Chipotle (CMG) Risk Analysis

Our business is subject to extensive federal, state, local and international laws and regulations, including those relating to: - preparation, sale and labeling of food, including regulations of the Food and Drug Administration, which oversees the safety of the entire food system and covers inspections and mandatory food recalls, menu labeling and nutritional content;- employment practices and working conditions, including minimum wage rates, wage and hour practices, meal and rest breaks, fair workweek/secure scheduling and "just cause" legislation, employment of minors, discrimination, harassment, classification of employees, paid and family leave, workplace safety, immigration and overtime among others;- privacy and data security (including regulations governing the protection of personal information, advertising and marketing, access by children, biometrics, surveillance, artificial intelligence, health-related information and financial information);- health, sanitation, safety and fire standards and the sale of alcoholic beverages;- building and zoning requirements, including state and local licensing and regulation governing the design and operation of facilities and land use;- claims made in marketing and advertising, including regarding nutritional information and sustainability impacts;- public accommodations and safety conditions, including the Americans with Disabilities Act and similar state laws that give civil rights protections to individuals with disabilities in the context of employment, public accommodations, online resources and other areas;- environmental matters, such as emissions and air quality; water consumption; the discharge, storage, handling, release and disposal of hazardous or toxic substances; local ordinances restricting the types of packaging we can use in our restaurants; and claims we make about our sustainability practices and achievements;- new or increased tariffs, trade sanctions or taxes; and - public company compliance, disclosure and governance matters, including accounting and tax regulations, SEC and NYSE disclosure requirements. Compliance with these laws and regulations, and future new laws or changes in these laws or regulations that impose additional requirements, can be costly. If the Food and Drug Administration or other government agency adopts new laws and regulations in response to real or perceived emerging food safety, such as concerns over phthalates, PFAS, microplastics or heavy metals in the U.S. food supply, it could impose new processes that disrupt our suppliers' operations, increase costs or both. Any failure or perceived failure to comply with applicable laws or regulations could result in, among other things, revocation of required licenses, administrative enforcement actions, fines and civil and criminal liability.

We have been and will continue to be subject to litigation and other legal proceedings that may adversely affect our business, including claims brought by employees, guests, government agencies, suppliers, distributors, shareholders, job applicants or others. These proceedings may be in the form of private actions, administrative proceedings, government enforcement or regulatory actions and litigation on a class or collective basis on behalf of what can be a large group of potential claimants. These legal proceedings have involved, and in the future may involve, allegations of illegal, unfair or inconsistent employment practices, including those governing wage and hour, employment of minors, discrimination, harassment, wrongful termination, fair scheduling, pay disclosure and vacation and family leave laws; food safety issues including food-borne illness, food contamination and adverse health effects from consumption of our food products; data security or privacy incidents or violations of related laws; discrimination against guests or job applicants; personal injury in our restaurants; marketing and advertising claims, including claims that our Food with Integrity, marketing, nutrition, or sustainability claims are misleading or inaccurate or that price-related disclosures are misleading; infringement of patent, copyright or other intellectual property rights; violation of the federal securities laws; workers' compensation; or other concerns. We are party to multiple lawsuits and governmental audits alleging violations of federal and state employment laws, including wage and hour and predictive scheduling claims, and we could be involved in similar or even more significant litigation and legal proceedings in the future. Even if the allegations against us are unfounded or we ultimately are held not liable, the costs to defend ourselves may be significant and the proceedings may divert management's attention away from operating our business, all of which could negatively impact our financial condition and results of operations. A judgment significantly greater than any applicable insurance coverage or third-party indemnity could materially adversely affect our financial condition or results of operations. In addition, adverse publicity resulting from claims may damage our reputation.

