The risk factor section of a 10-K is both the most important and most often skipped section in the filing. It's most important because the SEC requires companies to disclose every material risk that could affect the business — and material risks, fully understood, are what determine whether a company can sustain its earnings and stock price over the long term. It's most often skipped because it has grown into a dense thicket of legalistic language, much of it generic, that many investors have learned to dismiss as lawyer-driven boilerplate.
The professional analyst's skill is distinguishing disclosures that are genuinely informative from those that are standard coverage. That skill is teachable. This guide covers the 12 most common and most consequential risk categories in 10-K filings, what makes each one substantive versus boilerplate, and how to read them efficiently.
- Risk categories 1–4 are company-structure risks — specific to this company's size, concentration, and key dependencies. Read these first for any new investment.
- Categories 5–8 are operational and financial risks. Important for understanding resilience under stress scenarios.
- Categories 9–12 are external environment risks. Often more boilerplate, but new language or specific disclosures here can be highly material.
| # | Risk Category | Where It Appears | Priority |
|---|---|---|---|
| 1 | Going concern / liquidity | Item 1A + Auditor's report | Critical |
| 2 | Customer concentration | Item 1A, Note disclosures | Critical |
| 3 | Key person / management dependence | Item 1A | High |
| 4 | Regulatory and legal / enforcement | Item 1A, Item 3 | High |
| 5 | Cybersecurity and data privacy | Item 1A, Item 1C | High |
| 6 | Competition and pricing pressure | Item 1A | Situational |
| 7 | Supply chain and vendor concentration | Item 1A, MD&A | Situational |
| 8 | Intellectual property and technology | Item 1A | Situational |
| 9 | Macroeconomic and interest rate | Item 1A, MD&A | Situational |
| 10 | International and geopolitical | Item 1A | Situational |
| 11 | Climate and ESG | Item 1A, Item 1C (new 2024) | Situational |
| 12 | Debt, dilution, and capital structure | Item 1A, balance sheet | High |
Category 1: Going Concern and Liquidity Risks (Priority: Critical)
The most consequential risk disclosure in any 10-K is explicit acknowledgment that the company may not be able to fund its operations. Going concern language appears in two places: the auditor's report (where the auditor expresses "substantial doubt") and in management's own risk factor disclosures, where language like "we have incurred net losses since inception and may continue to do so" or "our cash on hand may not be sufficient to fund operations for the next 12 months without additional financing" signals the same concern.
For investors, the key questions on liquidity risk disclosures are:
- Is the company cash-flow positive from operations, or does it depend on external financing to continue?
- What is the runway? "Cash sufficient to fund operations through [date]" tells you exactly how much time the company has before it needs to raise capital or generate revenue.
- Is this language new since the last filing? A first appearance of going concern language is a significantly higher signal than one that has appeared for 3+ years in a development-stage company.
- What is the resolution path? Does management describe specific financing plans, customer contract signings, or operational changes — or is the plan vague?
Category 2: Customer Concentration Risk (Priority: Critical)
Customer concentration is one of the most underestimated structural risks in smaller public companies. SEC rules require companies to disclose in their financial statement notes any customer that represents 10% or more of revenue. Item 1A must include a risk discussion if the loss of any customer would be material to the business.
The disclosure varies in specificity. Some companies name their concentrated customers explicitly: "Amazon accounted for 31% of our revenue in fiscal 2025." Others use anonymized references: "Customer A and Customer B accounted for 22% and 18% of revenue respectively." Either way, when a single customer or small group of customers represents a dominant share of revenue, the company's entire income stream is contingent on the renewal of those contracts.
What to investigate beyond the disclosure:
- Contract duration and renewal terms — is there a long-term contract, or is this a month-to-month or annual relationship?
- The customer's own financial health — a concentrated customer in financial distress could represent a receivables write-off AND a revenue loss simultaneously
- The diversity trajectory — is concentration increasing or decreasing over the last 3 years?
- Whether the concentrated customer is an arm's-length third party or a related party
Category 3: Key Person and Management Dependence Risk (Priority: High)
The key person risk factor discloses that the company's operations, strategy, or customer relationships depend significantly on specific individuals — typically the CEO, a founder, or a handful of senior executives. The risk is straightforward: if those individuals leave, become incapacitated, or are terminated, the company loses the specific expertise, relationships, or institutional knowledge they embodied.
Key person disclosures that deserve serious weight typically contain specific language about: whether the company has key-person life insurance on the individual, whether there is a succession plan, whether specific customer relationships are personal to the executive, or whether the individual holds unique technical expertise that can't be easily replicated.
The SEC's 2020 Human Capital Resources disclosure requirement (Item 1, not 1A) added a companion obligation — companies must now describe their human capital resources, including strategies for retaining key talent. Comparing what a company says in Item 1 about its talent strategy versus what it discloses in Item 1A about key person risk can reveal a meaningful gap between management's self-presentation and its actual structural dependencies.
Category 4: Regulatory, Legal, and Enforcement Risk (Priority: High)
Regulatory risk disclosures split into two types: prospective regulatory risk (laws that could change or new regulations being contemplated) and current regulatory exposure (ongoing investigations, pending litigation, enforcement proceedings). The former is often boilerplate; the latter is always substantive.
Current regulatory exposure is disclosed in both Item 1A and in Item 3 (Legal Proceedings). The Item 3 disclosure is required to be more specific — it must describe any pending legal proceedings that are material, including the nature of the proceeding and potential relief sought. Cross-reading Item 1A risk language against Item 3 specifics reveals when a company is being vague in risk factors about a proceeding that has already been specifically disclosed elsewhere.
SEC investigation disclosures are a particular signal. Companies are required to disclose receipt of SEC subpoenas or formal orders of investigation in 8-Ks under Item 8.01 (Other Events) — though disclosure timing and completeness have been subject to SEC enforcement actions. When Item 1A language about regulatory risk appears alongside 8-K disclosures of SEC inquiries, the combination is a highly concentrated signal requiring investigation before any position is initiated or maintained.
Category 5: Cybersecurity and Data Privacy Risk (Priority: High)
The SEC adopted new cybersecurity disclosure rules effective December 2023 that added Item 1C to the 10-K — a dedicated cybersecurity section requiring companies to describe their risk management processes, board-level governance of cybersecurity risk, and material cybersecurity incidents. This change elevated cybersecurity from a generic risk factor topic to a mandatory, dedicated disclosure item.
In Item 1A, cybersecurity risk factors run from boilerplate ("we face cyber threats that could disrupt operations or expose customer data") to highly specific. The specific disclosures that warrant serious attention are:
- Prior material cybersecurity incidents — any company that has experienced a material breach in the last 2-3 years and discloses ongoing remediation costs, regulatory investigations, or pending litigation from the incident
- Industry-specific regulatory exposure — companies in healthcare (HIPAA), financial services (GLBA, FFIEC), or payment processing (PCI DSS) face cyber breach penalties that are quantitatively larger than those facing general businesses
- Third-party vendor dependency disclosures — companies that explicitly disclose reliance on cloud providers, payment processors, or IT vendors for security, where a vendor breach could cascade into the company's operations
- Nation-state and advanced persistent threat language — has appeared increasingly in filings from defense contractors and critical infrastructure companies; represents a qualitatively different threat profile than commodity ransomware
Category 6: Competition and Pricing Pressure Risk (Priority: Situational)
Competition risk factors are the most generic in most 10-Ks. "We operate in intensely competitive markets with well-capitalized competitors" tells an investor almost nothing specific. The substantive versions name specific competitive dynamics: loss of specific customer accounts to a named competitor, pricing pressure in a specific product category, or a specific technological development (a competitor's new product, an open-source alternative) that threatens the company's revenue model.
When reading competition risk factors, the most useful analytical move is comparing them against the gross margin trend in the financial statements. A company disclosing "increasing pricing pressure" in Item 1A but showing stable or improving gross margins over three years has competition risk, but not one that is currently materializing. A company disclosing the same language alongside gross margins that have declined 400 basis points over two years is disclosing a risk that is actively affecting financial results — that combination is material.
Category 7: Supply Chain and Vendor Concentration Risk (Priority: Situational)
Supply chain risk became a dominant Item 1A category after the 2020-2022 global supply disruptions, and it remains material for manufacturing, retail, and technology hardware companies. The disclosures that matter most are:
- Single-source suppliers: Companies that disclose reliance on one supplier for a critical component with no alternative source are structurally exposed — a supplier financial failure, capacity constraint, or relationship disruption could halt production
- Geographic concentration: Supply chain concentrated in a specific country or region (historically Taiwan for semiconductors, China for manufacturing across many industries) carries both operational and geopolitical risk that is now more extensively disclosed than pre-2020
- Logistics and freight dependencies: Companies that disclose material exposure to ocean freight rates or specific carrier relationships have a cost-of-goods risk that is directly tied to factors outside their control
Category 8: Intellectual Property and Technology Risk (Priority: Situational)
IP risk factors are company-specific and most important in technology, pharmaceutical, and consumer brand businesses. The signals that matter are: pending patent litigation (named adverse parties or specific patent claims in dispute), disclosure that core patents are approaching expiration, or disclosure that the company's core product depends on licensed third-party IP where the license may not be renewable on acceptable terms.
For pharmaceutical companies, patent expiry disclosures are quantitatively the most important item in the entire risk section — the transition from branded to generic competition typically reduces revenue from an affected product by 80-90% within 12 months. The patent expiry dates are usually disclosed directly, giving investors precise timing for when exclusivity ends.
Category 9: Macroeconomic and Interest Rate Risk (Priority: Situational)
Macro risk factors are the most boilerplate category in most 10-Ks. "A downturn in economic conditions could reduce demand for our products" is true of virtually every business and provides no insight specific to this company. The substantive versions are more specific: a quantified sensitivity analysis showing the revenue or cost impact of a 100 basis point change in interest rates, disclosure of exposure to variable-rate debt, or explicit discussion of pricing power in inflationary environments.
Companies with high operating leverage (high fixed costs relative to revenue) are more exposed to macroeconomic downturns than companies with variable cost structures. The risk factor won't usually say this directly — you have to read it in conjunction with the operating leverage visible in the financial statements.
Category 10: International and Geopolitical Risk (Priority: Situational)
For companies with significant international revenue or operations, geopolitical risk disclosures became markedly more specific after 2022. The specific disclosures to track are: direct revenue exposure to countries subject to sanctions or heightened trade restrictions, disclosed exposure to tariff changes on imported components or exported products, and reliance on employees or contractors in countries where labor law changes or political instability could disrupt operations.
Companies operating in China face a particularly complex disclosure environment: the variable interest entity (VIE) structure used by most US-listed Chinese companies means US investors do not hold direct equity in Chinese operating entities, and this structural risk has been disclosed more specifically since the SEC's 2021 guidance. Any China-exposed company should have its VIE structure disclosure read carefully before investment.
Category 11: Climate and ESG Risk (Priority: Situational)
The SEC's climate disclosure rules (adopted March 2024, with legal challenges ongoing) added formal requirements for large accelerated filers to disclose material climate-related risks, governance, and in some cases, Scope 1 and 2 greenhouse gas emissions. Independent of those rules, many companies already disclosed climate risk in Item 1A, and this section has grown substantially in the last five years.
For most investors, climate risk factors are material in specific sectors: utilities (stranded asset risk from coal plants, physical risk from extreme weather events), real estate (physical risk from flood zones, wildfire corridors, and heat stress), insurance (catastrophe exposure), agriculture (crop yield variability), and coastal infrastructure. For most technology and services companies, climate risk factors remain largely boilerplate transition-risk language that has not translated into material financial impacts.
Category 12: Debt, Dilution, and Capital Structure Risk (Priority: High)
Smaller and growth-stage companies frequently disclose risks related to their capital structure: covenant restrictions on existing debt that limit strategic flexibility, the risk of dilution from anticipated future equity raises, or obligations under warrants, convertible notes, or earnout provisions that could significantly increase share count. These disclosures are often in Item 1A but require cross-referencing the financial statement notes for the specific terms.
The most important capital structure risk disclosures are:
- Debt covenant disclosures that require maintenance of specific financial ratios — a company near a covenant threshold has constrained financing options and may face accelerated payment obligations if the covenant is breached
- Convertible note or warrant disclosures — these create potential future dilution that is not reflected in the current share count used in EPS calculations
- Rights offering or shelf registration disclosures — signals that equity issuance is being contemplated; the shelf registration authorizes issuance without specifying timing
- Restricted payments and dividend limitations in existing credit agreements — signals that the company may not be able to return capital to shareholders even if earnings improve
How to Read Risk Factors Efficiently: A Professional Approach
Few experienced analysts read risk factors linearly from start to finish. The professional approach is:
- Compare current vs. prior year first. New or materially expanded risk factors are almost always the highest-signal items. Use a text diff on the two filings (EDGAR provides plain-text versions) or use an AI tool to surface changes. The 30 pages of boilerplate that didn't change last year aren't worth re-reading.
- Look for specificity. Any risk factor that includes a dollar amount, a percentage, a named party, a named product, or a specific date is substantive. Generic language without specifics is coverage — read it once and move on.
- Cross-reference with financial trends. A risk factor disclosing margin pressure is more significant when gross margin has declined; a competition risk factor is more significant when the company has lost market share. The risk factor on its own is a legal disclosure; the risk factor + financial evidence of materialization is an investment signal.
- Read the quantitative disclosures. Item 7A (Quantitative and Qualitative Disclosures About Market Risk) is the companion to risk factor discussions of interest rate, foreign exchange, and commodity price exposure. It contains the specific sensitivities — "$X million impact from a 100 basis point rate increase" — that the risk factor section mentions but doesn't quantify.
- Track the 8-K history alongside Item 1A. Risk factors about "potential investigations" or "regulatory scrutiny" should be checked against the company's 8-K history. If there's a pending formal investigation already disclosed in an 8-K, the risk factor language is describing a current exposure, not a hypothetical one.
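The first two steps of this approach (diff against the prior year, then look for specificity) can be scripted. The following is an added Python example, not code from the original page or from any tool it mentions; the filing excerpts are constructed, and the 0.5 similarity threshold and the marker regexes are assumptions.

```python
import difflib
import re

# Constructed Item 1A excerpts (not from a real filing); one risk factor per paragraph.
PRIOR = """We operate in intensely competitive markets with well-capitalized competitors.

We face cyber threats that could disrupt operations or expose customer data.

A downturn in economic conditions could reduce demand for our products."""

CURRENT = """We operate in intensely competitive markets with well-capitalized competitors.

We face cyber threats that could disrupt operations or expose customer data. In March 2025 we experienced a material cybersecurity incident and have incurred $4.2 million in remediation costs.

A downturn in economic conditions could reduce demand for our products.

Customer A and Customer B accounted for 22% and 18% of revenue respectively in fiscal 2025."""

MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
# Substantive-disclosure markers; named parties need entity recognition, omitted here.
SPECIFICITY = {
    "dollar": re.compile(r"\$\s?\d[\d,.]*"),
    "percent": re.compile(r"\d+(?:\.\d+)?\s?%"),
    "date": re.compile(rf"\b(?:{MONTHS})\s+\d{{4}}\b|\b(?:fiscal|FY)\s?\d{{4}}\b"),
}

def paragraphs(text):
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", text) if p.strip()]

def similarity(a, b):
    """Word-level similarity in [0, 1]; autojunk is off so long paragraphs score sanely."""
    return difflib.SequenceMatcher(None, a.split(), b.split(), autojunk=False).ratio()

def markers(par):
    return sorted(name for name, rx in SPECIFICITY.items() if rx.search(par))

def compare(prior, current, threshold=0.5):
    """Label each current-year paragraph unchanged / changed / new."""
    old = paragraphs(prior)
    report = []
    for par in paragraphs(current):
        score = max((similarity(o, par) for o in old), default=0.0)
        status = "unchanged" if par in old else "changed" if score >= threshold else "new"
        report.append({"status": status, "markers": markers(par), "text": par})
    return report

def review_queue(prior, current):
    """Changed or new paragraphs, most specific first: what to read before anything else."""
    hits = [r for r in compare(prior, current) if r["status"] != "unchanged"]
    return sorted(hits, key=lambda r: -len(r["markers"]))

if __name__ == "__main__":
    for item in review_queue(PRIOR, CURRENT):
        print(item["status"], item["markers"], item["text"][:60])
```

On the constructed input, the boilerplate competition and macro paragraphs drop out, and the expanded cybersecurity paragraph and the new customer-concentration paragraph surface with their date, dollar and percentage markers.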
Further Reading
Risk factors are one section of a complete 10-K analysis. For the full context of where risk factors fit in the overall filing structure, see 10-K vs 10-Q vs 8-K: Which Filing Contains What. For the specific signals that indicate accounting problems rather than operational risks, see Red Flags in SEC Filings: 15 Warning Signs Every Investor Must Know. For a complete walkthrough of reading a 10-K efficiently from start to finish, see How to Analyze a 10-K Filing Fast.