10-K Business Description & Risk Factors

What Part 1 of the 10-K Reveals About a Business

Every public company must describe its business in Item 1 of the 10-K in plain language — how it makes money, what products and services it offers, how it segments its operations, where it competes geographically, and who its customers are. This isn't the investor presentation: management cannot cherry-pick metrics or omit segments that are struggling. Part 1 must cover the whole business.

Experienced analysts read the business description looking for three things. First, the revenue mix by segment — how does the company actually generate its revenue, and how has that mix changed from last year? A company that describes itself as "a technology company" in its investor deck but whose 10-K reveals that 60% of revenue comes from professional services is telling a different story in each document. The 10-K version is the one that matters.

Second, customer concentration. Part 1 must disclose when any single customer accounts for 10% or more of revenue. A company with 35% of revenue from one customer has a risk profile that a diversified customer base doesn't share. If that concentration disclosure appears or grows year over year, the business is becoming more, not less, exposed to a single relationship.

Third, competitive position. How does the company describe its own competitive advantages? What factors does it claim drive customer choice? Vague language — "we compete based on innovation and service quality" — appears in filings from companies that have no moat. Specific language — "we have the only patented formulation approved for X indication" — signals a real barrier. The specificity of the competitive positioning claim is itself a signal.

The geographic breakdown also matters. A company described as "US-focused" in the investor deck that discloses 40% international revenue in Part 1 is managing its currency and regulatory risk differently than its positioning implies. International revenue growth in a market with deteriorating currency is revenue that may not translate into dollars at the same rate it appears on the segment table.

How Analysts Read Risk Factors: Signal vs. Boilerplate

Item 1A is one of the most misread sections in a 10-K. Most investors either skip it entirely or read it for general alarm — scanning for scary language without distinguishing between the boilerplate that's present in every filing and the specific, new, or expanded risks that are actually informative.

The first 15 to 20 risk factors in almost every filing are legal-cover boilerplate. Cybersecurity risks. Macroeconomic risks. Regulatory change risks. Key personnel dependence. These are written by outside counsel to protect the company from shareholder litigation by establishing that you were warned. They say nothing specific about this company at this moment. You can skim them.

The real signal is in two places: the last 5 to 10 risk factors, which tend to be company-specific and industry-specific rather than universal, and anything that is different from last year. Risk factors that are unique to the company — involving specific customers, regulatory agencies, litigation, technology platforms, or business model dependencies — are worth reading carefully. The generic ones are not.

Length is also a signal. A risk factor that occupies three paragraphs is more important to the company than one that occupies two sentences. Companies do not volunteer words in 10-K risk factors — every sentence was reviewed by lawyers and added because the company believed the disclosure was necessary. A four-paragraph risk factor about a specific contract dispute or a regulatory investigation is a flag that something substantive is happening, regardless of how the language is framed.

The Diff Method: Finding What Changed Year Over Year

The highest-value technique for reading risk factors is simple: compare this year's list to last year's. Risk factors do not change without a reason. When a company adds a risk factor that was absent from last year's filing, it means management's legal team concluded that the risk is now material enough to require disclosure. Risk factors that are expanded — more words, more specificity — got that way because something changed in the underlying situation. Risk factors that moved earlier in the list were elevated in importance by management.

The mechanics are straightforward. Pull both 10-K filings from SEC EDGAR or the company's investor relations page. In Part 1A, read the headings of every risk factor in this year's filing. Find the same headings in last year's filing. Note anything that is new, anything that disappeared, anything that grew significantly, and anything that changed its position in the sequence. What you write down from that comparison is more valuable than anything in the risk factor section read in isolation.

A real-world pattern that has repeated across industries: a company adds a risk factor about "dependency on a single manufacturing facility" that was not present the prior year. That risk factor appears in the filing for two years. Then a fire or flood damages the facility, and the stock drops 30% in a day. The information was available in the 10-K. The investors who lost money never compared the risk factor sections year over year.

Another common pattern: a retail or consumer company that adds a new risk factor about "inventory management" or "excess inventory write-downs" in a year where inventory is building on the balance sheet. The 10-K is telegraphing a write-down. The timing is not immediate, but the direction is. Read the balance sheet alongside the new risk factor and check whether inventory growth is consistent with revenue expectations.

Red Flags in the Business Description

Five patterns in Part 1 and Part 1A have historically preceded material negative surprises. None of them is a definitive sell signal alone — each requires investigation before acting. But each is worth stopping for.

• Risk factors contradicting the business description. If Part 1 says "we maintain a strong competitive position" but Part 1A says "we face intense price competition that may prevent us from sustaining our margins," the two sections are telling different stories. The risk factor is the legally required disclosure. The business description is the pitch. When they conflict, the risk factor is more credible.
• More than 50 pages of risk factors. Companies that over-lawyer their risk sections are often managing disclosure around something specific. The volume itself is a signal that management's legal team believes significant liability exposure exists — otherwise, no rational company would want to generate that many potential admission points. Read the longest risk factors first.
• Segment revenue that doesn't match the company narrative. If the company promotes itself as a "high-growth SaaS business" but the 10-K shows that 55% of revenue is from legacy on-premise licenses declining at 8% per year, the narrative and the filing are describing different companies. The investor relations narrative is aspirational. The 10-K is audited.
• Customer concentration increasing year over year. A 10% customer that becomes a 15% customer and then an 18% customer is a business becoming structurally dependent on a single relationship. That relationship is also the most important renewal negotiation the company has. Increasing concentration without growing overall revenue means the rest of the customer base is shrinking.
• New risk factors with vague but ominous language. Risk factors that use phrases like "may become subject to regulatory investigations" or "certain customers have raised concerns regarding our data practices" without specifics are disclosures in the minimum compliance form. Something happened that required the disclosure. The company has disclosed as little as legally required. Ask what the minimum-disclosure form is hiding.

The Cross-Competitor Comparison Exercise

The most practical exercise for Part 1 and Part 1A is to compare the risk factors of two direct competitors in the same sector. The divergences are the signal.

If Company A lists customer retention as its first company-specific risk and Company B does not mention customer churn at all, you now have a question worth answering: is Company A more honest about its retention challenges, or does Company B have retention dynamics that are structurally different? Neither answer is automatically correct, but the asymmetry in disclosure is worth investigating. Check the revenue mix between one-time and recurring revenue for both, and look at customer count disclosures in each filing.

Similarly, comparing how two competitors in the same industry describe their competitive positioning tells you something about how each management team views the competitive landscape. If both companies describe the same factors as driving customer choice, the market may be less differentiated than either would admit in their investor presentations. If their descriptions of competition diverge significantly — one emphasizing technology, one emphasizing service — one of them is wrong about what customers actually buy, and you can sometimes find out which by checking gross margin trends.