Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

Risk Factors - NRC

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A.

Risk Factors

You should carefully consider each of the risks described below, together with all of the other information contained in this Annual Report on Form 10-K, before making an investment decision with respect to our securities. If any of the following risks develop into actual events, our business, financial condition or results of operations could be materially and adversely affected and you may lose all or part of your investment.

Risks Related to our Business

We depend on contract renewals, including retention of key clients, for a large share of our revenue and our operating results could be adversely affected.

We expect that a substantial portion of our revenue for the foreseeable future will continue to be derived from renewable service contracts. The majority of our contracts are renewable annually at the option of our clients. Client contracts are generally cancelable on short notice without penalty; however we are entitled to payment for services through the cancellation date. To the extent that clients fail to renew or defer their renewals, we anticipate our results may be materially adversely affected. We rely on a limited number of key clients for a substantial portion of our revenue. Our ten largest clients collectively accounted for 17%, 15%, and 15% of our total revenue in 2024, 2023 and 2022, respectively. Our ten largest clients collectively accounted for 14%, 14%, and 16% of our total revenue in 2021, 2020, and 2019, respectively. Our ability to secure renewals depends on, among other things, our ability to gather and analyze performance data in a consistent, high-quality, and timely fashion. In addition, the service needs of our clients are affected by accreditation requirements, enrollment in managed care plans, the level of use of satisfaction measures in healthcare organizations’ overall management and compensation programs, the size of operating budgets, clients’ operating performance, industry and economic conditions, and changes in management or ownership. As these factors are beyond our control, we cannot ensure that we will be able to maintain our renewal rates. Any material decline in renewal rates from existing levels would have an adverse effect on our revenue and a corresponding effect on our operating and net income.

We operate in a highly competitive market and could experience increased price pressure and expenses as a result.

The healthcare analytics and market research services industry is highly competitive. We have traditionally competed with healthcare organizations’ internal marketing, market research and/or quality improvement departments that create their own performance measurement tools, and with other firms that provide survey-based healthcare market research and/or performance assessment. We have traditionally competed with healthcare organizations’ internal marketing, market research and/or quality improvement departments that create their own performance measurement tools, and with relatively small specialty research firms that provide survey-based healthcare market research and/or performance assessment. Our primary competitors include Press Ganey and Qualtrics, both of which we believe has significantly higher annual revenue than us, and several other firms that provide similar services in the market we serve. Our primary competitors among such specialty firms include Press Ganey, which we believe has significantly higher annual revenue than us, and three or four other firms that we believe have lower annual revenue than us. We also compete with market research firms and technology solutions which provide survey-based, general market research or voice of the customer feedback capabilities and firms that provide services or products that complement healthcare performance assessments, such as healthcare software or information systems. Although only a few of these competitors have offered specific services that compete directly with our services, many of these competitors have substantially greater financial, information gathering, and marketing resources than us and could decide to increase their resource commitments to our market. Furthermore, we do not have a publicly traded group of peers, which makes it difficult to compare and benchmark performance to other similar companies. There are relatively few barriers to entry into our market, and we expect increased competition in our market which could adversely affect our operating results through pricing pressure, increased marketing expenditures, and market share losses, among other factors. There can be no assurance that we will continue to compete successfully against existing or new competitors.

Because our clients are concentrated in the healthcare industry, our revenue and operating results may be adversely affected by changes in regulations, a business downturn or consolidation with respect to the healthcare industry.

Substantially all of our revenue is derived from clients in the healthcare industry. As a result, our business, financial condition and results of operations are influenced by conditions affecting this industry, including changing political, economic, competitive and regulatory influences that may affect the procurement practices and operation of healthcare providers and payers. The healthcare industry is extensively regulated by both state and federal government. Future legislative changes, including additional provisions to control healthcare costs, improve healthcare quality and expand access to health insurance, could result in lower reimbursement rates and otherwise change the environment in which providers and payers operate. Recently, members of the U.S. House of Representatives have started to weigh a series of legislative proposals targeting Medicaid, Medicare, and other entitlement programs as part of a broader campaign to reduce federal spending, President Trump has issued a number of executive orders intended to reduce government spending, and we expect there will be continued proposals targeting reimbursement methodologies and the number of individuals eligible for government healthcare programs. There have also been proposals calling for repeal or reform of the Affordable Care Act. Any of these or related actions by state or federal governments could significantly reduce federal or state spending on the Medicaid and Medicare programs, constitute a fundamental change in the federal role in healthcare, change the nature of the entitlements offered by Medicaid and Medicare, or reduce or delay the payments made to both non-profit and for profit healthcare systems by Medicaid and Medicare, any of which could have a material effect on the revenues of our customers, resulting in harm to the demand for our solutions and our ability to collect subscriptions and fees owed to us, which could negatively impact our business, financial condition, cash flows, and results of operations.

