There is a version of risk factor drafting that functions as disclosure. And there is a version that functions as decoration. The two can be indistinguishable to a first-time reader — both appear in the same typeface, behind the same heading, running to roughly the same number of pages. The difference only becomes visible when something goes wrong.
When a deal goes sideways, a regulatory examination arrives, or an investor files a complaint, the quality of the risk factor section stops being a formatting question and starts being a legal one. Risk factors that are specific, material, and linked to real consequences create a documented record that the issuer understood the dangers and disclosed them clearly. Risk factors that are generic, vague, and lifted from a three-year-old template in a different sector create a document that looks like disclosure without doing what disclosure is supposed to do.
This post covers the mechanics of risk factor drafting from the ground up: what they are legally required to do, why generic language is not just unhelpful but potentially dangerous, how to identify what belongs in the section versus what is organizational noise, the specific techniques that make individual risk factors defensible, and how to maintain that quality over time as the issuer and the risks evolve. If your offering documents still read like they were assembled from a curated selection of worst fears found in industry templates, I can help you rewrite them before they have to perform under pressure.
1. What Risk Factors Are Supposed to Do — and What They Actually Do in Most Documents
The Legal Framework: Item 105 and the Materiality Standard
Risk factor disclosure requirements for registered offerings are governed by Item 105 of Regulation S-K. The rule requires disclosure of the material factors that make the investment or offering speculative or risky, presented with logical organization under relevant headings and subcaptions that adequately describe each risk. In August 2020, the SEC modernized Item 105, replacing the old ‘most significant’ risk factors standard with a materiality standard and adding an organizational requirement: if the risk factor section exceeds fifteen pages, the issuer must include a concise summary of no more than two pages upfront.
The materiality standard is drawn from the Supreme Court’s established definition: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment or voting decision, or if disclosure would significantly alter the total mix of information available. Applied to risk factors, that standard has a direct consequence: a risk is material if a reasonable investor would want to know about it. A risk that does not meet that threshold does not belong in the section — and a section padded with immaterial risks actively harms the disclosure by burying the ones that matter.
The SEC was explicit about this problem when it modernized Item 105. The Commission noted that risk factor sections had grown increasingly lengthy and generic, and that the inclusion of risks that could apply to any registrant or any offering contributed to that bloat. The 2020 amendments were specifically designed to push filers toward registrant-specific, material disclosure and away from the industry-standard practice of accumulating every conceivable bad scenario in a single section regardless of whether it is real, current, or significant for this particular issuer.
What Risk Factors Can and Cannot Do for You Legally
Well-drafted risk factors create a documented record that certain specific dangers were identified and disclosed to investors before they committed capital. That record serves several functions across different legal contexts.
Under the Private Securities Litigation Reform Act (PSLRA), forward-looking statements are protected from private actions when they are identified as forward-looking and accompanied by meaningful cautionary language identifying important factors that could cause actual results to differ materially. The quality of that protection depends entirely on the quality of the cautionary language. Vague references to ‘various risks and uncertainties that could cause results to differ’ are meaningfully weaker protection than a specific, identified set of factors connected to the issuer’s actual business. The more directly the risk factor identifies the actual conditions that could cause the forecast to fail, the closer it comes to the meaningful cautionary disclosure that the PSLRA contemplates.
At the same time, risk factors do not create blanket immunity from securities fraud claims. The antifraud provisions of federal law — Section 10(b) of the Exchange Act, Rule 10b-5, and Section 17(a) of the Securities Act — prohibit material misstatements and omissions in connection with the purchase or sale of any security. A risk factor section cannot retroactively cure a statement elsewhere in the document that is false. And as the SEC made clear in its October 2024 enforcement actions against four cybersecurity companies, a risk factor that describes risks as hypothetical when the issuer knows those risks have already materialized is not disclosure at all. It is a half-truth — and the federal securities laws prohibit half-truths in risk factor disclosures the same as everywhere else.
