How to Draft the Risk Factors Section of a Hong Kong Prospectus

The decision by the Hong Kong Stock Exchange (HKEX) to mandate climate-related disclosures under the enhanced Appendix C2 and D2 of the Listing Rules, effective for financial years commencing on or after 1 January 2025, has fundamentally altered the drafting calculus for the risk factors section of a Hong Kong prospectus. This is not merely a compliance update; it represents a structural shift in how issuers must articulate exposure to transition risk, physical risk, and the broader regulatory trajectory of the International Sustainability Standards Board (ISSB). For sponsors and listing counsel, the risk factors chapter—historically a boilerplate exercise in legal disclaimers—has become a site of heightened liability exposure, particularly under the Securities and Futures Ordinance (SFO) for misstatements. The 2024 enforcement actions by the Securities and Futures Commission (SFC) against sponsors for deficient due diligence on prospectus disclosures underscore that vague, generic risk language is no longer defensible. This article provides a technical framework for drafting risk factors that satisfy HKEX’s materiality standard, align with the 2025 climate rules, and withstand SFC scrutiny.

The Regulatory Foundation: From Boilerplate to Materiality

The starting point for any risk factors section is the principle of materiality, not completeness. HKEX Listing Rule 11.07 requires a prospectus to contain “full, true and plain disclosure of all material facts,” a standard interpreted by the SFC in its Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission (the Code) to mean that risk factors must be “specific to the issuer and its business.” The 2025 climate disclosure rules intensify this requirement by mandating that issuers disclose how climate-related risks are “reasonably likely to impact the issuer’s prospects,” a phrase drawn directly from the ISSB’s IFRS S2.

Defining the Materiality Threshold

A common drafting error is listing every conceivable risk—from asteroid impact to currency devaluation in a jurisdiction where the issuer has no operations. This approach dilutes the impact of genuine risks and invites SFC inquiry. The materiality threshold should be defined by reference to the issuer’s latest audited financial statements and the forward-looking statements in the “Business” and “Financial Information” sections. For a PRC-based consumer internet company with a VIE structure, for example, the risk of a regulatory ban on variable interest entities (VIEs) is material if it accounts for more than 50% of consolidated revenue, as was the case for several issuers in the 2021-2023 wave of PRC regulatory crackdowns. The risk of a hypothetical trade war with a non-material jurisdiction is not.

The SFC’s Guidance Note on Due Diligence for Sponsors (2017, updated 2023) explicitly states that risk factors must be “cross-referenced to the issuer’s business model and financial condition.” Practically, this means the drafting team should begin with a materiality matrix derived from the issuer’s SWOT analysis and the sponsor’s due diligence findings. Each risk factor should be ranked by probability and potential financial impact, with only those crossing a defined threshold—for instance, a probability of >10% or a potential impact of >5% of net profit—included in the prospectus.

The Climate Risk Integration

The 2025 climate rules require a separate “Climate-related Disclosures” section in the prospectus, but the risk factors chapter must still cross-reference these disclosures. For a Hong Kong-listed real estate developer, physical risk from extreme weather events in its primary operating region must be articulated not as a generic “climate change may affect our business” but as a specific, quantified exposure. If the developer has HKD 10 billion in assets located in a flood-prone area, the risk factor should state: “As of 31 December 2024, approximately HKD 10 billion, or 35%, of our property portfolio is located in areas designated as high-risk flood zones by the Hong Kong Observatory. A single Category 3 typhoon could result in property damage and business interruption losses estimated at HKD 500 million to HKD 800 million, based on our internal risk assessment models.”

This level of specificity satisfies the HKEX’s requirement for “scenario analysis” under the new rules and provides a defensible basis for the disclosure. Sponsors should note that the SFC’s 2024 enforcement action against a sponsor for failing to verify climate risk data in a prospectus for a renewable energy company signals that climate-related risk factors will be closely scrutinised.

Structuring the Section: Taxonomy and Hierarchy

The risk factors section must be organised in a logical hierarchy that mirrors the issuer’s business model. The standard taxonomy used by Hong Kong listing counsel typically includes: (i) risks relating to the PRC legal and regulatory environment, (ii) risks relating to the VIE structure, (iii) risks relating to the issuer’s business and industry, (iv) risks relating to the offering and the H shares, and (v) forward-looking statement disclaimers. Each category must be internally consistent and avoid repetition.