In addition, large private purchasers of healthcare services are placing increasing cost pressure on providers. Healthcare providers may react to these cost pressures and other uncertainties by curtailing or deferring purchases, including purchases of our services. Moreover, there has been consolidation of companies in the healthcare industry, a trend which we believe will continue to grow. Moreover, there has been consolidation of companies in the healthcare industry, a trend which we believe will continue to grow. Consolidation in this industry, including the potential acquisition of certain of our clients, could adversely affect aggregate client budgets for our services, could result in clients performing more marketing, market research and/or quality improvement functions internally or could result in the termination of a client’s relationship with us. The impact of these developments on the healthcare industry is difficult to predict and could have an adverse effect on our revenue and a corresponding effect on our operating and net income.

We could be negatively impacted by outbreaks or pandemics.

In May 2023, the federal government lifted its Federal Public Health Emergency Declaration related to COVID-19. However, the continued spread of COVID-19, including its variants, together with any other outbreak of other contagious diseases or public heath environments could adversely affect our business, results of operations, financial condition, and stock price. While the risk of such similar outbreaks is unpredictable, and the extent of such risk is highly uncertain, the possibility of future outbreaks remains a risk that could have a material adverse effect on our business and it may also have the effect of heightening many of the other risks described in this Part I, Item 1A of this Form 10-K.

We could be negatively impacted by the global conflicts or similar events.

Global conflicts or any expansion of such conflicts, could adversely affect our business and operations. From time-to-time we outsource certain software development services to third parties outside of the United States, including in the Ukraine. Historically, our contractors located in areas of conflict (including in the Ukraine) have been able to continue their work. However, those services could be more negatively impacted in the future.

Civil unrest, political instability or uncertainty, military activities (including the conflicts in the Ukraine and the Middle East, and as a result of any escalation of tensions between China and Taiwan), utility service breakdowns or broad-based sanctions, should they continue for the long term or escalate, could interrupt our contractors’ ability to provide services and require our associates to perform the services or replace the contractors which could have an adverse effect on our operations and financial performance, including higher volatility in foreign currency exchange rates, increased use of less cost-efficient resources and negative impacts to our business resulting from deteriorating general economic conditions. Further, we cannot predict the impact of the military actions and any heightened military conflict or geopolitical instability that may follow, including additional sanctions or countersanctions, heightened inflation, cyber disruptions or attacks, higher energy costs, and supply chain disruptions.

In addition, the new administration has stated its intention to impose new or increased tariff rates on imported goods from a number of countries, including China, Canada, Mexico, and the EU. Such trade policies and tariff implementations, and any related retaliatory trade policies and tariff implementations by foreign government may result in increased costs and worsening economic conditions and could have an adverse impact on our results of operations.

General economic factors could adversely impact our profitability.

Negative changes in general economic conditions, in the geographic areas in which we operate may reduce our profitability. An economic downturn, a rise in interest rates, and inflationary pressures can reduce the demand for our services and result in terminations as well as slower client payments or client defaults on receivables. Additionally, in recent years, we experienced increased costs including salary and benefits costs in sales and client support, software costs, contracted services, costs associated with our building improvements and equipment purchases and we expect inflationary pressures to continue in 2025. Inflation may increase our costs without a corresponding increase in our contract revenue due to fixed contract arrangements, which could result in decreased margins and profitability.

We face several risks relating to our ability to collect the data on which our business relies.

Our ability to provide timely and accurate performance measurement and improvement services to our clients depends on our ability to collect large quantities of high-quality data through surveys. If survey operations are disrupted and we are unable to process surveys in a timely manner, then our revenue and net income could be negatively impacted. If our mail survey operations are disrupted and we are unable to mail our surveys in a timely manner, then our revenue and net income could be negatively impacted. We outsource certain operations and engage third parties to perform work needed to fulfill our client services. We outsource certain operations and engage third parties to perform work needed to fulfill our client services. For example, we use vendors to perform certain outreach and data collection services related to our survey operations. For example, we use vendors to perform certain printing, mailing, information transmittal and other services related to our survey operations. If any of these vendors cease to operate or fail to adequately perform the contracted services and alternative resources and processes are not utilized in a timely manner, our business could be adversely affected. The loss of any of our key vendors could impair our ability to perform our client services and result in lower revenues and income. It would also be time-consuming and expensive to replace, either directly or through other vendors, the services performed by these vendors, which could adversely impact revenues, expenses and net income. Furthermore, our ability to monitor and direct our vendors’ activities is limited. If their actions and business practices violate policies, regulations or procedures otherwise considered illegal, we could be subject to reputational damage or litigation which would adversely affect our business.

If receptivity to our survey methods by respondents declines, or, for some other reason, their willingness to complete and return surveys declines, or if we, for any reason, cannot rely on the integrity of the data we receive, then our revenue could be adversely affected with a corresponding effect on our operating and net income.

If intellectual property and other proprietary information technology were copied or independently developed by our competitors, our operating results could be negatively affected.