We have in the past failed, and may in the future fail, to meet our forecasted guidance or market expectations, which has adversely affected, and could in the future adversely affect, the market price of our stock. Any guidance we provide is based on certain assumptions at the time the guidance is given, which may or may not prove to be correct. Failure to meet announced guidance or market expectations of future results, particularly with respect to our operational and financial results and shareholder returns, whether due to our assumptions not being met or the impact of various risks and uncertainties, will likely result in either or both a decline in or increased volatility in the market price of our stock. In addition, price and volume fluctuations in the stock market as a whole may affect the market price of our stock in ways that may be unrelated to our financial performance. Our quarterly financial results may fluctuate significantly and could fail to meet investors' expectations for various reasons, including: - negative publicity about the safety of our food, employment-related issues, guest safety, litigation or other issues involving our restaurants;- fluctuations in supply costs, particularly for our most significant ingredients, and our inability to offset the higher cost with price increases, without adversely impacting guest traffic;- our inability to purchase sufficient quantities of our key ingredients and equipment as our restaurant count grows;- labor availability and wages of restaurant management and employees;- increases in marketing or promotional expenses;- the timing of new restaurant openings and related revenues and expenses, and the operating costs at newly opened restaurants;- the impact of inclement weather and natural disasters, such as freezes and droughts, which could decrease guest traffic and increase the costs of ingredients;- the amount and timing of stock-based compensation;- litigation, settlement costs and related legal expenses;- taxes, new or increased tariffs or trade sanctions, asset impairment charges and non-operating costs; and - macroeconomic conditions described above. For these reasons, results for any one quarter are not necessarily indicative of results to be expected for any other quarter or for any year. A significant or sudden decrease in our stock price could entice an activist shareholder to initiate a campaign against the Company. If we are the target of public activism, it could cause us to incur significant costs, including legal expenses, divert the attention of our management and Board, create uncertainty about our strategic direction and cause stock price volatility that is unrelated to our business fundamentals.

The restaurant industry is highly competitive on factors such as taste, price, food quality and selection, customer service, brand reputation, digital engagement, advertising and promotional initiatives, and the location, attractiveness and maintenance of restaurants. We also compete with non-traditional market participants, such as "convenience meals" in the form of entrées, side dishes or meal preparation kits from grocery stores, meal kit delivery services, and "ghost" or "dark" kitchens, where meals are prepared at separate takeaway premises rather than a restaurant. Delivery aggregators and food delivery services, which provide consumers with convenient access to a broad range of competing restaurant chains and food retailers, particularly in urbanized areas, may direct potential customers to other restaurants based on paid placements, online reviews and other factors, and may form a closer relationship with our guests. Increased competition could have an adverse effect on our sales, profitability and development plans. If guest tastes or dietary preferences change, if our marketing efforts are unsuccessful, or if we are unable to compete successfully with other restaurant concepts, our business could be adversely affected. We continue to believe our commitment to higher-quality and responsibly sourced ingredients resonates with guests and gives us a competitive advantage; however, many of our competitors also make claims related to the quality of their ingredients and lack of artificial flavors, colors and preservatives. The use of these claims by competitors, even if such claims are not accurate or comparable, may lessen our differentiation and make it more difficult for us to compete. If we are unable to continue to maintain our distinctiveness and compete effectively, our business, financial condition and results of operations could be adversely affected.

Our growth depends on our ability to open new restaurants at an aggressive rate and operate them profitably as soon as possible. The cost of opening new restaurants has continued to increase due to construction labor inflation and increased costs of materials and equipment. In addition, we incur substantial startup expenses each time we open a new restaurant, and it can take around 36 months to ramp up the sales and profitability of a new restaurant, during which time costs may be higher as we train new employees and build up a guest base. If we are unable to build the guest base that we expect or fail to overcome the higher startup expenses associated with new restaurants, our new restaurants may not be as profitable as our existing restaurants. In addition, the opening of new restaurants may negatively impact the profitability of existing restaurants that are located nearby. Our ability to open and profitably operate new restaurants also is subject to risks, such as the identification and availability of desirable locations; the negotiation of acceptable lease terms; the need to obtain required governmental permits (including zoning approvals and liquor licenses) and comply with other regulatory requirements; the availability of capable contractors and subcontractors; increases in the cost and decreases in the availability of labor and building material; changes in weather, natural disasters, pandemics or other acts of God that could delay construction and adversely affect guest traffic; our ability to hire and train qualified management and restaurant employees; and general economic and business conditions. At each potential location, we compete with other restaurants and retail businesses for desirable development sites, construction contractors, management personnel, hourly employees and other resources. If we are unable to successfully manage these risks, we could face increased costs and lower than anticipated sales and earnings in future periods. Our timeline for completing construction also has gotten longer, due to landlord reluctance to commit to building in light of fluctuating interest rates, tight money supply and general economic conditions, and due to backlogs and long wait times for us to obtain required permits and utility hookups. In addition, we need to maintain the attractiveness of our existing restaurants through remodels, upgrades and regular upkeep. If the costs associated with remodels, upgrades or regular upkeep are higher than anticipated, restaurants are closed for remodeling for longer periods than planned or remodeled restaurants do not perform as expected, which could have a negative effect on our operating results, and we may not realize our projected desired return on investment.