PRC Regulatory Risks: The VIE and Data Security Dimensions

For PRC-based issuers, the risk factors section must address the evolving regulatory landscape under the Cybersecurity Law of the People’s Republic of China (2017), the Data Security Law (2021), and the Personal Information Protection Law (2021). The drafting challenge is to articulate these risks without creating a self-fulfilling prophecy that destroys the issuer’s valuation. The solution is to frame risks as contingent on specific regulatory actions, not as certainties.

A typical risk factor for a VIE-structured issuer might read: “We conduct our operations in the People’s Republic of China through contractual arrangements with our PRC domestic entities, commonly known as a variable interest entity (VIE) structure. Although the PRC government has not, to date, prohibited the use of VIE structures by companies seeking overseas listings, the PRC Securities Law (2020) and the Administrative Measures for the Filing of Overseas Securities Offerings and Listings by Domestic Companies (2023) require that any overseas listing of a PRC domestic company must be filed with the China Securities Regulatory Commission (CSRC). If the CSRC determines that our VIE structure violates PRC law, we may be required to unwind these arrangements, which could result in the loss of our ability to consolidate the financial results of our PRC operating entities. As of the date of this prospectus, no such determination has been made, and we have received a filing acceptance letter from the CSRC dated [date].”

This drafting achieves three objectives: it states the risk clearly, it grounds the risk in a specific regulatory framework (the CSRC filing regime), and it provides a factual counterpoint (the filing acceptance) that mitigates the risk’s perceived immediacy. The SFC’s Code of Conduct requires that risk factors not be “misleading by omission,” and this structure ensures that both the risk and the current state of compliance are disclosed.

Business and Industry Risks: Quantification and Benchmarking

Risks relating to the issuer’s business must be quantified wherever possible. For a biotech issuer relying on a single drug candidate, the risk factor should state the probability of clinical trial failure based on industry benchmarks. For example: “According to a 2023 study published in Nature Biotechnology, approximately 90% of drug candidates that enter Phase I clinical trials fail to obtain regulatory approval. Our lead product candidate, [Drug Name], is currently in Phase II trials. If [Drug Name] fails to demonstrate efficacy or safety in its ongoing Phase III trials, we may be unable to generate any revenue from product sales, and our entire business may be materially and adversely affected.”

For a technology issuer with a concentrated customer base, the risk factor should name the top customers and their revenue contribution. “For the year ended 31 December 2024, our top three customers accounted for 62%, 15%, and 8% of our total revenue, respectively. The loss of any one of these customers could result in a material decline in our revenue and profitability.” This specificity forces the issuer to acknowledge its concentration risk and provides investors with the data needed to assess that risk independently.

The Liability Shield: Forward-Looking Statements and Qualification

The risk factors section serves a dual function: it informs investors and it provides a legal defence against claims of misrepresentation. Under section 40 of the Companies (Winding Up and Miscellaneous Provisions) Ordinance (Cap. 32), a person is liable for loss suffered by a person who subscribes for shares on the faith of a prospectus that contains an untrue statement. The risk factors section, if drafted properly, can demonstrate that the issuer disclosed the specific risk that later materialised, thereby defeating a claim of misrepresentation.

The “Known Unknown” Framework

The most defensible risk factors are those that identify a “known unknown”—a risk that is identifiable but whose outcome is uncertain. For example, a risk factor stating “We may be unable to renew our key intellectual property licenses” is weak because it does not identify the specific license or the renewal conditions. A stronger version reads: “Our patent for [Drug Name] in the United States is scheduled to expire on [date]. We have filed a patent term extension application with the United States Patent and Trademark Office (USPTO), but there is no assurance that this application will be granted. If the patent is not extended, generic competition could reduce our revenue from [Drug Name] by up to 80% within 12 months of patent expiry, based on historical generic erosion rates in the oncology sector.”

This formulation identifies the specific license, the regulatory body involved, the contingency (patent term extension), and the quantified impact. If the patent extension is denied and revenue declines, the issuer can point to this risk factor as evidence of full disclosure.