Our success depends in part upon our data collection process, research methods, data analysis techniques, and internal systems and procedures that we have developed specifically to serve clients in the healthcare industry. We do not hold patents for our intellectual property. We have no patents for most of our intellectual property. Consequently, we rely on a combination of copyright, trade secret laws and associate nondisclosure agreements to protect our systems, survey instruments and procedures. We cannot assure you that the steps we have taken to protect our rights will be adequate to prevent misappropriation of such rights, or that third parties will not independently develop functionally equivalent or superior systems or procedures. We believe that our systems and procedures and other proprietary rights do not infringe upon the proprietary rights of third parties. We cannot assure you, however, that third parties will not assert infringement claims against us in the future, or that any such claims will not result in protracted and costly litigation, regardless of the merits of such claims, or whether we are ultimately successful in defending against such claims.

Failures, interruptions or deficiencies in our information technology and communications systems could negatively impact our business and operating results.

Our ability to provide timely and accurate performance measurement and improvement service to our clients is dependent, to a significant extent, upon the technology that we develop internally as well as the efficient and uninterrupted operation of our information technology and communication systems, and those of our external service providers. Investment in the enhancement of existing and development of new information technology processes is costly and affects our ability to successfully serve our clients. The failure or deficiency of the technology we develop and implement could negatively impact the willingness or ability for our clients to use our services and our ability to perform our services. The failure or deficiency of the technology we develop could negatively impact the willingness or ability for our clients to use our services and our ability to perform our services. Our failure to anticipate clients’ expectations and needs, adapt to emerging technological trends, or design efficient and effective information technology platforms, could result in lower utilization, loss of customers, damage to customer relationships, reduced revenue and profits, refunds to customers and damage to our reputation. Our failure to anticipate clients’ expectation and needs, adapt to emerging technological trends, or design efficient and effective information technology platforms, could result in lower utilization, loss of customers, damage to customer relationships, reduced revenue and profits, refunds to customers and damage to our reputation. Although we have procedures to monitor the efficacy of our information technology platforms, the procedures may not prevent failures or deficiencies in the information technology platforms we develop and implement, we may not adapt quickly enough and may incur significant costs and delays that could harm our business. Additional costs will be incurred to further develop and improve our information technology platforms. Additional costs could be incurred to further develop and improve our information technology platforms.

In addition, changing technologies including AI and other emerging technologies may become significant to operational results in the future. Although we plan to continue to invest in research and development, including through acquisitions, in order to enhance our technology and new and existing solutions. However, if we are unable to successfully anticipate, develop, implement and utilize such emerging technologies as effectively as competitors or our customers are able to use AI as a replacement to our services, our results of operations may be negatively affected. Additionally, while AI and other technologies may offer substantial benefits, they may also introduce additional risks and raise ethical, technological, legal, regulatory, and other issues that may negatively affect the demand for our solutions.

Our systems and those of our external service providers could be exposed to damage or interruption from fire, natural disasters, which may increase in frequency and severity due to climate change, energy loss, telecommunication failure, security breach and computer viruses. An operational failure or outage in our information technology and communication systems or those of our external service providers, could result in loss of customers, damage to customer relationships, reduced revenue and profits, refunds of customer charges and damage to our reputation and may result in additional expense to repair or replace damaged equipment and recover data loss resulting from the interruption. Although we have taken steps to prevent system failures and have back-up systems and procedures to prevent or reduce disruptions, such steps may not prevent an interruption of services and our disaster recovery planning may not account for all contingencies. Additionally, our insurance may not adequately compensate us for all losses or failures that may occur. Any one of the above situations could have a material adverse effect on our business, financial condition, results of operations and reputation.

If we or our third-party service providers sustain cyber-attacks or other privacy or data security incidents that result in security breaches that disrupt our operations or result in the unintended dissemination of protected personal information or proprietary or confidential information or AI impacts our demand for, or providing of, services, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.

In connection with our client services, we and our third-party service providers receive, process, store and transmit sensitive business information and, in certain circumstances, personal medical information of our clients’ patients, electronically over the internet. We or our third-party service providers may become the target of attempted cyber-attacks and other security threats and may be subject to breaches of the information technology systems we use. Experienced computer programmers and hackers may be able to penetrate our security controls and access, misappropriate or otherwise compromise protected personal information or proprietary or confidential information or that of third parties, create system disruptions or cause system shutdowns that could negatively affect our operations. They also may be able to develop and deploy viruses, worms, ransomware, and other malicious software programs that attack our systems or otherwise exploit any security vulnerabilities

In addition, the risk of cyber-attacks has increased in connection with the military conflict between Russia and Ukraine and the resulting geopolitical conflict. In light of those and other geopolitical events, nation-state actors or their supporters may launch retaliatory cyber-attacks and may attempt to cause supply chain and other third-party service provider disruptions, or take other geopolitically motivated retaliatory actions that may disrupt our business operations, result in data compromise, or both. Nation-state actors have in the past carried out, and may in the future carry out, cyber-attacks to achieve their aims and goals, which may include espionage, information operations, monetary gain, ransomware, disruption, and destruction. In February 2022, the U.S. Cybersecurity and Infrastructure Security Agency issued a “Shields Up” alert for American organizations noting the potential for Russia’s cyber-attacks on Ukrainian government and critical infrastructure organizations to impact organizations both within and beyond the United States, particularly in the wake of sanctions imposed by the United States and its allies, which is still in effect. These circumstances increase the likelihood of cyber-attacks and/or security breaches.

