Item 1A: Risk factors — boilerplate vs real risk
Item 1A (Risk Factors) is a graveyard of clichés. Every 10-K contains dozens or hundreds of risk factors, many of which are identical across companies: "We face significant competition," "We depend on key personnel," "We may not successfully execute our strategy," "Regulatory changes could adversely affect our business." This boilerplate is SEC-mandated—companies must disclose risks—but the sheer volume of generic language can obscure the actual threats to the business. Reading Item 1A is an exercise in signal extraction: sorting through pages of mandatory disclosure to find the risks that are unique to this company and actually material. The risks that are new this year, the ones management didn't mention last year but are disclosing now. Those are the risks that matter.
Quick definition: Item 1A (Risk Factors) is the mandatory SEC section where companies disclose all material risks to their business, financial condition, and stock price. It contains both boilerplate (risks nearly all companies face) and company-specific risks. A skilled reader can sort through the boilerplate to identify emerging threats that could reshape the investment thesis.
Key takeaways
- Item 1A is mandatory; every 10-K has it. But 50–80% is boilerplate that applies to most companies in the industry.
- The valuable risks are the new ones (appearing this year but not last year), the specific ones (unique to this company), and the material ones (could significantly impact stock price).
- Risk factors are not ranked by severity; they are typically listed in no particular order (though some companies group them by category).
- A company that discloses a risk factor is not admitting a material weakness—it's acknowledging a potential threat. Disclosure is legally required and doesn't mean the risk is imminent.
- Changes in risk factors year-over-year are more valuable than the list itself. A company that newly discloses "customer concentration with our largest customer" or "cybersecurity vulnerabilities" is signaling an emerging problem.
- Real risks often appear first in Item 1A before they appear in MD&A or financials. Reading Item 1A can give you early warning of problems.
- Common red flags: (1) A risk factor that describes a recently announced regulatory investigation, (2) A new risk related to a major customer (they may be threatening to leave), (3) A risk about supply chain or manufacturing (production disruption), (4) A risk about litigation or legal proceedings.
Why companies disclose risks
The SEC requires Item 1A as part of the disclosure regime. Companies must tell investors about material risks. "Material" means a risk that could significantly affect the company's financial condition, operations, or stock price.
But companies also have an incentive to over-disclose risks. Why? Because if a company doesn't disclose a risk that later materializes, shareholders can sue for fraud or omission. The company (and the executives who signed the 10-K) could face legal liability. So companies err on the side of disclosure, listing risks that are unlikely but possible.
This incentive explains why Item 1A contains so much boilerplate. A company would rather list a generic risk ("We face competition") than risk a lawsuit by omitting a specific competitive threat that later emerges.
Structure and organization
Item 1A typically contains 20–100+ risk factors, depending on company complexity. Some companies organize them by category (Business Risks, Financial Risks, Operational Risks, Regulatory Risks, etc.). Others list them in loose priority order (most material first). Many just list them randomly.
Each risk factor is a brief paragraph or two (100–500 words) describing the risk and its potential impact. The tone is formal and cautious: "If [risk event] occurs, it could [adverse consequence]."
Example risk factor: "If we fail to successfully develop and commercialize new products in a timely manner, our revenue growth and market share could decline. Product development requires significant R&D investment, management attention, and technical talent. If we cannot attract and retain engineering talent or if our R&D efforts do not yield successful products, we may lose market share to competitors with more successful product pipelines."
This is boilerplate. Nearly every software or hardware company discloses this.
Real risk factor (hypothetical): "In 2023, we began manufacturing key components at a sole facility in Taiwan. In the event of political instability, trade restrictions, or natural disaster affecting Taiwan, our manufacturing could be disrupted, and we could incur significant costs to relocate production. We do not have adequate insurance to cover such disruption."
This is specific, material, and actionable. It describes a real vulnerability unique to the company's supply chain.
Sorting boilerplate from real risk
Here's how to distinguish boilerplate from material, specific risks:
Boilerplate risks
- Generic competition: "We face intense competition." Every company discloses this; it's usually not actionable.
- Generic economic risk: "Economic downturns could reduce customer demand." True, but true for all companies.
- Generic talent risk: "We depend on key personnel; if they leave, we may struggle to replace them." Common and typically well-managed.
- Generic technology risk: "Rapid technological change could make our products obsolete." True but not specific.
- Generic regulatory risk: "Changes in regulations could increase costs." Yes, but which regulations? For which business?
These risks are disclosed because the law requires it and because litigation risk is real. But they tell you little about what management actually worries about.
Real, specific risks
- Named customer concentration: "Customer A represents 18% of revenue; loss of this customer would materially impact revenue." Specific and quantified.
- Disclosed investigation or litigation: "We are under investigation by the FTC regarding marketing practices; if the investigation concludes with a finding of wrongdoing, we could face fines, injunctions, or reputational damage." Real, material, with tangible consequences.
- Supply chain vulnerability: "We source 40% of materials from suppliers in Region X; geopolitical tensions or tariffs could increase costs by 10–15% annually." Specific, quantifiable, and material.