| ⚠️ The Unisys Case: What Happens When Risk Language Does Not Reflect Reality In October 2024, the SEC charged four technology companies with making materially misleading cybersecurity disclosures in the wake of the SolarWinds Orion hack. Unisys settled for a $4 million civil penalty after the SEC found that the company’s 2020 and 2021 annual reports described cybersecurity risks as hypothetical ‘could’ events — risks that ‘could’ result in loss, unauthorized disclosure, or misuse of information — even though Unisys knew it had already experienced two SolarWinds-related intrusions that exfiltrated gigabytes of data. The SEC’s position, stated by the acting chief of the Crypto Assets and Cyber Unit, was direct: ‘In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.’ The lesson applies beyond cybersecurity. Any risk factor that uses conditional language — could, may, might — to describe a condition that the issuer already knows has occurred or is substantially certain to occur is not disclosure. It is a misrepresentation dressed in cautious-sounding grammar. When the risk has already materialized, the language must reflect that. |
2. The Specificity Problem: Why Generic Risk Factors Can Actually Hurt You
Generic risk language is the default in most private offering documents. It arrives in templates, persists through repeated recycling, and proliferates with the comfortable feeling that more disclosure is always safer than less. That intuition is wrong in two directions.
First, the SEC has explicitly discouraged generic risk factors and instructed issuers to keep them out of the main body of the section or place them at the end under a ‘General Risk Factors’ heading. The Commission’s view, stated clearly in the 2020 amendments, is that risks applicable to any registrant or any offering dilute the signal of risks that are actually material to the specific issuer. An investor reading twenty paragraphs of generic market risk, interest rate risk, regulatory risk, and macroeconomic risk before reaching the issuer-specific risks — which are the ones that actually matter for this investment — has been served a disclosure experience that obscures rather than informs.
Second, and more importantly for issuers trying to build a legal record, a generic risk factor is a weak defense. If an investor claims they were not adequately warned about a specific liquidity problem, a sponsor conflict of interest, or a construction risk embedded in the deal, the issuer’s ability to point to a specific, dated, signed disclosure describing exactly that risk is its strongest defense. Pointing to a paragraph that says ‘our business may be adversely affected by general economic conditions’ is not the same thing. It may technically have been in the document. It did not warn anyone about anything specific.
The distinction matters in practice. Think of a risk factor section like a contract: the protection it provides is proportional to the specificity of what it says. A contract that says ‘the parties may encounter various difficulties’ gives neither party anything useful to enforce or rely on. A contract that identifies specific obligations, timelines, and conditions is what actually allocates risk. Risk factors work the same way.
| 📌 The Quick Test for a Generic Risk Factor Before finalizing any risk factor, apply this test: could this exact paragraph be dropped into the offering documents of fifty unrelated issuers in different sectors without changing a word? If the answer is yes, the paragraph is generic. It does not describe this issuer’s risk profile. It describes a category of risk that exists somewhere in the universe. The SEC has specifically discouraged this kind of disclosure, and it does less legal work than a specific, issuer-connected paragraph that identifies the actual exposure, explains why this particular business is vulnerable to it, and states what happens if the risk materializes. Generic language has a place at the end of the section, under ‘General Risk Factors,’ for risks that are genuinely broad and cannot be made more specific. It does not belong at the front, and it should never crowd out the material risks that a reasonable investor actually needs to understand before deciding whether to invest. |
3. Identifying What Actually Belongs in the Risk Factor Section
Start With What a Reasonable Investor Would Want to Know
The first question to ask when identifying risk factors is not ‘What can go wrong?’ It is ‘What would a reasonable investor genuinely need to understand before deciding whether to invest in this specific offering?’ That shift in framing produces a materially different set of answers.
‘What can go wrong?’ produces a brainstorm that includes interest rate movements, geopolitical events, pandemics, regulatory changes, and anything else that has happened to any business in recorded history. It is an infinite list. ‘What would a reasonable investor need to know about this offering?’ produces a finite list tied to the actual structure of the deal: the leverage on this specific property, the refinancing risk given this specific debt maturity, the construction timeline on this specific development, the conflict between the sponsor and an affiliated property manager, the transfer restrictions on these specific interests that make them illiquid.