We were the target of a cyber-attack in 2020, which resulted in temporary suspension of our services to clients. One of our third-party service providers was the target of a cyber-attack in December 2022, which resulted in a temporary suspension of certain services to our clients. In both instances no protected data was compromised or exfiltrated. We, and our service providers, will likely continue to be the target of other attempted cyber-attacks and security threats. Such cyber-attacks may subject us to litigation and regulatory risk, civil and criminal penalties, additional costs and diversion of management attention due to investigation, remediation efforts and engagement of third-party consultants and legal counsel in connection with such incidents, payment of “ransoms” to regain access to our systems and information, loss of clients, damage to client relationships, reduced revenue and profits, refunds of client charges and damage to our reputation, any of which could have a material adverse effect on our business, cash flows, financial condition and results of operations. Such cyber-attacks may subject us to litigation and regulatory risk, civil and criminal penalties, additional costs and diversion of management attention due to investigation, remediation efforts and engagement of third party consultants and legal counsel in connection with such incidents, payment of “ransoms” to regain access to our systems and information, loss of clients, damage to client relationships, reduced revenue and profits, refunds of client charges and damage to our reputation, any of which could have a material adverse effect on our business, cash flows, financial condition and results of operations. While we have contingency plans and insurance coverage for potential liabilities of this nature, they may not be sufficient to cover all claims and liabilities and in some cases are subject to deductibles and layers of self-insured retention. Any system failure, inability to upgrade or update, or security breach (including cyber-attacks) related to our information technology systems may also impact third parties that we rely on in our business and could result in a hinderance to the services provided by the Company or such third parties, as the case may be, and may have a material adverse effect on our business.

We cannot ensure that we or our third-party service providers will be able to identify, prevent or contain the effects of cyber-attacks or other cybersecurity risks that bypass our security measures or disrupt our information technology systems or business. We have security technologies, processes and procedures in place to protect against cybersecurity risks and security breaches. However, hardware, software or applications we develop or procure from third parties may contain defects in design, manufacturer defects or other problems that could unexpectedly compromise information security. In addition, because the techniques used to obtain unauthorized access, disable or degrade service or sabotage systems change frequently, are becoming increasingly sophisticated, and may not immediately produce signs of intrusion, we may be unable to anticipate these techniques, timely discover or counter them or implement adequate preventative measures.

In addition, we use third-party technology, systems and services for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to clients, back-office support, and other functions that in some cases involve processing, storing and transmitting large amounts of data for our business. These third-party providers may also experience security breaches or interruptions to their information technology hardware and software infrastructure and communications systems that could adversely impact us.

Under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, or HITECH, implementing regulations promulgated by the U.S. Department of Health and Human Services, or “HHS,” including what are referred to as the “Privacy Rule” and the “Security Rule” (collectively, “HIPAA”), we face potential liability related to the privacy of health information we obtain. We are required through our contracts with our clients and by HIPAA to protect the privacy and security of certain health information and to make certain disclosures to our clients or to the public if this information is unlawfully accessed.

Changes in privacy and information security laws and standards may require that we incur significant expense to ensure compliance due to increased technology investment and operational procedures. Noncompliance with any privacy or security laws and regulations, including, without limitation, HIPPA, or any security breach, cyber-attack or cybersecurity breach, and any incident involving the misappropriation, loss or other unauthorized disclosure or use of, or access to, sensitive or confidential information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause client losses and contract breaches, and could also result in regulatory enforcement actions, material fines and penalties, litigation or other actions that could have a material adverse effect on our business, cash flows, financial condition and results of operations. Even if cyber-attacks or other cybersecurity breaches do not result in noncompliance with privacy or security laws, the perception that such noncompliance may have occurred by our clients or in the news media may have an adverse impact on our stock price and could result in damage to our reputation or loss of clients, which could have a material adverse effect on our business, cash flows, financial condition and results of operations.

New solution offerings involve inherent risk.

We have made substantial investments to develop new solution offerings and technologies, including AI enhanced offerings. We expect to continue investing significant resources in developing new technologies, tools, features, and solutions. At the same time, our competitors are rapidly developing their technologies and services, and our offerings may not be able to compete effectively. Our new solutions have a high degree of risk, as each involves strategies and technologies which we have limited or no prior development or operating experience. There can be no assurance that customer demand for such initiatives will exist or be sustained at the levels that we anticipate, or that they will generate sufficient revenue to offset any new expenses or liabilities associated with these new investments. Further, our development efforts with respect to new solution offerings and technologies could distract management from current operations and will divert capital and other resources from our more established solution offerings and technologies. Even if we are successful in developing new solution offerings or technologies, regulatory authorities may subject us to new rules or restrictions in response to our innovations that could increase our expenses or prevent us from successfully commercializing new solution offerings or technologies. At the same time, if we do not realize the expected benefits of our investments, our business, financial condition and operating results may be harmed. If we do not invest in commercially successful and innovative technologies, we may not realize the expected benefits of those investments. No assurance can be given that such strategies and offerings will be successful and will not harm our reputation, financial condition, and operating results.