The Role of the Sponsor’s Due Diligence Report

The sponsor’s due diligence report, filed with the HKEX under the Listing Rules, must support every risk factor in the prospectus. The SFC’s 2023 enforcement action against a sponsor for failing to verify a risk factor regarding a PRC regulatory licence is instructive. The sponsor had accepted management’s representation that the licence was valid, but the SFC found that the sponsor had not conducted an independent check with the PRC regulator. The resulting fine of HKD 30 million and a 12-month suspension underscored the importance of independent verification.

For each material risk factor, the sponsor’s working papers should contain: (i) a source document supporting the factual basis of the risk (e.g., a regulatory notice, a market report, a legal opinion), (ii) a cross-reference to the due diligence step that verified the information, and (iii) a record of the discussion with management about the risk’s probability and impact. This documentation is the sponsor’s primary defence in any subsequent SFC investigation.

Cross-Border Considerations: The VIE and PRC Filing Regime

The intersection of the HKEX Listing Rules, the PRC filing regime under the Administrative Measures for the Filing of Overseas Securities Offerings and Listings by Domestic Companies (2023), and the SFC’s disclosure requirements creates a complex drafting environment for PRC-based issuers. The risk factors section must address the PRC regulatory approval process without creating an impression that approval is guaranteed.

The CSRC Filing and Its Implications

The CSRC filing requirement, effective from 31 March 2023, mandates that any domestic company seeking an overseas listing must file with the CSRC within three business days of submitting its listing application to the overseas exchange. The risk factors section must disclose the status of this filing and the consequences of a denial. A typical drafting for a company that has filed but not yet received a “no objection” letter reads: “We have submitted our CSRC filing on [date] and have received an acknowledgement of receipt from the CSRC. There is no assurance that the CSRC will issue a ‘no objection’ letter or that it will not impose additional conditions on our listing. If the CSRC determines that our filing is incomplete or that our VIE structure violates PRC law, our listing may be delayed or prohibited.”

For companies that have received the CSRC’s “no objection” letter, the risk factor should state the date of the letter and its scope, but should also note that the CSRC retains the authority to revoke its approval if new information emerges. This drafting balances the need for transparency with the issuer’s interest in not creating unnecessary alarm.

The Data Security Cross-Border Transfer Risk

The Data Security Law and the Personal Information Protection Law impose restrictions on the cross-border transfer of personal information and “important data.” For a fintech issuer that processes PRC customer data, the risk factor must address the potential for regulatory action if the issuer’s data security assessment is not approved. The drafting should reference the specific regulatory pathway: “We are required to undergo a data security assessment under the Measures for Data Security Assessment (2022) before transferring any personal information or important data outside of the PRC. As of the date of this prospectus, we have not completed this assessment. If the assessment is not approved, or if the Cyberspace Administration of China (CAC) imposes additional restrictions on our data transfer practices, our ability to operate our business and to report financial results to our Hong Kong auditors may be materially impaired.”

This risk factor is specific, regulatory-grounded, and does not assume a negative outcome. It also creates a clear timeline for investors to monitor: the completion of the data security assessment will be a key milestone for the issuer’s risk profile.

Practical Takeaways for Drafting Teams

The risk factors section of a Hong Kong prospectus is a legal document, not a marketing brochure. Every sentence must be defensible by reference to a primary source, and every claim must be quantified where possible. The 2025 climate disclosure rules and the SFC’s heightened enforcement posture mean that generic drafting is no longer acceptable. The following five takeaways provide a practical checklist for sponsors and listing counsel:

1. Map every risk factor to a specific, verifiable source document in the sponsor’s due diligence report, and ensure that source is dated and authorised by the relevant regulatory body or independent expert.

2. Quantify the financial impact of each material risk using data from the issuer’s audited financial statements, industry benchmarks, or independent third-party reports, and state the methodology used for any scenario analysis.

3. Cross-reference climate risks to the 2025 HKEX climate disclosure requirements, ensuring that physical and transition risks are quantified by reference to the issuer’s asset base and revenue streams, not generic climate scenarios.

4. For PRC-based VIE issuers, disclose the exact status of the CSRC filing and the data security assessment, including the date of submission, the regulator’s response, and the specific consequences of a denial or revocation.

5. Draft each risk factor as a “known unknown” —identifying a specific contingency, the regulatory or factual basis for the risk, and the quantified outcome—to provide a defensible record against any future claim of misrepresentation under section 40 of Cap. 32.