Research & Insights
Frameworks

How to Read 10-K Risk Factors: Spotting New Disclosures vs. Boilerplate

By Jeremy Browder · Senior Equity Research EditorUpdated ~4 min read
10-KSEC FilingsDue Diligence

The risk factors section of a 10-K is the most-skipped useful document in equity research. It's long, hedged, and 90% recycled. But the 10% that's new — the freshly added paragraph, the quietly deleted sentence, the reordered bullet — is where management is telling you what's actually changed about the business. Here's how to extract it efficiently.

Why Most 10-K Risk Factors Are Boilerplate

Risk factors exist primarily for legal defense. If something bad happens and shareholders sue, the company wants to point to page 14 of the 10-K and say: we warned you. That incentive structure produces two predictable outputs:

  1. Sticky, comprehensive language that gets copied forward year after year so nothing important is ever omitted.
  2. Defensive vagueness — "adverse economic conditions," "cybersecurity incidents," "changes in consumer preferences" — that covers every conceivable bad outcome.

Reading the section linearly, front to back, is therefore mostly a waste of time. A consumer-staples 10-K will warn you about commodity prices, FX, and shifting tastes; a software 10-K will warn you about competition, talent, and cyber. You already knew that.

The signal lives in what changed year over year. Companies and their counsel are reluctant to add or subtract language without a reason, because every edit creates legal exposure either way. So edits are deliberate. Your job is to find them.

The Year-Over-Year Diff: Your Highest-ROI Move

The single most productive thing you can do with a 10-K's risk factors is run a redline against the prior year. There are a few ways to do this:

  • Free/manual: Pull both 10-Ks from EDGAR, paste each risk factors section into a diff tool (Draftable, DiffChecker, or even Word's Compare Documents).
  • Paid platforms: Bloomberg, AlphaSense, and Bamsec all surface YoY filing diffs natively.
  • AI tools: Several research copilots now do this automatically, though always spot-check.

What you're looking for falls into four buckets:

1. Net-new risk factors. A brand-new headline risk is the loudest signal in the document. When a company adds an entirely new section — say, on a specific regulatory regime, a new customer concentration, or a litigation matter — they've decided the risk crossed a threshold of materiality. Worth a deep read.

2. Materially expanded language. If a paragraph went from four sentences to twelve, something changed. Common triggers: a new product line, an acquisition, a geographic expansion, or a recent incident that lawyers want to acknowledge.

3. Deleted or shrunk language. Less obvious but often informative. A company that removes references to a specific competitor, business line, or geography is signaling that exposure has been wound down or divested. Various U.S. companies have revised their 10-Ks to reflect geopolitical shifts and strategic retrenchments.

4. Reordering. The SEC requires risk factors to be ordered by importance. When a risk moves from page 30 to page 12, management is telling you the relative weight of their concerns has shifted. Most readers miss this entirely.

What Actually Counts as a New Risk Factor

Not every edit matters. Filter aggressively:

  • Ignore cosmetic edits. Replacing "may" with "could," or splitting one paragraph into two, is usually counsel cleaning up. No signal.
  • Ignore macro updates everyone made. When interest rates shift significantly, every company adds language on interest expense. When generative AI arrived, every company added an AI section. Sector-wide additions tell you about the zeitgeist, not the company.
  • Focus on idiosyncratic additions. If a single semiconductor company adds a paragraph on inventory obsolescence while peers don't, that's a tell. If a single bank adds language on commercial real estate exposure that peers omit, also a tell.
  • Cross-reference with the MD&A. New risk factors that aren't reflected anywhere in Management's Discussion & Analysis are sometimes pure legal CYA. New risk factors that do show up in MD&A or the earnings call are real.

A useful mental model: risk factors are a confession, but a hedged one. The MD&A is where you confirm whether the confession is currently affecting the P&L.

Patterns Worth Memorizing

A few recurring patterns earn their keep across many filings:

  • Customer concentration creep. Language quietly moving from "no single customer represents more than 10% of revenue" to naming a specific customer — or to disclosing two or three — is a flag for revenue fragility. Common in suppliers to hyperscalers and EV makers.
  • Litigation specificity. Generic "we are subject to legal proceedings" becoming "we are defendants in a matter relating to [X]" means the company's lawyers now believe the case is reasonably likely to be material.
  • Going-concern adjacent language. Phrases about "our ability to continue funding operations," "compliance with debt covenants," or "access to capital markets" appearing in risk factors for the first time should immediately send you to the cash flow statement and the debt footnotes.
  • Regulatory naming. Risk factors that move from "applicable regulations" to naming specific agencies (FTC, DOJ, CFPB, state AGs) or specific rules usually mean active inquiries, not theoretical ones.

What to Watch Next

  • Build a diff workflow. Before reading any new 10-K, run a YoY redline of the risk factors section. Two minutes of setup saves you an hour and finds more signal.
  • Triangulate with the proxy and the earnings call. New risk factors often correspond to new compensation metrics, new board committees, or new analyst questions. If three documents are pointing at the same thing, it's real.
  • Track risk-factor reordering across multi-year windows. The risks that drift toward the top of the list across two or three filings are the ones management is actively trying to manage — and the ones most likely to show up in guidance.
  • Don't read risk factors as predictions. They are disclosures, not forecasts. The job is to identify what management now feels obligated to warn about — then decide for yourself whether the market has priced it.

Related research

FrameworksMay 25, 2026
Reading Form 4 Filings: Which Insider Buys Predict Returns

Not all insider buys are signal. Here's how to separate informed open-market purchases from option exercises, 10b5-1 noise, and reflexive CEO PR buys.

FrameworksMay 25, 2026
Segment Reporting Changes: What Management Is Hiding

When a company restructures its segment reporting, it's rarely cosmetic. Here's a framework for spotting what's being buried — and what to do about it.

FrameworksMay 25, 2026
When to Trim a Winner: A Three-Lens Framework

Trimming a winner is harder than buying one. Here's how to separate thesis decay, valuation stretch, and position-size risk — and act on the right one.