What Experienced Investors Actually Look For in Risk Factors
Most retail investors skip the Risk Factors section of a 10-K. The common reason is that it reads like a lawyer wrote it, which is true, because a lawyer did. Every public company is legally motivated to list as many plausible risks as it can think of, partly to inform investors and partly to make it harder for a shareholder to later sue and claim they were blindsided.
The reaction to that is usually one of two things. You read it carefully and come away terrified of every stock on earth, because every risk section makes it sound like the company could fail any second. Or you skip it entirely and miss the handful of genuinely useful signals buried in there.
Experienced investors do a third thing, which is read selectively and diff against prior years. Here is what they are actually looking for.
Signal 1: specificity
Generic risks are everywhere. "Our business could be adversely affected by an economic downturn" is in every 10-K on the planet. It tells you nothing.
Specific risks are different. "Our lease on the Austin manufacturing facility, which produced 34 percent of our North American output in 2025, expires in December 2026 and has not yet been renewed on satisfactory terms" is a real thing a human wrote about a real situation. When you find a risk factor written at that level of specificity, it is almost always worth paying attention to, because it means the company decided the risk was specific enough to warrant concrete language.
Specificity is a signal that a risk is current, not hypothetical.
Signal 2: what's new this year
This is the most useful exercise and the one almost no one does.
Pull up last year's 10-K alongside this year's. Compare the list of risk factor headings. Three things can happen:
- A risk that appeared last year is gone. The company considers it no longer material. Sometimes that is a legitimate resolution (a lawsuit settled, a regulation clarified). Sometimes it just means the company got tired of disclosing it.
- A risk is the same but the language changed. Small edits can matter. "We believe our current supply chain is resilient" softening to "we are working to improve supply chain resilience" is the kind of change professionals notice.
- A risk is brand new. This is where you spend your time. New risk factors reflect what management started worrying about in the past twelve months.
If the same company added three new risks this year about customer concentration, cyber security, and regulatory scrutiny, you have learned a lot about what is actually on management's mind.
Signal 3: the order
Most 10-Ks put risks in rough order of importance, with the most material ones first. This is not a rule, and companies shuffle the order from year to year. But when a risk jumps from the middle of the list to the top, that is often a deliberate signal.
Likewise, pay attention to the first three or four risks in the section. Companies get the order reviewed by legal and management. The first few are usually the ones they think a reasonable investor would most want to know.
Signal 4: customer concentration
A lot of mid-cap companies have risks that look like "a significant portion of our revenue is derived from a small number of customers." Then, in the MD&A or footnotes, you find that one customer is 27 percent of revenue.
Customer concentration is not automatically bad. Some excellent businesses have concentrated customers (Apple's suppliers, defense contractors with the US government, certain specialized industrial companies). But a company whose top three customers are 60 percent of revenue has a different risk profile than one whose top three are 8 percent. The 10-K tells you when that matters.
Signal 5: regulatory language
Pay attention to risks phrased around specific pending regulations or investigations.
"We are currently subject to an investigation by the [specific agency] regarding [specific practice]" is in a different category from "changes in regulation could affect our business." The former is a current fact. The latter is boilerplate.
Some sectors (financials, pharma, biotech, crypto-adjacent firms) are so regulation-sensitive that reading this sub-section is arguably the most important part of their entire 10-K.
Signal 6: what management doesn't want to call a risk
This one is harder to spot, and the skill comes with reading practice. Sometimes the 10-K lists a risk in careful language that avoids committing to any specific fact. "We compete in a dynamic environment" is avoiding the word "intense." "Our gross margins may fluctuate" is avoiding the phrase "margins compressed last year and may continue to."
When you read enough 10-Ks, you start noticing where companies are declining to be specific. Compare that with the MD&A, which is where they have to discuss what actually happened. The gap between those two sections is usually instructive.
What to actually do
A practical routine that takes maybe fifteen minutes:
- Pull up the current 10-K's Risk Factors section.
- Pull up the prior year's.
- Compare headings. Flag new risks, removed risks, and materially rewritten risks.
- Read the top four or five risks in full. Skim the rest.
- Note any risk that is unusually specific (a named customer, a named facility, a named regulation, a named case).
- Write down the three risks that seem most real to you, in your own words.
You will be better informed than 95 percent of the people who own the stock.
What EarningsLens surfaces automatically
One of the things the AI summary on EarningsLens is actually good at is this kind of diff. It reads both filings, highlights additions and deletions in the risk factors, and gives you a readable summary of what changed. That said, even with a good summary, it is worth opening the filing yourself once you see a flagged risk. The quote in context usually tells you more than a summary of it.
One caveat: AI tends to be generous about what counts as a "material change." Some of what gets flagged will be minor rewording. You still have to exercise judgment. But as a way to go from 80 pages of risk factors to a list of fifteen things worth looking at, it saves a lot of time.