967), there were only two cars in the entire state of Ohio in 1895, and legend has it that they collided with each other. Regardless of whether this story predated the era of “fake news”, its cautionary message suggests we humans sometimes misjudge risk until facing the consequences. As chronicled by Lisa Bortolotti in Ethical Theory and Moral Practice (2018), adults are likely to underestimate the probability that they’ll experience divorce, illness, job loss or such a car accident. But humans are not alone: Optimism Bias, the psychological effect of holding inappropriate beliefs of success that was first noted scientifically in 1980, has since been noted in squirrels, birds and multiple other creatures. In fact, with recent medical advances in cognitive neuroscience, researchers have pinpointed the hardwired parts of the brain (e.g., amygdala, rACC) that create an “… intercommunicating neural network underlying the bias for positive predictions.”



Now add market shifts such as electric vehicles, autonomous driving and connected technologies and the risk assessments become extremely important, especially as dozens of startups unencumbered by legacy perils attempt to steal the market away from the industry giants.


So here are several areas where companies have recently struggled with Optimism Bias along with recommendations to avoid the painful consequences. 



Most software-enabled industries right now would have cybersecurity on such a risk list, but it tops the automotive list due to threats on two fronts: vulnerabilities and revenue. On the vulnerability side, a slow-crescendo history helped create the overconfidence: for decades most of the attacks were conducted by “white hat hackers” (a.k.a. researchers or do-gooders), with few malicious, real-world attacks. However, in the past five years the black hat (real) hackers have awoken and, per CNET’s Road/Show (2019), automotive “… has experienced a 94% year-over-year growth in hacks since 2016”, with over 200 in-vehicle or offboard incidents in 2020, 57% of them coming from black hat hackers. 76% of automotive companies have admitted to having a cybersecurity event in the past 24 months.

As if those clean-up costs weren’t bad enough for the automotive Chief Financial Officers, the revenue side of the Income Statement is also under attack. Multiple regulatory agencies have recognized requirements within newly published standards as the basis for certification starting in 2022, and if corporations are unable to demonstrate a Cybersecurity Management System (CSMS) and a Software Update Management System (SUMS), they will lose the right to sell vehicles in those countries. Additionally, per multiple studies, customers have stated that they hesitate to buy brands known to have been hacked, so new vehicle sales could be impacted by government and consumer alike.

Recommendation: Get a cybersecurity leader in place and then a solid improvement plan with objective and measurable milestones. Only 45% of automotive companies reported having an executive overseer versus 85% at banks and non-automotive tech companies. Investment has also severely lagged other industries. The only way to explain this deficiency despite over 400 executives listing cybersecurity in their top ten risks (Protiviti, 2020) is the Valence Effect of Optimism Bias, which can be paraphrased as “Bad things happen to other people regardless of my risky behavior.”




Recall Avoidance

Per the Original Equipment Suppliers Association (OESA), from 2005 to 2013, there were typically 125-150 unique campaigns with vehicles like the 2011 Chevy Volt having a mere 10 million lines of code.


From 2014 to 2018, the number of recalls doubled (e.g., 341 in 2018 which, at the time, was the most ever recorded) with “electronic defects [accounting] for the highest percentage (26%) of vehicles recalled in 2018: 6.3M vehicles.” The link is likely causal rather than just correlated: even pickup trucks were skyrocketing above 150M lines of code per vehicle in a short period of time. All of these recalls add up to cost: an average of $12 million per recall, with a cumulative total anywhere from $20 to $30 billion per year.

Recommendation: Measure early and often. Most defects that require recalls can be traced back to a mediocre “standard work” for either design or manufacturing. Both arenas have strategies or methodologies to measure improvement, e.g., Functional Safety Assessments or Quality Management Systems.



All markets shift, which requires a business to change its offering or face decreased revenues. Regulations regarding fuel economy can massively impact the product’s market acceptance. According to Ward et al (2015), the unpredictable future of fuel economy standards is one reason, though not the only one, that it’s time for U.S. automakers to invest in agility practices that can help them compete globally. Various manufacturers and suppliers talk about “being Agile” to their investors or customers since statistics supposedly show 80% of Agile companies have experienced an increase in productivity, revenue growth or profitability, but fewer automotive firms have truly embraced the cultural shift. Many don’t use the system to plan, monitor and especially adjust their projects to meet the market, due to confusion on how to marry the development system with complex standards and regulations. The original goal of nimbleness is never achieved.

Recommendation: Watch out for the hype. Some consulting firms familiar with Agile nomenclature will attempt to sell mediocre, out-of-the-box solutions with catchy acronyms. Look for help on the ways of working that are designed around business success rather than terminology.




Standards organizations like IEEE have estimated a typical module (a.k.a. ECU or Electronic Control Unit) has approximately 100 million lines of code (MLOC). Given that estimates range to upwards of $35 per line of code depending upon the complexity, quality and maintenance required, that equates to $3-4B USD in just software for that one project. If we ignore the other opportunity costs from restarting each time (e.g., speed to market, better quality from reused code), the business risk of poorly-executed, throwaway architecture is staggering. As stated well by Kate Matsudaira, “Most software systems consist of parts and pieces that come together to perform a larger function. Those parts and pieces can be thought out and planned, and work together in a beautiful orchestra. Or they can be designed by individuals, each one as unique as the person who created it. The challenge is that if you want your software to last, uniformity and predictability are good things—unique snowflakes are not.”

Recommendation: Force the team and the architect to stop and consider alternatives that might save future costs. “Features are realized by functionality implemented in the product, which could be repackaged and reused if architected well,” states Peter Abowd, CEO of Kugler Maag Cie North America. Mortensen et al (2016) showed via case studies the possibility to reduce the number of architectures by 60%, which decreased direct material and labor costs while not compromising market offerings.


Risk Management


It seems like an ironic define-the-word-via-the-definition instance, but a lack of rigor in Risk Management feeds the reign of Optimism Bias. Shockingly, 27% of the companies assessed by Kugler Maag Cie in 2018-2020 for Risk Management were unable to demonstrate a systematic approach to the strategy, identification and monitoring of risks. This is despite the fact that companies with a 5% or greater compound annual growth rate (CAGR) are twice as likely to report risk management as key to achieving their strategic goals (40% versus 20%).

Recommendation: Find an expert to help build the strategy around organizational ability. A mediocre plan for this important-but-not-urgent improvement will be risky in and of itself.


This article was originally published by Steve Tengler on July 8, 2021.

