Updating risk factors in 2023: Key risks and developments
Recent economic, social, and political developments may require updating of the risk factors disclosed in a registrant’s 2022 Annual Report on Form 10-K.
When updating risk factors, registrants should assess material risks to the company and its business which may include, among others, risks related to the economy, climate change, human capital, the Russia-Ukraine conflict, increasing cybersecurity threats, and the unpredictability surrounding artificial intelligence. These risks should not be considered in a vacuum, as they are developments that may impact a registrant’s discussion of its business and its Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A).
Many financial analysts and large banks are forecasting a recession in 2023, citing concerns about the potential for inflation, rising interest rates, and a slowdown in global growth. The Federal Reserve is also expected to shift its monetary policy in 2023, with plans to start tapering its bond purchases and continuing increases to interest rates. Given these predictions, many companies have supplemented their risk factors to include specific language related to inflationary and general global economic downturn concerns. These discussions are occasionally combined with risks related to the COVID-19 pandemic, rising interest rates, the Russia-Ukraine conflict and supply chain disruptions.
A recession or slowed economic conditions could lead to decreased consumer spending and lower profits, while rising interest rates could increase borrowing costs and make it more difficult for companies to access capital. Inflation may also present a significant risk for companies, as it can lead to increased costs and reduced purchasing power for consumers.
In addition, as a result of a slowing economy and long-term effects of pandemic shutdowns, companies across a wide range of industries have been affected by supply chain disruptions. The pandemic and global geopolitical factors have led to shortages of raw materials, components, and other inputs, making it difficult to maintain production levels and meet customer demand.
Finally, some companies, particularly in the technology sector, have experienced historic layoffs, which may present litigation risks, reduced employee engagement, risk from increased labor market competition and trade secret and intellectual property theft.
When drafting disclosures, registrants should consider these potential risks and review the steps the company is taking to prepare for a potential recession, including by diversifying their revenue streams, reducing debt, and strengthening their balance sheets. They should also consider the potential impact of rising interest rates on their borrowing costs and may consider hedging strategies to mitigate these risks. Additionally, registrants should consider the potential impact of inflation and supply chain disruptions on their business, which could increase costs and disrupt operations, and draft appropriate disclosures and risk factors accordingly.
Physical and transitional risks of climate change
Climate change is a rapidly growing concern for public companies, and the Securities and Exchange Commission (SEC) has proposed climate change disclosures to help investors better understand climate transition risks and risks associated with the physical impacts of climate change. The proposed rules would require companies to disclose information on a diverse range of topics related to climate change, including:
- Physical risks: Registrants would be required to disclose the physical risks they face from extreme weather events, including severe storms, drought, wildfires, and flooding.
- Transition risks: Registrants would be required to provide disclosures on transition risks related to the shift into a low-carbon economy and the associated costs of retrofitting facilities with green technology, in addition to investments in renewable energy and energy efficiency.
- Greenhouse gas emissions: Registrants would be required to disclose their total emissions of greenhouse gas and their emission intensity (emissions per unit of revenue).
- Governance: The SEC is increasingly interested in Environmental, Social, and Governance (ESG) reporting, and the proposed rules would require registrants to disclose information about their governance practices related to climate change, including the responsibilities of the board of directors in overseeing climate change risks and opportunities (and the metrics used to evaluate such risks and opportunities).
In addition to the rules proposed by the SEC, the Corporate Sustainability Reporting Directive adopted by the European Parliament in 2022 will require companies to prepare more robust sustainability reporting, detailing how sustainability issues such as climate change and human rights impact the business and how the company’s operations in turn affect people and the planet. These new disclosures, along with the evolving global ESG regulatory landscape, may present increased compliance costs, regulatory or enforcement risks as well as increased competition from market participants who have adopted more robust ESG reporting and sustainable business practices.
While the climate rules proposed by the SEC have not yet been adopted, adoption is rumored to occur in the coming months. The SEC has been scrutinizing climate-related disclosures by registrants, and, in September 2021, issued a sample comment letter to public companies regarding climate change, which solicits additional risk factors related to transition risks and litigation risks. Registrants should therefore be mindful of the SEC’s attention to climate-related disclosures and begin taking steps to prepare for new SEC requirements by assessing their climate-related risks, opportunities, and governance procedures.