- Product concentration: "Our flagship product accounts for 65% of revenue; if demand for this product declines, revenue could fall significantly." Real concentration risk.
- New regulatory environment: "Recently enacted regulations require us to restructure our business model by 2026; failure to comply could result in penalties or operating restrictions." New, material, with a specific deadline.
- Cybersecurity breach: "We operate in an industry targeted by sophisticated cyberattacks; a significant breach could result in data loss, customer churn, and reputational damage." Specific to the industry and the company's exposure.
These risks are material because they are specific, quantifiable, and could meaningfully impact the business.
Year-over-year risk factor changes: the real signal
The most valuable insight from Item 1A comes from comparing risk factors across years. If a risk is disclosed in the 2023 10-K but was not disclosed in the 2022 10-K, something has changed. Either:
- The company newly identified a risk that wasn't previously apparent.
- The company is newly facing a risk (e.g., a new competitor entered, a regulatory change was enacted).
- Management believes the risk has become material enough to disclose.
All three scenarios are signals worth investigating.
Example: If a company's 2022 10-K doesn't mention "customer concentration with Customer A" but the 2023 10-K does, one of the following has happened:
- Customer A has recently become a major customer (growth signal).
- Customer A's share of revenue has crossed the materiality threshold.
- Management believes Customer A has become a flight risk.
- Customer A has notified management it may reduce orders or terminate the relationship.
Any of these is material. A new risk disclosure is worth investigating.
Similarly, if a risk factor disappears from the 10-K year-over-year, that signals the risk has subsided. For example, if "We are under investigation by [regulator]" appeared in 2022 but not 2023, the investigation likely resolved or was dismissed.
Real-world examples
Apple's disclosed risks (2023 10-K)
Apple discloses standard risks (competition, technology change, supplier concentration) but also real, material risks:
- Geographic concentration: Apple notes that "significant revenue is generated in China and from sales of products manufactured in China," creating exposure to geopolitical tensions, tariffs, and supply disruption. This is material and specific.
- Product concentration: The 10-K discloses that iPhone represents a significant portion of revenue. Decline in iPhone demand would materially impact revenue. Specific and material.
- Supply chain: Apple notes that it sources key components from limited suppliers and is exposed to disruptions in Taiwan and other regions. Given geopolitical tensions, this is material and actionable.
- Regulatory: Apple discloses risks from App Store regulation (specifically, the DMA in Europe and app review policies), which could impact Services revenue. New and material.
Volkswagen's disclosed risks (2023 Form 20-F, non-U.S. filer)
Volkswagen's risk disclosures include:
- Semiconductor shortage: Ongoing supply chain vulnerability for advanced chips used in EVs. Specific and material to the EV transition.
- EV transition costs: The cost and timeline of transitioning from combustion engines to electric. This is existential to the business and highly material.
- Regulatory: Tightening emissions standards globally and potential regulatory penalties. Material.
- Competition from Tesla and Chinese EV makers: Specific, material, and a competitive threat.
What's missing from risk disclosures (Wirecard, 2016–2019)
Wirecard, a German payments company that committed one of the largest accounting frauds of the 2010s, disclosed standard risks in its 10-K but did not disclose:
- That its cash balances were fictitious (hidden through offshore accounts).
- That a major customer and revenue stream didn't exist.
- That management was involved in a Ponzi scheme.
Why? Because these were frauds, not legitimate risks. Management was hiding them, not disclosing them. This is an important caveat: Item 1A shows the risks management knows about and acknowledges. It does not show the risks management is hiding or unaware of. Frauds, by definition, are not disclosed in risk factors.
But Wirecard's risk disclosures were suspiciously generic. They read like boilerplate without specific operational or competitive risks. This, combined with red flags in cash flow (see: Chapter 13 on red flags), was a warning sign.
Common mistake: treating all risks as equally material
Companies list 50–100 risk factors. If you treat them as equally important, you'll be paralyzed by the volume. Instead, prioritize:
- Newly disclosed risks. If it's new, something changed.
- Specific, quantified risks. "We depend on Customer A, which represents 20% of revenue" is more actionable than "We depend on customers."
- Risks with material financial impact. "A 10% increase in raw material costs would reduce gross margin by 3 percentage points" is more material than "We face inflationary pressure."
- Risks with near-term deadlines. "Compliance with new regulation X is required by 2026" is more urgent than "Future regulatory change could affect us."
- Risks affecting the competitive moat. "Patent expiration in 2025 could enable generic competition" is more material than "We face competition."
Distinguishing between acknowledged and hidden risks
A risk disclosed in Item 1A is an acknowledged risk—management knows about it and has decided it's material enough to disclose. This is helpful but doesn't mean the risk is imminent or fully understood by management. Management may be underestimating the impact.
A risk not disclosed may be:
- Not yet recognized by management. Management is unaware or underestimating the threat.
- Considered immaterial by management. Management believes the risk is small and does not warrant disclosure.
- Being hidden by management. Fraud or intentional omission (rare for large public companies with auditor scrutiny).