That second list is what belongs in the section. The first list produces padding that makes the section longer without making it more useful.
Business Risks vs. Transaction Risks: Both Matter, and They Are Different
A well-organized risk factor section addresses two distinct categories of risk, each of which can independently cause investors to lose money.
Business risks come from the issuer itself: leverage and refinancing exposure, customer or tenant concentration, dependence on key personnel, regulatory compliance gaps, construction and entitlement risk on development deals, market-specific demand assumptions, and any other operational risk embedded in the underlying business or asset. An investor who puts money into a well-structured offering can still lose that money if the underlying business fails, and the risk factor section should explain specifically how and why.
Transaction risks come from the structure of the securities being sold: limited liquidity and restricted transfer rights, subordination in the capital structure, dilution mechanics, conflicts of interest between the issuer and the sponsor, uncertain closing conditions, or unusual governance provisions that limit investor recourse. A fundamentally sound business can offer securities with structural features that expose investors to losses the business itself would not produce — and those structural features need to be disclosed specifically.
Item 105 expressly requires the drafter to explain how each risk affects the registrant or the securities being offered. That phrase covers both categories. A risk factor section that only describes business risks and ignores how the offering is structured is incomplete. A section that only describes transaction risks without explaining the business context leaves investors without the information they need to evaluate the underlying asset. The section needs both, organized so each type of risk is addressed with the specificity it deserves.
Categories of Risk: A Starting Framework, Not a Checklist
Most strong risk factor sections in real estate and private fund offerings cover risks organized into recognizable groups. The 2020 amendments to Item 105 require logical organization with relevant headings, and grouping related risks helps readers understand the overall risk landscape before reading every individual paragraph. Common categories include:
- Deal and investment structure risks: Liquidity constraints, transfer restrictions, limited investor rights, conflicts of interest, distribution waterfall mechanics, and the impact of leverage on returns.
- Business and operational risks: Tenant concentration, occupancy assumptions, lease rollover risk, property management dependence, construction cost and timeline risk for development deals, and dependence on key principals.
- Financial and leverage risks: Current debt terms, refinancing risk at maturity, covenant compliance, the impact of rising interest rates on variable-rate debt, and the availability of capital for future investment.
- Regulatory and compliance risks: Permit and entitlement requirements, environmental compliance, securities law limitations on transfer and resale, tax risks for non-U.S. investors, and any jurisdiction-specific regulatory exposure.
- Market risks: Local and national real estate market conditions, interest rate environment, inflation’s impact on operating costs, and demand-side assumptions that support the underwriting.
- General risk factors (at the end): Macroeconomic conditions, geopolitical risk, and other broad factors that affect the investment but cannot be made more issuer-specific. These belong at the end of the section, not at the beginning.
These categories are a starting point. The mix depends on what actually makes this specific investment speculative or risky. A real estate fund with heavy use of a subscription credit facility needs to explain how that facility affects the preferred return calculation. A development project with a pending entitlement needs to explain the specific conditions that must be satisfied and the timeline risk if they are not. A deal with a significant affiliated-party service arrangement needs to explain that conflict specifically, not just note that conflicts ‘may exist.’
4. Drafting Risk Factors That Actually Work
The Heading Should State the Risk, Not Describe the Category
Every risk factor must appear under a subcaption, and that subcaption should do real work. ‘Risks Related to Our Business’ is a category heading — it tells the reader that risks exist, which they already knew. ‘Our Three Largest Tenants Represent 60% of Annualized Base Rent, and Loss of Any One Would Materially Reduce Distributions’ is a subcaption that states the actual risk and where the consequences land.
The test is simple: can a reader understand the risk from the heading alone? If yes, the heading is functioning correctly. If the reader must read the full paragraph to understand what kind of risk is being described, the heading is not pulling its weight.