Human capital issues
As we will discuss more in an upcoming DLA Piper alert on human capital disclosures, human capital is a critical factor for the success of any company. The COVID-19 pandemic brought new challenges for companies in terms of managing their workforce and continues to impact day-to-day operations. The “work from home” concept which resulted from the pandemic has led to increased risks related to employee engagement, retention, and productivity.
The shift to remote work has resulted in a number of challenges for companies, including the potential for decreased employee engagement, isolation, and burnout. Additionally, the pandemic led to an increase in the number of employees quitting their jobs, a phenomenon referred to as the Great Resignation, or declining to work overtime or go above and beyond at work, a phenomenon sometimes referred to as quiet quitting. The reasons behind these trends are varied, but include, among other factors, the entry of Generation Z into the workforce, corporate cultures that lack work-life balance, increased mental health issues among the workforce, and a desire by many employees for a change of career or lifestyle influenced by a year or more working from home.
Overall, registrants should continue to evaluate the challenges and risks associated with managing a modern workforce in 2023. While many challenges of the pandemic are behind us, companies should consider what risk factors remain appropriate and material to the company today. Specifically, companies should consider addressing the risks of decreased employee engagement, retention, productivity, and increased mental health issues among employees, in addition to more conventional human capital risks, such as risks related to workforce harassment or labor disputes.
Registrants should also consider the risks associated with social media, including the potential for employees to share sensitive information on social media platforms or engage in behavior that may reflect poorly on the company. While social media activity by employees may provide benefits like increased brand awareness, even positive social media posts have the potential to create controversy, as seen in the criticism from investors and the general public of leisurely “day in the life” TikTok videos posted by younger, social media-savvy technology sector employees. Registrants should consider whether employee social media activity could present a material risk to the company and, if so, consider addressing these risks in the company’s risk factors.
Finally, as we mention in “Economic Risks” above, some companies, particularly in the technology sector, have experienced historic layoffs, which may present unique threats like increased litigation risks, reduced employee engagement, risk from increased labor market competition and trade secret and intellectual property theft.
The Russia-Ukraine conflict presents a significant geopolitical risk for registrants. The conflict has disrupted business operations and supply chains and has created regulatory and reputational risks for many registrants. Additionally, in December 2022, the SEC issued a sample comment letter to public companies regarding Russia's invasion of Ukraine and related supply chain issues, which solicits additional risk factors related to the Russia-Ukraine conflict, in particular, those related to cybersecurity. Registrants should therefore be mindful that the SEC will be scrutinizing these disclosures.
A chief concern for registrants is the potential disruption to supply chains, due to the imposition of sanctions on Russia. These sanctions may impact the ability of companies to do business with Russian companies or access Russian products. The ongoing conflict could lead to increased sanctions, trade barriers, and other restrictions on business activities that may affect supply chains and make it more difficult for companies to access key markets. When drafting risk factors, registrants should consider whether these sanctions have had or may have an impact on their business operations.
Another concern is the potential for reputational risks as a result of the conflict, as companies may be perceived as supporting one side or the other, or as being complicit in human rights abuses or corruption. When drafting their risk factors, registrants should consider the potential impact of these risks and the steps being taken to mitigate them, such as conducting due diligence on their business partners, diversifying supply chains, and implementing robust compliance and anti-corruption policies.
Disclosures regarding cybersecurity are an increasing concern for the SEC as the business landscape becomes more automated and technologically driven. In 2022 the SEC proposed new cybersecurity disclosure and governance rules to help investors understand cyber-related risks. The proposed rules would require disclosures on a range of topics related to cybersecurity, including:
- Supply chain security risks: The SEC would require disclosures concerning the risks associated with any of the registrant’s third-party vendors and any measures in place to account for these risks.
- Cybersecurity risk management and mitigation: Registrants would be required to disclose information about any practices in place to manage and mitigate risk, including any insurance policies, incident response procedures and personnel, technical controls, and any governance practices related to cybersecurity.
