During Northwestern’s “Securities Regulation Institute,” there was an interesting discussion about whether AI tools supplant the need for the summary of risk factors placed in SEC filings because investors can easily summarize the risk factors using an AI tool. This also made me consider a slightly different question – one that may be relevant as the SEC considers taking aim at “information overload” – which is whether an AI tool could generate accurate risk factors for a particular company, making the entire exercise of company-created risk factors unnecessary.
We are in a new era where better information is more readily accessible to us all – and this question is interesting knowing that the SEC has prioritized taking action to limit the threats that companies fear from the prospect of shareholder litigation. As part of its Regulation S-K project, the SEC likely will touch upon the risk factor disclosure requirements of Item 105 of Regulation S-K. This is on top of relatively recent reforms – those changes became effective in 2020 – from the SEC designed to streamline risk factor disclosure and make that disclosure easier to comprehend.
Yet, I don’t think greater access to better information that comes from outside a company is a substitute from hearing from a company itself about which risks it faces today poses the greatest challenges, nor do I think companies are in favor of an arbitrary limit on risk factor length. I played around with ChatGPT for a couple of companies, asking AI about the risks those companies face – and then compared that to the latest risk factor disclosure for those companies in their Form 10-Ks. The 10-K disclosure was much more granular and felt far more valuable than what AI delivered.
I do think it’s useful for those drafting risk factors to conduct this AI exercise every so often to see what AI says about your company’s risks as it might have some good ideas for new – or modified – risks for you to consider. Play around with the proper prompts when you do this, including adding the context of “You are a retail investor considering buying stock in…” or “You are a financial analyst conducting research on…”
So while some more streamlining of risk factor disclosure might ultimately prove useful for investors, companies cannot forget the compliance nature of drafting disclosure for SEC filings, and the after-the-fact protection that risk factors may provide against shareholder litigation. There is real value in transparent disclosure about what might go wrong for a company. Or disclosure about things that have gone wrong and what the company can – and can’t – do about those things.
In both cases, the risk factors must be carefully drafted to be meaningful and to not create additional risks for the company. The onus is on drafters to ensure that risk factor disclosure are accurate and not part of a “kitchen sink” strategy that might bury the real risks in a sea of highly unlikely ones.
Here are five risk factor drafting tips for your consideration:
1. Be Descriptive for the All-Important Captions
- Captions are important to convey your message.
- Captions should clearly convey the essence of the risk using plain, active English.
- Longer captions should be used if they’re needed for clarity.
- Corp Fin sometimes comments on vague or generic captions.
2. Use Plain English in the Risk Factors
- Required under Item 503 of Regulation S-K and Rule 421(d), but works to your advantage to get the message across.
- Corp Fin expects short sentences, active voice and no legal jargon.
- Avoid generic, boilerplate risks. Corp Fin may comment on vague risks without company-specific consequences.
- Focus on the actual impact to the business if the risk materializes.
3. Order Risk Factors According to Magnitude; Reorder As Magnitude Changes
- List the most serious risks first. Ask “What keeps us up at night?”
- “Magnitude” is more than materiality – probability matters too.
- Reorder the risk factors each time you use them based on changes in risk nature or significance.
4. Categorize by Commonalties
- Risk factors can be grouped (e.g., company, industry, or security-related).
- Logical organization is required by Item 503(c).
- Each risk factor should naturally tie to its category if possible.
5. Avoid Mitigating Language and Don’t Generalize If Risk Has Occurred
- Risk Factors are not the place for “but we’re fine” disclaimers as it can undercut the legal protection of the disclosure.
- Mitigating disclosure belongs in the MD&A or in the “Business” section.
- If the risk has already occurred, describe the specific event and future risks – and consider whether it is something that should be discussed in the MD&A and/or Business section as a known, material trend or uncertainty.
Authored by
Broc Romanek