Strong headings also force better drafting. When a drafter must commit to a specific, clear subcaption, it forces clarity about what the risk actually is. Vague headings are often symptoms of paragraphs that have not yet resolved what they are trying to say. If the subcaption is ‘We Face Various Risks Related to Our Operations,’ the paragraph underneath probably says nothing specific either. Rewrite the heading first, and the paragraph often improves automatically.
Every Risk Factor Should Answer Four Questions
A well-drafted individual risk factor typically answers four questions in sequence, even if the paragraph never explicitly labels them:
- What is the risk? The specific condition, dependency, uncertainty, or exposure that exists. Not ‘we face various competitive pressures’ but ‘the two properties in our portfolio are in submarkets where three new competing multifamily developments are under construction within a half-mile radius.’
- Why is this issuer or offering specifically exposed? The connection between the general risk and this specific deal. Not ‘interest rates affect real estate’ but ‘our construction loan carries a variable rate, and our proforma assumes refinancing at a fixed rate of X% at stabilization, which may not be achievable if rates remain elevated at the expected refinancing date.’
- What happens if the risk materializes? The concrete consequence for the business, the asset, or the investors’ returns. Not ‘results may be adversely affected’ but ‘reduced occupancy or lower achieved rents would reduce distributable cash flow, delay or reduce distributions to investors, and may impair the ability to refinance at maturity.’
- How does this affect the specific securities being offered? The item 105 requirement that the explanation connect the risk to the registrant or the offering. Does the risk delay distributions? Increase dilution? Reduce the likelihood of a profitable exit? Create a capital call obligation? The investor needs to know what this risk means for what they are buying.
These four questions do not need to be answered in four separate sentences or labeled as a list within the paragraph. A single well-constructed paragraph can move through all four naturally. The point is to check, before the paragraph is finalized, that all four are answered somewhere. A paragraph that describes the risk, explains the company’s exposure, and then stops before stating the consequence is the most common drafting failure in this section.
Plain English Is a Legal Requirement, Not a Style Preference
The SEC’s plain English rule requires offering documents to use short sentences, active verbs, everyday language, and concrete examples. It specifically prohibits legal jargon, legalistic complex presentations, and unnecessary technical language in the sections it covers. That requirement is not decorative. It reflects the Commission’s view that disclosure that cannot be understood by the investor it is addressed to has not actually disclosed anything.
In practice, plain English in risk factors means:
- Write to the investor, not to other lawyers. The reader does not need to know that the sentence uses passive voice because it deliberately avoids assigning blame. The reader needs to understand what could happen to their investment.
- Name specific numbers, timelines, parties, and conditions. ‘Our loan matures in March 2027’ is more useful than ‘our debt is subject to maturity risk over the near term.’ If the loan has a variable rate tied to SOFR plus 200 basis points, say so.
- State consequences directly. ‘We may be unable to refinance at maturity, which could require us to seek additional equity from investors, sell the property at an inopportune time, or default on the loan’ is clearer and more protective than ‘refinancing risk may adversely impact operations.’
- Avoid euphemisms for bad outcomes. ‘Investors could lose some or all of their investment’ is plain English. ‘Returns may be impacted’ is a euphemism that does not communicate what the reader needs to hear.