As an investor, your job is to identify risks management has missed or underestimated. This requires reading Item 1A carefully but also reading between the lines. If Item 1A is silent on a competitive threat that seems obvious (e.g., no mention of a new entrant in the market), that silence is itself a signal.
Common mistakes when reading Item 1A
Mistake 1: Skipping Item 1A entirely. Risk factors are valuable. Many investors skip them because they're long and often boilerplate. But new or worsening risks can shift your investment thesis significantly.
Mistake 2: Treating all risks as equally important. Not all risk factors are equally material. Prioritize new risks, specific risks, and risks with material financial impact. Skim generic risks.
Mistake 3: Not comparing year-over-year. The most valuable insight from Item 1A is identifying risks that are newly disclosed or have worsened. Compare this year's 10-K to last year's to spot changes.
Mistake 4: Assuming disclosure implies materiality. A company that discloses a risk is not admitting the risk is material. The company is acknowledging the risk exists. You need to assess whether it's material to the investment case.
Mistake 5: Missing the absence of disclosure. If a risk seems obvious (e.g., for a healthcare company dependent on a single drug, the risk of patent expiration) but is not explicitly disclosed, that omission is noteworthy. It suggests either management is not thinking about the risk or is downplaying it.
Mistake 6: Misinterpreting legal/compliance risks. A company under regulatory investigation or facing litigation discloses it in Item 1A. But disclosure doesn't mean guilt or material liability. Validate against Item 3 (Legal Proceedings) and MD&A to assess actual exposure and likelihood of material impact.
FAQ
Q: If a company lists 50 risk factors, how do I know which ones matter? A: Prioritize new risks, specific risks with quantified impact, and risks with material financial consequences. Skim generic risks. Then cross-check material risks against MD&A and the financial statements to see if the risk has manifested in recent results.
Q: If a company doesn't disclose a risk I think is important, does that mean the company doesn't see it as a threat? A: Not necessarily. Management may not have identified the risk, may underestimate it, or may be intentionally omitting it (though the last is unlikely for large public companies with external auditors). Your job as an investor is to think critically about risks management may have missed.
Q: Are risk factors ranked by severity or importance? A: No. Risk factors are typically listed in no particular order. Some companies group them by category (Operational Risks, Financial Risks, etc.), but within categories, there's no ranking. The fact that a risk is listed first doesn't mean it's most material; the fact that it's listed last doesn't mean it's least material.
Q: Can a company legally omit a material risk? A: No. Material risks must be disclosed. If a risk is material and the company omits it, shareholders can sue, and the SEC can pursue enforcement. But "material" is subjective, and companies and auditors disagree on what qualifies. Generally, if a risk could reasonably affect investment decisions, it should be disclosed.
Q: What is the difference between Item 1A (Risk Factors) and Item 1 (Business description)? A: Item 1 describes what the company does and its business model. Item 1A describes what could go wrong. Item 1 is about the business; Item 1A is about the threats to the business.
Q: If a company removes a risk factor year-over-year, does that mean the risk has been eliminated? A: Usually, yes. If a company disclosed "We are under investigation by [agency]" in 2022 but not 2023, the investigation likely resolved. But verify by reading MD&A or checking news. Sometimes a company simply omits a risk because it's become low-priority, not because it's resolved.
Q: How specific should a risk factor be? A: Specific enough to be actionable and material. Ideally, a risk factor quantifies the impact (e.g., "would reduce revenue by 15%") and identifies the trigger (e.g., "if this customer leaves"). Generic risks ("We face competition") are boilerplate; material risks are specific.
Q: Should I worry if a company lists "cybersecurity risk"? A: Every company in the digital age has cybersecurity risk. If the company has disclosed a specific cybersecurity threat or has experienced a breach, that's material. If it's a generic cybersecurity risk factor (boilerplate for tech/financial companies), it's less actionable. But read Item 1B (Unresolved SEC Staff Comments) and MD&A for any disclosed breaches or regulatory actions.
Related concepts
Material risk: A risk that could reasonably affect an investor's decision or the company's financial condition.
Boilerplate disclosure: Standard, generic language that applies to many companies and is included primarily for legal protection.
New risk factors: Risks disclosed in a 10-K for the first time, signaling an emerging or newly material threat.
Competitive threat: A specific competitor or type of competition that poses a material risk to market share or profitability.
Regulatory risk: The risk that changes in law, regulation, or regulatory enforcement could adversely affect the business.
Concentration risk: The risk that dependence on a limited set of customers, suppliers, products, or markets could materially impact the business if one or more is lost.
Summary
Item 1A (Risk Factors) is mandatory disclosure, but it's mixed with boilerplate. The skill is separating real, material risks from generic risks that apply to all companies. New risks (disclosed this year but not last) are especially valuable—they signal changes in the business environment or management's concerns. Comparing Item 1A across years reveals shifts in risk profile that can reshape investment thesis. While Item 1A shows acknowledged risks, it does not show hidden or unrecognized risks. That's where your critical reading of Item 1 (Business), the financials, and external research comes in. A 10-K reader who invests 30 minutes in Item 1A—especially in tracking year-over-year changes—gains early warning of problems that might not appear in financial metrics until quarters later.