- Cybersecurity incidents: Registrants would be required to disclose information about cybersecurity incidents they have faced, including the nature of the incident, the impact on the company, and any measures taken to address the incident.
Registrants should consider their current cybersecurity risks and the procedures currently in place to mitigate them, and should consider bolstering their risk factors and taking further steps to prepare for the SEC’s proposed rule changes. Registrants who believe that their cybersecurity risk factors require updates should consider comparing their existing disclosures and disclosure controls and procedures against the SEC’s 2018 and 2011 cybersecurity disclosure guidance. As the SEC noted in its 2018 guidance, “it would be helpful for companies to consider the following issues, among others, in evaluating cybersecurity risk factor disclosure:
- the occurrence of prior cybersecurity incidents, including their severity and frequency
- the probability of the occurrence and potential magnitude of cybersecurity incidents
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers
- the potential for reputational harm
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.”
Artificial intelligence (AI) is a rapidly growing technology with the potential to transform many industries, but it also poses significant risks for registrants. The unpredictability of AI systems and the potential for unintended consequences is a major concern, as it could lead to unexpected disruptions in business operations, financial losses, and reputational damage.
Most significantly, AI has the potential to rapidly disrupt established industries, business models and practices. Notwithstanding the powerful potential of this new technology, a recent study by DLA Piper Corporate Data Analytics found that in the late 2021 and early 2022 reporting season, only 71 companies referenced risks related to the use of AI in their Forms 10-K, 10-Q and registration statements. Approximately 36 percent of the disclosures were made by small cap issuers, 34 percent by medium-cap issuers and 30 percent by large cap issuers. Of the companies disclosing AI-related risk factors, 74 percent were in the technology sector, 11 percent were in the financial services sector, 10 percent were in the insurance sector, 3 percent were in the health sector and 1 percent were in the industrials sector. We expect to see more companies address risks related to AI as the technology becomes more mainstream.
Additionally, companies that integrate AI into their operations should consider including risks associated with AI in their risk factors. One of the major risks associated with AI is the potential for bias in the data used to train AI systems. If the data used to train an AI system is biased, the resulting model may make inaccurate or unfair decisions, leading to negative consequences for customers, employees, or other stakeholders.
This is of particular importance for registrants that operate in regulated industries such as finance, healthcare and transportation, where the use of biased models could lead to regulatory fines and legal action. Registrants in the finance, healthcare and transportation sectors should consider their existing risk factors and the impact of AI on the operations of their business. Another risk associated with AI is the potential for unintended consequences from the use of AI systems. This could include accidents or mishaps caused by autonomous vehicles or drones, or negative impacts on employment as AI systems automate certain tasks.
AI has the potential to revolutionize the business landscape, but registrants should consider and account for the risks associated with this technology and the steps that the company is taking to mitigate them, such as by implementing robust governance and risk management processes for AI systems, and regularly testing and monitoring the performance of AI models to address any issues.
Hypotheticals and final thoughts
When updating risk factors, registrants should review hypothetical and forward-looking language closely and consider if the “hypothetical” risk has been realized and is no longer a potential risk or contingency, such as language that cyberattacks “may” occur when the company has experienced, or regularly experiences, cyberattacks. The SEC has recently pursued enforcement actions against companies that included hypothetical risk factor language when an event had actually occurred and was no longer hypothetical, arguing that this language was misleading to investors.
In addition to scrutinizing hypothetical risk factors and the risks discussed above, registrants should consider and account for other risks relevant to industry-specific issues. In particular, registrants should consider whether recent regulatory developments and legislation, or proposed legislation, present new material risks to the business. See our alert discussing recent regulatory developments that may impact a registrant’s public filings. When reviewing these topics, registrants should ensure that disclosures are tailored to the registrant’s circumstances and address the registrant’s specific material risks.
If a company has analyzed an important risk or a risk bearing on a topic of SEC scrutiny (such as risks associated with climate change and climate transition) and determined that the risk is not material to the business, disclosure teams should consider documenting the company’s materiality analysis, as the SEC has pushed issuers on materiality in recent comment letters.
By considering these key issues, registrants can better inform investors and protect themselves from regulatory scrutiny.