Some of our employees work remotely, which may increase the cybersecurity risks to our business, including an increased demand for information technology resources, increased risk of phishing, and other cybersecurity risks.

We have, and will continue to have, a portion of our employee population that works from home full-time or under flexible work arrangements, and we have provided associates with expanded remote network access options which enable them to work outside of our corporate infrastructure and, in some cases, use their own personal devices, which exposes us to additional cybersecurity risks. Our employees working remotely may expose us to cybersecurity risks through: (i) unauthorized access to sensitive information as a result of increased remote access, including our employees’ use of Company-owned and personal devices and videoconferencing functions and applications to remotely handle, access, discuss, or transmit confidential information, and (ii) increased exposure to phishing and other scams as cybercriminals may, among other things, install malicious software and access sensitive information. We believe that the increased number of employees working remotely has incrementally increased our cyber risk profile, but we are unable to predict the extent or impacts of those risks at this time. A significant disruption of our information technology systems, unauthorized access to or loss of confidential information, or legal claims resulting from our violation of privacy laws could each have a material adverse effect on our business.

Reputational harm could have a material adverse effect on our business, financial condition and results of operations.

Our ability to maintain a positive reputation is critical to selling our services. Our reputation could be adversely impacted by any of the following (whether or not valid): the failure to maintain high ethical and social standards; the failure to perform our client services in a timely manner; violations of laws and regulations; failure to adequately preserve information security; and the failure to maintain an effective system of internal controls or to provide accurate and timely financial information. Damage to our reputation or loss of our clients’ confidence in our services for any of these, or any other reasons, could adversely impact our business, revenues, financial condition, and results of operations, as well as require additional resources to rebuild our reputation.

Our operations are subject to laws and regulations that impose significant compliance costs and create reputational and legal risk.

Due to the nature of the services we offer, we are subject to significant commercial, trade and privacy regulations. We cannot predict the nature, scope or effect of future regulatory requirements to which our operations might be subject or the manner in which existing laws might be administered or interpreted, which could have a material and negative impact on our business and our results of operation. For example, recent years have seen an increase in the development or enforcement of legislation related to healthcare reform, privacy, trade compliance and anti-corruption. Additionally, some of the services we provide include information our clients need to fulfill regulatory reporting requirements. If our services result in errors or omissions in our clients’ regulatory reporting, we may be subject to loss of clients, reputational harm or litigation, each potentially adversely impacting our business. Furthermore, although we maintain a variety of internal policies and controls designed to educate, discourage, prevent and detect violations of such laws, we cannot guarantee that such actions will be effective or sufficient or that individual employees will not engage in inappropriate behavior in breach of our policies. Such conduct, or even an allegation of misbehavior, could result in material adverse reputational harm, costly investigations, severe criminal or civil sanctions, or could disrupt our business, and could negatively affect our results of operations or financial condition.

Ineffective internal controls could have a negative impact on our business, results of operations, and our reputation.

Our internal controls over financial reporting may not prevent or detect misstatements because of its inherent limitations, including the possibility of human error, failure or interruption of information technology systems, the circumvention or overriding of controls, or fraud. Even effective internal controls can provide only reasonable assurance with respect to the preparation and fair presentation of financial statements. If we fail to maintain the adequacy of our internal controls, including any failure to implement required new or improved controls, or if we experience difficulties in their implementation, including with the implementation of our internal controls in acquired companies, our business and operating results could be harmed and we could fail to meet our financial reporting obligations, which also could have a negative impact on our reputation.

Our growth strategy includes future acquisitions, partnerships and/or investments which involve inherent risk.

In order to expand services or technologies to existing clients and increase our client base, we have historically, and may in the future, make strategic business acquisitions, partnerships with other organizations and/or investments that we believe complement our business.

Acquisitions have inherent risks which may have material adverse effects on our business, financial condition, or results of operations, including, among other things: (1) failure to successfully integrate the purchased operations, technologies, products or services and maintain uniform standard controls, policies and procedures; (2) substantial unanticipated integration costs; (3) loss of key associates including those of the acquired business; (4) diversion of management’s attention from other operations; (5) failure to retain the customers of the acquired business; (6) failure to achieve any projected synergies and performance targets; (7) additional debt and/or assumption of known or unknown liabilities; (8) dilutive issuances of equity securities; and (9) a write-off of goodwill, software development costs, client lists, other intangibles and amortization of expenses. If we fail to successfully complete acquisitions or integrate acquired businesses, we may not achieve projected results and there may be a material adverse effect on our business, financial condition and results of operations. In addition, volatility in the equity markets could impair our financial position in general terms and our ability to effectively capitalize on potential merger and acquisition opportunities.

