How to compare 10-K risk factors year over year
- Risk factors read in isolation are near-useless - they are written to be comprehensive and defensive. Their signal comes almost entirely from what changed since last year's 10-K.
- A newly added risk factor is the most valuable: it means management and their counsel decided a risk crossed the threshold of needing disclosure. A removed one, or one that quietly expanded, matters too.
- Most of the year-over-year churn is noise - reordering, boilerplate refresh, legal hedging. The skill is filtering that out so the substantive changes stand out.
- Diffing one company is an afternoon. Diffing a watchlist every filing season is a workflow - the same comparison applied to every name, with the changes surfaced automatically.
Item 1A of a 10-K - the risk factors - is the section most analysts skim and most retail investors ignore, because read once it is a wall of defensive, everything-could-go-wrong boilerplate. That is exactly why it is undervalued. The signal is not in this year's risk factors; it is in the differencebetween this year's and last year's. A company adds, removes, and rewrites these paragraphs deliberately, with legal review, and those edits are one of the few places management tells you what it is worried about before the numbers show it. Here is how to read that difference.
Why compare risk factors year over year?
A risk factor written for a single filing is designed to be comprehensive - it lists every plausible risk so the company is protected if any of them materializes. That comprehensiveness is what makes it low-signal on its own: almost everything is in there. But the document is revised each year, and revisions cost legal time and create liability. So when a company changes a risk factor, it is making a deliberate choice. The year-over-year diff strips away the static boilerplate and leaves you with the deltas - and the deltas are where the information is.
What a change actually tells you
Not all changes mean the same thing. Four types are worth separating:
| Change | What it usually signals |
|---|---|
| New factor added | A risk crossed the threshold of needing disclosure - the highest-value signal. Something changed in the business, the industry, or the regulatory picture. |
| Factor removed | A risk management no longer considers material. Sometimes genuine resolution; sometimes a tell that they have stopped worrying about the wrong thing. |
| Factor expanded | An existing risk got more words, more specifics, or moved higher in the list. Emphasis is shifting - often the quiet precursor to a new disclosure. |
| Factor reworded | Usually boilerplate refresh and noise - but occasionally a softening or hardening of language that changes the meaning. |
The one to prioritize is the newly added factor. Companies do not add risk language casually; a new Item 1A paragraph is management and counsel agreeing that something is now material enough to disclose. That is a prompt to investigate, paired with the same company's cash flow statement and MD&A - the kind of cross-read covered in how to screen a 10-K for red flags.
How to diff two 10-Ks by hand
The manual process is straightforward, if tedious:
- Pull both filings. Get this year's and last year's 10-K from EDGAR and isolate Item 1A from each.
- Align the sections. Risk factors usually carry short bold headers. Match them up between years so you are comparing like with like, not just running a raw text diff that trips on reordering.
- Classify each change. New, removed, expanded, or reworded - using the table above.
- Read only the substantive ones. Discard the boilerplate churn and spend your attention on the added and expanded factors.
- Corroborate. A new risk factor is a lead, not a conclusion. Check it against the financials, the MD&A, and recent 8-Ks before it changes your view.
The traps that produce false signals
Most of what a naive diff surfaces is noise, and knowing the noise is half the skill:
- Reordering. Companies reshuffle risk factors; a factor moving position is not a change in substance unless the content changed too.
- Boilerplate refresh. Law firms update standard language across all clients. A cybersecurity or macro paragraph getting reworded the same way industry-wide is not company-specific signal.
- Defensive CYA. Some additions are pure litigation insurance added after a peer got sued, not a company-specific worry.
- Splitting and merging. One factor split into two, or two merged into one, looks like an add or a remove but is neither.
Filtering these out is why a plain character-level diff is not enough. You want a comparison that aligns by topic and flags meaningful additions, not one that lights up every time a paragraph moves.
Doing it across a watchlist, not one filing
For a single name you cover closely, the manual diff is worth the afternoon. The problem is filing season: forty companies report inside a few weeks, and the year-over-year risk-factor comparison is exactly the work that gets skipped under time pressure - which is when the newly added risk factor slips through unread.
That is what a pipeline is for. On Cutonce you can pull each name's current and prior 10-K, align Item 1A, and have an AI node surface the added and materially expanded risk factors across your whole watchlist - so instead of reading forty filings twice, you read a shortlist of what actually changed. You still decide what a change means; the pipeline just makes sure you never miss one because it was in the eleventh filing you ran out of time to open.
Note: none of this is investment advice. A changed risk factor is a prompt to investigate, not a signal to trade. Always read the underlying filing on EDGAR, and treat any change flagged by a tool - or summarized by an AI - as a claim to verify against the primary source.
Frequently asked
Why compare 10-K risk factors year over year? Because a risk factor in isolation is written to be exhaustive and defensive, so it carries little signal on its own. What carries signal is the change: a risk factor that is newly added, removed, or materially expanded tells you what management and their lawyers now believe is worth disclosing that they did not a year ago.
What does a newly added 10-K risk factor mean? It means the company's management and counsel judged that a risk rose to the level of requiring disclosure since the last annual filing. It is not proof of trouble, but it is a deliberate signal about what they now see as material - and worth investigating before it becomes a surprise.
Can you automate comparing risk factors across filings? Yes. Pulling each year's Item 1A, aligning the sections, and flagging what is new, removed, or reworded is a mechanical text-diff problem well suited to a pipeline - especially across a watchlist, where doing it by hand every filing season does not scale. The judgment about what a change means stays with the analyst.