We built strong value in the Chipotle brand by serving delicious, high quality food, made fresh every day using responsibly sourced ingredients served in generous portions. Our continued success depends on maintaining this compelling brand value, which may be eroded by numerous factors, some of which are outside of our control. Incidents that could erode trust in our brand include actual or perceived food safety or food-borne illnesses; allegations of unethical or unprofessional behavior by employees and/or guests; privacy breaches or violations of privacy laws; safety-related incidents occurring in or around our restaurants; guest perceptions regarding smaller entrée portion sizes; or other events or incidents described in this risk factors section. The adverse impact of such incidents may be compounded by negative publicity, including through social or digital media, or if they result in litigation. Social media, video-sharing, networking, and gaming and messaging platforms dramatically increase the speed and reach at which negative publicity is disseminated, often before we have a meaningful opportunity to investigate, respond to and address an issue. Negative online postings or comments about us, including as a result of inaccurate, fictitious or malicious postings or media content, have in the past and could in the future magnify and prolong the adverse impact of any one incident and increase the damage to the value of our brand. Additionally, consumer demand for our products and our brand value could diminish significantly if we, our employees or business partners fail to comply with applicable laws and regulations, take positions or actions that may be considered controversial, fail to deliver a consistently positive guest experience or fail to foster an inclusive and welcoming environment. In addition, we cannot ensure that our restaurant crew or business partners will not take actions that adversely affect our brand reputation and relevance.

As our dependence on technology has grown, the scope and severity of potential risks from cyber-attacks and security threats have increased. We expect that the rapid evolution and increased adoption of artificial intelligence have heightened and will continue to heighten those risks. Many of our information technology systems and the systems of our third-party business partners (whether cloud-based or hosted in proprietary servers) contain personal, financial or other information of our guests, employees, and business partners, and confidential information about our business, such as business strategies, financial results, development initiatives, and confidential information about third parties, such as suppliers. Similar to many other restaurant companies, we have in the past experienced, and we expect to continue to experience, cyber-attacks, including phishing, and other attempts to breach, or gain unauthorized access to, our systems and databases and we expect the number and frequency of these attempts to increase as the scope and scale of our technology footprint and digital operations increases. In addition, individuals performing work for us and our third-party business partners may access some of this data, including on personally owned digital devices. To the extent we, a third party or any such individual were to experience a breach of our or their information technology systems that results in the unauthorized access, theft, use, destruction or other compromises of guests' or employees' data or confidential information of Chipotle, including through cyber-attacks or other external or internal methods, it could have an adverse impact on our reputation and brand and we could experience a material loss of revenues, a decrease in our ability to retain guests or attract new ones, the imposition of potentially significant costs (including loss of data or payment for recovery of data) and liabilities, loss of business partners and the disruption to our supply chain and business plans. Unauthorized access, theft, use, destruction or other compromises are becoming increasingly sophisticated and may occur through a variety of methods, including attacks using malicious code, vulnerabilities in software, hardware or other infrastructure (including systems used by our supply chain), system misconfigurations, phishing, deepfakes, ransomware, malware or social engineering. Our logging capabilities, or the logging capabilities of third parties, are not always complete or sufficiently granular, affecting our ability to fully understand the scope of security breaches. Given the increasing complexity and sophistication of techniques used by bad actors to obtain unauthorized access to or disable information technology systems, and the fact that cyberattacks are being made by groups and individuals with a wide range of expertise and motives, it is increasingly difficult to anticipate, defend against and detect cyberattacks. A cyberattack could occur and persist for an extended period of time before we detect it. Moreover, the extent of a particular cyber incident and the steps that we may need to take to investigate the incident may not be immediately clear, and it may take a significant amount of time before such investigation can be finalized and completed and reliable information about the incident is known. During the pendency of any such investigation, we may not know the extent of the harm or how best to remediate it, and we may be required to disclose incidents before their full extent is known. Such security breaches also could result in a violation of applicable U.S. and international privacy, cyber and other laws or trigger data breach notification laws, including under the SEC's disclosure rules, and subject us to private third party or securities litigation and governmental investigations and proceedings, any of which could result in our exposure to material civil or criminal liability. These risks also exist in companies that license our brand, that we partner with or invest in that use separate information systems. We may be required to make significant capital investments and other expenditures to investigate security incidents, remedy cybersecurity problems, recuperate lost data, prevent future compromises and adapt systems and practices to react to the changing threat environment. These include costs associated with notifying affected individuals and other agencies, additional security technologies and training, hiring additional employees, retention of experts and providing credit monitoring services for individuals whose data has been breached. These costs could be material and could adversely impact our results of operations in the period in which they are incurred, including by causing us to delay the pursuit of other important business strategies and initiatives, and may not meaningfully limit the success of future attempts to breach our information technology systems.