We have established a strategic partnership and intend to continue to establish strategic partnerships with third parties to enhance our solution offering. We currently depend on our partner’s technology to perform certain services for our customers. As a result, these services may not be provided in the manner or on the time schedule we currently expect, which may negatively impact our business operations. In addition, we cannot control the amount and timing of resources our partners may devote to their technology enhancements. Furthermore, there is no assurance that our partner-provided services will be purchased by our customers. Our partners may terminate their agreements with us for cause under certain circumstances and may elect not to renew our agreements, which could discontinue our ability to use their technologies and could result in our partners pursuing competing solutions. If our partners terminate or breach our agreements with them or otherwise fail to complete their obligations in a timely manner, it may have a detrimental effect on our financial position by reducing or eliminating the potential for us to receive technology access and perform our contractual obligations to our customers. These factors could have a material adverse effect on our business, financial condition and results of operations. Reputational harm could have a material adverse effect on our business, financial condition and results of operations.

If we are unable to achieve a proper revenue to cost ratio our profitability could decrease

Our ability to achieve our goals and earnings growth depends on our ability to grow our revenue and achieve the appropriate cost structure for our revenues. Our revenue and margins have decreased in recent years. We have invested in product development, leadership and recruiting in an effort to increase revenue. During the second quarter of 2025 we expect to recognize compensation expense of $4.9 million (based on the price of our common stock on February 28, 2025) for Mr. Green's signing bonus. In addition, we expect to recognize compensation expense of approximately $608,000 (based on the price of our common stock on February 28, 2025) per quarter for Mr. Green's equity grant beginning in June 2025 and continuing through the third anniversary of the grant. In light of Mr. Green's hiring and compensation, we expect to terminate the existing long-term incentive program for our executive leadership team with the consent of the impacted participants and adopt a new incentive program during the second quarter of 2025, which could result in additional expenses. We have also adjusted spending in certain areas to reduce costs. If we are unsuccessful in increasing our revenue or we do not reduce costs sufficiently, our margins will continue to be compressed.

Risks Related to our Common Stock

Our principal shareholders effectively control the Company.

A majority of our common stock and voting power was historically owned and/or held by Michael D. Hays, our Chief Executive Officer and President. However, over the years Mr. Hays, for estate planning purposes, gifted and/or transferred almost all of his directly owned shares to trusts for the benefit of his family. Currently, the principal holder of shares previously owned by Mr. Hays is the Common Property Trust (the “Trust”).

As of February 28, 2025, approximately 37.5% of our outstanding common stock was owned by the Trust and approximately 46.8% of our outstanding common stock was held by the Trust and other entities controlled by trustees or special power holders for the benefit of members of Mr. Hays’ family. As a result, the Trust and these other entities, through the trustees or special power holders, have the power to indirectly control decisions such as whether to issue additional shares or declare and pay dividends and can control matters requiring shareholder approval, including the election of directors and the approval of significant corporate matters such as change of control transactions. As a result, the Trusts and these other entities have the power to indirectly control decisions such as whether to issue additional shares or declare and pay dividends and can control matters requiring shareholder approval, including the election of directors and the approval of significant corporate matters such as change of control transactions. The effects of such influence could be to delay or prevent a change of control of the Company unless the terms are approved by the Trust and these other entities.

The market price of our common stock may be volatile and shareholders may be unable to resell shares at or above the price at which the shares were acquired.

The market price and trading volume of our common stock has historically been and may continue to be highly volatile, and investors in our common stock may experience a decrease in the value of their shares, including decreases that are in response to factors beyond our control, including, but not limited to:

Any of these factors, among others, may result in changes in the trading volume and/or market price of our common stock. Following periods of volatility in the market price of securities, shareholders have often filed securities class-action lawsuits. Our involvement in a class-action lawsuit would result in substantial legal fees and divert our senior management’s attention from operating our business, which could harm our business and net income.

General Risk Factors

Our operating results may fluctuate and this may cause our stock price to decline.

Our overall operating results may fluctuate as a result of a variety of factors, including the size and timing of orders from clients, client demand for our services (which, in turn, is affected by factors such as accreditation requirements, enrollment in managed care plans, operating budgets and clients’ operating performance), the hiring and training of additional staff, expense increases, and industry and general economic conditions. Because a significant portion of our overhead is fixed in the short-term, particularly some costs associated with owning and occupying our building and full-time personnel expenses, our results of operations may be materially adversely affected in any particular period if revenue falls below our expectations. These factors, among others, make it possible that in some future period our operating results may be below the expectations of securities analysts and investors which would have a material adverse effect on the market price of our common stock.

Our business and operating results could be adversely affected if we are unable to attract or retain key managers and other personnel.

Our future performance may depend, to a significant extent, upon the efforts and ability of our key personnel who have expertise in gathering, interpreting and marketing survey-based performance information for healthcare markets. Although client relationships are managed at many levels within our company, the loss of the services of Michael D. Hays, our Chief Executive Officer and President, or one or more of our other executive officers, could have a material adverse effect, at least in the short to medium term, on most significant aspects of our business, including strategic planning, product development, and sales and customer relations. Hays, our Chief Executive Officer and President, or one or more of our other senior managers, could have a material adverse effect, at least in the short to medium term, on most significant aspects of our business, including strategic planning, product development, and sales and customer relations. Our success will also depend on our ability to hire, train and retain skilled personnel in all areas of our business. Competition for qualified personnel in our industry is intense, and many of the companies that compete with us for qualified personnel have substantially greater financial and other resources than us. Furthermore, we expect competition for qualified personnel to become more intense as competition in our industry increases. We cannot assure you that we will be able to recruit, retain and motivate a sufficient number of qualified personnel to compete successfully. While we expect Mr. Green will begin serving as our Chief Executive Officer and as a director on June 1, 2025, his start date may be delayed or may never occur.

