Five years is a long time in the technology industry, so perhaps it’s not surprising that the risk profiles of major tech firms have changed markedly in that time (see chart below).
In fact, some risk factors have become significantly greater concerns rather suddenly. For example, among the fiscal-year 2015 10-K filings of the 100 largest U.S. tech firms, 61 reported loss of a major customer as a risk factor, according to an analysis by BDO. Just a year earlier, only 44 did so.
A leading cause of that shift is accelerating merger-and-acquisition activity in several technology subsectors — like the semiconductor business, with Intel, Singapore-based Avago, and NXP all having completed big deals in 2015.
For many tech firms, the sale of components or solutions to other tech firms is a primary source of revenue, notes Aftab Jamil, leader of the technology and life sciences practice for BDO. When a major customer is acquired, that account may be in jeopardy. “If there is consolidation in your target sector, maybe instead of selling to five big customers you now have only three left,” Jamil says. “We’re seeing that all the time, especially on the hardware side.”
The growing presence of M&A in the tech industry can also be seen in the steep rise of goodwill impairment as a risk factor in recent years, as shown in the chart below.
Another risk factor that became more prominent in 2015 annual reports was loss of government contracts and incentives, reported by 57 of the 100 largest technology companies, up from 47 in 2014. “There is more competition for government contracts, and we have observed some cuts in defense-related spending and other federal budgetary constraints,” says Jamil.
Two risks — cybersecurity and regulation — were cited by all 100 companies in their 2015 annual reports. The former completed a steady march upward in recent years; in 2011 reports, only 71% of the largest technology companies reported cyber risk.
That shift has occurred even though technology companies were the victims of only 2.6% of total reported data breaches since 2010, according to TrendMicro. While the kind of data tech firms have may be less useful to wrong-doers than that possessed by financial services, retail, and health-care companies, there is still a great focus on securing internal systems, Jamil says.
But other types of cyber risk are far greater for the technology industry than for others. For example, protecting against theft or misuse of intellectual property is among the most important activities for many tech companies. “You can’t lock up IP with a physical lock and key, and if somebody accesses it or infringes on it, the company’s value can erode quickly and significantly,” says Jamil.
Additionally, many technology firms are exposed to risks that their products will contribute to breaches suffered by their customers. “Any cyber incident is the result of a vulnerability or flaw in technology,” says Shahryar Shaghaghi, leader of BDO’s technology advisory services practice. “While the onus is partly on the user entity to implement appropriate protocols and policies, the technology manufacturer or service provider does share in the blame ― whether it’s warranted or not.”
Regulatory risk, meanwhile, has always been of great concern for the tech industry. One topic that’s currently on the minds of many industry CFOs is the new revenue recognition rules slated to take effect in 2018. In BDO’s most recent Technology Outlook Survey, 31% of technology finance chiefs admitted that they’re still trying to understand the changes.
Jamil characterized that result as “somewhat disappointing,” because the new standard was finalized in 2014 and its effective date was delayed for a year.
Companies have two options for implementing the new rules. They can leave their historical financials in place and begin reporting revenue according to the new standard in 2018, or they can at that time restate their revenue back to 2014. Most have not yet pulled the trigger on the decision.
“Companies are waiting to see what their competitors do, and I can understand the hesitation,” says Jamil. “If you adopt the new standard prospectively and your competitor adopts it retrospectively, you will have to think about how to deal with the analyst community and other stakeholders, because your financials will not be directly comparable to your competitor’s.”