We are heavily dependent on information technology systems, including for point-of-sale and payment processing in our restaurants, digital ordering and order delivery, tracing ingredients back to suppliers and growers, digital Hazard Analysis and Critical Control Points monitoring, monitoring and managing our supply chain, our guest rewards program, payroll processing, sales forecasting, marketing initiatives, business analytics and various other processes and transactions. Our ability to effectively manage our business and coordinate the procurement, production, distribution, safety and sale of our products depends significantly on the consistent availability, reliability and security of these systems. Many of these critical systems are provided and managed by third parties, and we are reliant on these third-party providers to implement protective measures that ensure the security and availability of their systems. Although we have operational safeguards in place and we take efforts to ensure that our third-party providers have implemented proper safeguards and controls, we cannot guarantee that breaches or failures caused by these third-party systems or platforms will not occur. Failures may be caused by factors such as power outages, natural disasters and other catastrophic events, physical theft, computer and network failures, inadequate or ineffective redundancy, problems with transitioning to upgraded or replacement systems or platforms, flaws in third-party software or services, or errors or improper use by our employees or our third-party service providers. If any of our critical IT systems were to become unreliable, unavailable, compromised or otherwise fail, and we were unable to recover in a timely manner, we could experience an interruption in our operations that could have a material adverse impact on our profitability. We continue to invest in and utilize emerging technologies that have potential to make business tasks easier, more efficient and less labor intensive, including artificial intelligence and machine learning. These new technologies may not deliver the expected efficiencies and could expose us to new risks, including risks related to cybersecurity, data privacy, inaccuracies, hallucinations, bias or discrimination and claims of intellectual property infringement.

Restaurant dining generally is dependent upon consumer discretionary spending, which may be affected by macroeconomic conditions that are beyond our control. A prolonged economic downturn or slow recovery may reduce consumer spending, leading to lower demand or shifts to lower-priced options. Factors such as unemployment, inflation, interest rate changes, taxes, access to credit, public health crises, trade disputes, and geopolitical instability can all impact consumer behavior, including discretionary spending, potentially reducing demand for our products. A significant decrease in guest traffic or average transaction size would negatively impact our financial performance. If economic uncertainty persists, guests may adopt lasting changes in spending habits, potentially affecting our sales, profitability, and growth plans. Our operating results have been, and will continue to be, subject to a number of other macroeconomic and other factors, many of which are largely outside our control. Any one or more of the factors listed below could have a material adverse impact on our business, financial condition, or results of operations: - Rising real estate costs in certain markets;- Supply chain disruptions;- Climate change and extreme weather affecting costs and availability of ingredients;- Changes in tax laws and government regulations, such as the One Big Beautiful Bill Act, enacted in the U.S. in July 2025;- Adverse litigation outcomes;- Inflation and interest rate fluctuations;- Natural or man-made disasters disrupting major markets;- Government shutdowns and election-related impacts globally, including regime change and political and civil unrest;- Terminations of or changes in existing trade agreements among the countries in which we purchase ingredients; and - Tariffs imposed on commodities or goods, including recent tariffs imposed or threatened to be imposed by the U.S. on other countries, and any retaliation measures taken by such countries. These factors also could cause us to, among other things, reduce the number and frequency of new restaurant openings, close restaurants or delay remodeling of our existing restaurant locations. Further, poor economic conditions may force nearby businesses to shut down, which could reduce traffic to our restaurants or cause our restaurant locations to be less attractive. In addition, we purchase ingredients, packaging and equipment from both U.S. and international suppliers and we may need to increase our menu prices in response to increased inflation, higher taxes, new tariffs on imported goods, wage increases due to a tighter job market and other macro-economic factors. Higher menu prices or the perceived value of our meals relative to competitors may lead consumers to reduce their spending in our restaurants or switch to competitors' value or lower-priced meals. If competitive or other factors prevent us from offsetting these higher costs through menu price increases, our profitability may decline.

Adverse weather conditions have impacted and may again impact guest traffic at our restaurants and, in more severe cases such as hurricanes, tornadoes, wildfires or other natural disasters, cause temporary restaurant closures, all of which negatively impact our restaurant sales. In addition, our supply chain is subject to increased costs caused by the effects of severe, volatile weather, extended droughts and diminished energy and water resources. Increasing weather volatility and changes in global weather patterns could reduce crop size and crop quality, or destroy crops altogether, which could result in decreased availability or higher pricing for our produce and other ingredients. We may be forced to source ingredients from new geographic regions, which could impact quality and taste, and increase our costs. These factors are beyond our control and may be unpredictable. Climate change and government regulation relating to climate change mitigation also could result in construction delays for new restaurants and interruptions to the availability or increases in the cost of utilities. The ongoing and long-term costs of these impacts related to climate change and other sustainability-related issues could have a material adverse effect on our business and financial condition if we are not able to mitigate them.