In December 2024, Linda Stacy left her position as our Principal Accounting Officer, in January 2025, Christophe Louvion, left his position as our Chief Product Technology Officer, and in March 2025, Jason Hahn left his position as Chief Revenue Officer. While Ms. Stacy has been temporarily appointed as Interim Principal Financial Officer, these departures or departures of other key executive may result in lack of continuity, operational issues and we may not realize the expected benefits and results from compensation structures we have put in place.

Like many other companies, we experienced higher attrition rates in the last several years. We may incur higher costs to attract, train and retain these associates. Attrition in our sales and service areas can also impact our ability to retain and attract new business. We may need to develop or adapt to new ways of doing business that challenge our leadership, our associate training, our human resources, and our business practices, and we cannot assure you that we will be successful in doing so. The short and long-term costs associated with these potential changes are difficult to quantify.

Increases in income tax rates, changes in income tax laws or regulations, or unfavorable resolutions of tax matters could adversely impact our profitability.

We are subject to income tax in the United States. Our overall effective income tax rate is a function of the federal and local tax rates and the geographic mix of our income before taxes in the jurisdictions in which we operate. The new administration has indicated a desire to amend the federal tax laws. Changes in tax rates could negatively impact our net income. Tax laws and regulations, including rates of taxation, are subject to revisions by individual taxing jurisdictions. It is possible that these types of changes could materially impact our net income and cash flows. Significant judgment is required in determining our annual income tax expense and in evaluating our tax positions. Although we believe our tax estimates are reasonable, the final determination of tax audits could materially differ from our historical income tax provisions, estimates and accruals and could materially adversely impact our financial statements for the period or periods which the statute of limitations is open.

Failure to comply with public company regulations could adversely impact our profitability.

As a public company, we are subject to the reporting requirements of the Securities Act of 1933, the Securities Exchange Act of 1934, the Sarbanes-Oxley Act of 2002, the Dodd-Frank Act Wall Street Reform and Consumer Protection Act, the listing requirements of NASDAQ and other applicable securities rules and regulations. Additionally, laws, regulations and standards relating to corporate governance and public disclosure are subject to varying interpretations and continue to develop and change. If we misinterpret or fail to comply with these rules and regulations, our legal and financial compliance costs and net income may be adversely affected.

We may change our dividend policy at any time.

We have historically paid quarterly dividends to holders of our common stock. Although we expect to continue to pay dividends to holders of our common stock, the declaration and amount of any future dividends is subject to approval of our Board of Directors and various risks and uncertainties, including, but not limited to, our cash flow and cash needs, compliance with applicable law, restrictions on the payment of dividends under existing or future financing arrangements, changes in tax laws relating to corporate dividends, and deterioration in our financial condition or results of operations. Accordingly, our dividend policy may change at any time without notice, and our Board of Directors may determine to terminate payment of dividends, or reduce the amount or frequency of dividend payments, and we may not pay dividends at our historical rates or at all.

Item 1B.

Unresolved Staff Comments

We have no unresolved staff comments to report pursuant to this item.

Item 1C.

Cybersecurity

We have a robust information security program to safeguard our information and systems as well as third parties that create, receive, or transmit our information or are critical to our operations. The controls within the program are constantly updated to adapt to technological advancements, regulatory changes, and operational needs, ensuring that we uphold our strict standards and unwavering commitment to maintaining confidentiality, integrity, and availability of our valuable information assets.

Risk management & strategy

Our information security program, including cybersecurity risk management is integrated into our overall Enterprise Risk Management Program (“ERMP”) framework. Our ERMP assesses strategic, operational, and environmental factors to identify key and emerging risks across the organization including cybersecurity risks. A key risk matrix is maintained to evaluate the potential impact of key risks and monitor the effectiveness of mitigation and controls. We, our customers, suppliers, and subcontractors face cybersecurity risks such as phishing, ransomware, zero-day exploits, malware attacks, and social engineering attacks. A cybersecurity incident impacting us or our subcontractors could materially adversely affect our performance and results of operations. For more information on about the cybersecurity risks we face, see the factors set forth under the caption “Risk Factors” in Part I, Item 1A of this Annual Report on Form 10-K.