| Generic Version | Specific Version |
| Our business may be adversely affected by general economic conditions. | We have assumed stabilized occupancy of 94% in our underwriting. A recession or local employment downturn could suppress demand and push actual occupancy below 85%, which would reduce distributable cash flow by approximately 30% against our proforma at that occupancy level. |
| We face risks related to regulatory compliance. | The property’s ability to operate as a short-term rental requires annual renewal of a city license that was granted on a conditional basis. The city council has proposed legislation that would restrict new short-term rental licenses in the target neighborhood. Loss of the license would eliminate the property’s current revenue model and require conversion to a longer-term rental strategy generating approximately 40% less gross revenue. |
| We may not be able to refinance on favorable terms. | Our construction loan of $X million carries a variable rate currently at SOFR + 225 basis points, with a maturity date of [date]. Our proforma assumes refinancing at a fixed rate of approximately 5.75% at that maturity. If market rates remain above 7.0% at maturity, our ability to refinance without an equity contribution to support debt service coverage requirements at that rate may be impaired, which could require us to seek additional investor capital or sell the property prior to our intended exit date. |
| Conflicts of interest may affect our decisions. | Our sponsor’s affiliate, [Entity Name], will serve as property manager and earn a property management fee equal to 4% of gross revenues. The sponsor therefore has a financial interest in decisions that affect gross revenues, including lease negotiation terms, tenant concession policies, and capital expenditure timing. Investors cannot independently verify the reasonableness of the property management fee without third-party market comparison. |
5. Common Risk Factor Failures — and What They Cost
The Hypothetical Language Problem
The most dangerous drafting error in risk factor disclosure is using hypothetical language — could, may, might, could result in — to describe conditions that are not actually hypothetical. As the October 2024 Unisys enforcement action illustrates, a risk factor that says the company ‘could’ experience data loss when the issuer already knows a breach has occurred is not cautionary disclosure. It is a misrepresentation.
This problem is not limited to cybersecurity. A real estate issuer that knows a major tenant has provided a notice to vacate but continues to describe lease-rollover risk as a hypothetical future possibility is in the same position. A fund sponsor that knows a lender has issued a default notice but describes covenant compliance risk as something that ‘may’ occur is facing the same exposure. The principle is the same across contexts: hypothetical language implies that the described scenario has not yet occurred. When it has, that language creates a materially misleading impression.
The practical fix is straightforward but requires discipline: every time a risk factor is reviewed, someone in the process must ask whether the described scenario has already occurred, partially occurred, or become substantially certain to occur. If the answer to any of those is yes, the language must be updated to reflect reality. The tense and certainty of the language must match the actual state of knowledge at the time of disclosure.
The Stale Template Problem
The second common failure is recycling risk factors from prior documents without reviewing whether they accurately reflect the current offering, current business conditions, and current management knowledge. A paragraph that was accurate and appropriately cautionary in a 2021 offering may be stale, misleading, or simply inapplicable by 2025 because the business has changed, the regulatory environment has shifted, the risk has materialized, or the offering structure is different.
Stale templates are particularly dangerous in two scenarios. First, when a risk factor describes a specific regulatory or competitive condition that no longer accurately reflects the current environment — what was a hypothetical future risk in 2021 may have become a present operational reality by now. Second, when numbers, names, parties, or timelines embedded in the risk factors are from a prior deal and were never updated for the current one. An investor who reads a risk factor referencing a construction timeline that bears no relationship to the actual project, or a lender whose identity has changed, is reading a disclosure that does not describe the offering they are evaluating.
The solution is to treat risk factors as documents that need to be written for the current offering, not borrowed from the last one. Templates are a starting point for identifying categories of risk, not a final product. Every paragraph should be reviewed against the specific facts of the current transaction before it goes into the document.
The Missing Consequence Problem
The third common failure is stopping the analysis before the consequence is stated. A risk factor that describes what can go wrong without stating what happens to the business or the investor when it does has answered only half the question. The SEC’s rule requires an explanation of how the risk affects the registrant or the securities being offered. A paragraph that identifies the risk and the issuer’s exposure but then ends without stating the consequence for investors is not satisfying that requirement.
This is common in the treatment of regulatory and legal risks, where the drafter is often reluctant to state specific consequences. ‘If we fail to maintain required licenses, our ability to operate in certain markets could be affected’ is weaker than ‘Loss of our primary operating license in the target market would prevent us from generating revenue from the property’s primary use, reducing distributable cash flow to zero until the license is restored or the property is converted to an alternative use, which would take an estimated additional 12 to 18 months.’ Both paragraphs describe a license risk. The second one tells the investor what losing the license would actually mean for their investment.
6. Maintaining Risk Factors Over Time
Risk Factors Are Not a Closing Document — They Are an Ongoing Obligation
Once an offering closes, sponsors sometimes treat the risk factor section as a fixed historical document — the disclosure that was made, now preserved in amber. That treatment is incorrect for any offering that remains open, any security that is subject to ongoing disclosure obligations, and any circumstance where investors can still make decisions based on the offering documents.
For rolling or multi-close private offerings, the offering documents — including the risk factor section — are the disclosure that new investors receive and rely on. A risk factor section in a PPM that was drafted for the initial close but has not been updated for a re-opening that occurs eighteen months later may be materially stale. If the risks of the deal have changed — because market conditions shifted, a key tenant left, a regulatory environment changed, or a construction project encountered material delays — the risk factors should reflect those changes.
For public companies with periodic reporting obligations, the maintenance obligation is explicit: Item 105 requires risk factor disclosure in the annual report and requires updating for material changes in quarterly reports. The SEC’s expansion of cybersecurity disclosure requirements, with Form 8-K reporting of material incidents within four business days of materiality determination, is the most visible recent example of how the disclosure framework continues to expand the issuer’s obligation to reflect current reality, not historical assumptions.
The Periodic Review Checklist
A practical risk factor review — whether triggered by a new filing, a re-opening, or a periodic compliance review — should work through the following questions for each individual risk factor:
- Is this risk still real? Has the underlying condition changed so that the risk is no longer present, has been resolved, or is no longer material? If so, delete the paragraph rather than preserving it out of institutional inertia.
- Is the language still accurate? Has the risk already materialized? If so, does the language reflect that reality rather than describing it as a future hypothetical? Does the language accurately reflect management’s current knowledge?
- Are the facts current? Do specific numbers, timelines, names, parties, and conditions referenced in the paragraph still accurately describe the current deal and business? Has the debt maturity changed? Has the tenant roster changed? Has the sponsor’s experience or track record changed in ways that affect how this risk factor reads?
- Is the consequence still accurate? Has the magnitude of the stated consequence changed because of developments in the business or market? A consequence that was stated in 2022 based on a certain interest rate environment may look materially different in 2025.
- Is the disclosure consistent with the rest of the document? Do the risk factors align with what the business section, financial discussion, and any material event disclosures say? A risk factor that says a particular event is hypothetical while the business section describes that event as having already occurred is a contradiction that creates rather than resolves disclosure risk.
Risk Factors Work Best When They Are Written Specifically for the Deal in Front of You
The difference between a risk factor section that provides genuine legal protection and one that provides the appearance of it comes down to a single disciplined question asked about every paragraph: does this describe a real, current, material risk of this specific offering, in language specific enough to have warned this investor, with enough consequence identified that the warning is meaningful?
That is not a question that can be answered by recycling a template. It requires someone with knowledge of the deal — the capital structure, the business plan, the regulatory environment, the conflicts, the sponsor’s track record — to make specific choices about what belongs in the document, how it should be expressed, and what the consequence chain looks like for investors if the described scenario occurs.
The SEC’s direction, expressed through the 2020 Item 105 amendments and reinforced through enforcement actions against issuers who used generic and hypothetical language when they knew better, is consistent: material, specific, plainly written, and updated to reflect reality. A risk factor section that does those four things is not guaranteed to prevent every claim or resolve every dispute. But it creates a documented record that the issuer understood its risks, took them seriously, and communicated them honestly.
That record is what makes the difference when questions get serious. The time to build it is before the offering document goes out, not after someone is asking why it does not describe what actually happened.
| I Can Help You Write Risk Factors That Hold Up If your offering documents contain risk factors recycled from prior deals, drafted at a level of generality that would not warn anyone about anything specific to this transaction, or written in hypothetical language that does not reflect what management already knows — that is a drafting problem with legal consequences that grow over time. I work with real estate sponsors, fund managers, and issuers on offering document preparation, including risk factor drafting that is specific to the deal structure, consistent with the rest of the offering package, written in plain English that investors can actually understand, and reviewed for the hypothetical-language problem before the document goes out. The risk factor section is not decoration. Draft it like it has to perform. |