Our cybersecurity risk management procedures encompass comprehensive administrative, technical, and physical security measures. Our Security Team meets, subscribes to intelligence sources, and actively participates in professional organizations to stay informed and have reliable access to the latest information on emerging threats and vulnerabilities. We utilize both internal tools and third-party resources to perform risk and vulnerability assessments, as well as penetration testing. This includes a comprehensive managed security service that operates 24/7, dedicated to scanning and analyzing potential threats. Our Contractors and Third Parties Policy requires certain vendors to undergo annual reviews including security assessments and site visits. Additionally, our subcontractor agreements require that they report any security incidents. Risk assessment results and recommendations are documented in our risk register, reported, and closely monitored by our security team. Annually, we engage independent auditors to issue a System and Organization Control (SOC) 2 - Type II report based on their examination of our critical systems used to provide services to our clients for the suitability of design and operating effectiveness of controls.

Governance

The Board of Directors has the responsibility to oversee our enterprise risk management framework and associated policies and procedures. The Audit Committee of the Board has been assigned the responsibility to inquire of management, the independent accountants and the internal auditor about significant risks and exposures, including risks and exposures relating to data privacy, information security, and cybersecurity, and assess the steps management has taken to minimize such risks and exposures; and to make recommendations to the Board, as and when appropriate, as to the scope, direction, investment levels, and execution of the our data privacy, information security and cybersecurity initiatives.

Our Enterprise Risk Management Committee (ERMC), which includes certain associates with data privacy, information security, and cybersecurity experience, supports our Board of Directors in this oversight. The ERMC reports to the Audit Committee of the Board of Directors. The ERMC manages the ERMP and provides regular updates to the Audit Committee regarding our key risks and ERMP developments. Our Vice President of Privacy Compliance also reports to the Audit Committee on a regular basis, providing an Information Security Report, which includes information such as our information system risk profile, our top risk challenges, and security initiatives and strategies. Additionally, the ERMC communicates emerging risks and the mitigation of those risks to the Audit Committee, among other things. Significant cybersecurity matters, and strategic risk management decisions are elevated to the overall Board of Directors to enable oversight and guidance on critical cybersecurity issues.

Our Vice President of Privacy Compliance, Jen Spencer, is an ERMC member and has primary responsibility for our Information Security Program, including the maintenance and enforcement of our security policies. Ms. Spencer serves as an advisor to our leadership team, assisting them in optimizing security measures, mitigating risk, fortifying defenses, and minimizing vulnerabilities. Ms. Spencer develops written policies and procedures and conducts training to ensure our entire organization is well-protected. She is responsible for overseeing and executing the strategic plan for our data protection program, information security systems, compliance, computer networks and business continuance/disaster recovery. Additionally, Ms. Spencer actively participates in project management duties and manages information security integration efforts, working closely with internal teams, vendors, subcontractors, and clients. Ms. Spencer has over twenty years in cybersecurity, privacy, and compliance. Her primary job responsibilities include security, privacy, and compliance including AI data governance. Ms. Spencer works on several working groups through H-ISAC, Women in Bio, and Women in AI Governance. Prior to NRC she was the CIO/CISO/CPO for the Rochester RHIO and Manager of Information Security and GRC with Excellus Health Plan. She graduated from Rochester Institute of Technology (RIT) with an eMBA and a master’s in science in IT Security. She earned her paralegal certificate from Stony Brook University and holds several industry certifications. Ms. Spencer is also an adjunct professor at RIT, the University of Virginia and the Blue Ridge Virginia Governor's School.

Recently Filed
Click on a ticker to see risk factors
Ticker * File Date
HWBK 20 hours ago
TRSO 20 hours ago
SAIC 20 hours ago
BHRB 21 hours ago
NUVR 21 hours ago
TETEF 21 hours ago
NRC 22 hours ago
PACK 23 hours ago
CVGI 1 day ago
NEWT 1 day ago
PACB 1 day ago
CTGO 1 day ago
SNDA 1 day ago
CRVO 1 day ago
MBX 1 day ago
PLX 1 day, 1 hour ago
TSQ 1 day, 3 hours ago
FMCB 3 days, 13 hours ago
ANIK 3 days, 14 hours ago
ACR 3 days, 14 hours ago
BGSF 3 days, 15 hours ago
NXU 3 days, 15 hours ago
SSBK 3 days, 15 hours ago
BPRN 3 days, 15 hours ago
HNVR 3 days, 15 hours ago
MUX 3 days, 15 hours ago
HYAC 3 days, 16 hours ago
LPSN 3 days, 16 hours ago
NEN 3 days, 16 hours ago
HSON 3 days, 16 hours ago
BMRC 3 days, 16 hours ago
UHG 3 days, 16 hours ago
AMTX 3 days, 16 hours ago
GRI 3 days, 16 hours ago
GAN 3 days, 16 hours ago
USCB 3 days, 16 hours ago
LSBK 3 days, 16 hours ago
SKYT 3 days, 16 hours ago
XPOF 3 days, 16 hours ago
MYPS 3 days, 16 hours ago
FRAF 3 days, 16 hours ago
HBIA 3 days, 16 hours ago
AROW 3 days, 16 hours ago
WMT 3 days, 16 hours ago
MCHX 3 days, 16 hours ago
BZFD 3 days, 16 hours ago
MX 3 days, 16 hours ago
MNTK 3 days, 16 hours ago
KBSR 3 days, 16 hours ago
NRXP 3 days, 16 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard