The Hackett Group (HCKT) Risk Factors

We may not be able to compete effectively with current or future competitors. The business consulting and IT services markets are highly competitive. We expect competition to further intensify as these markets continue to evolve. Some of our competitors have longer operating histories, larger client bases, longer relationships with their clients, greater brand or name recognition and significantly greater financial, technical and marketing resources than we do. As a result, our competitors may be in a stronger position to respond more quickly to new or emerging technologies, such as artificial intelligence, and changes in client requirements and to devote greater resources than we can to the development, promotion and sale of their services. Competitors could lower their prices, potentially forcing us to lower our prices and suffer reduced operating margins. We face competition from international accounting firms; international, national and regional strategic consulting and systems implementation firms; and the IT services divisions of application software firms. In addition, there are relatively low barriers for entry into the business consulting and IT services market. We do not own any patented technology that would stop competitors from entering this market and providing services similar to ours. As a result, the emergence of new competitors may pose a threat to our business. Existing or future competitors may develop and offer services that are superior to, or have greater market acceptance, than ours, which could significantly decrease our revenue and the value of your investment.

As part of our strategy, from time to time, we enter into capped or fixed-price contracts, in addition to contracts based on payment for time and materials. Because of the complexity of many of our client engagements, accurately estimating the cost, scope and duration of a particular engagement can be a difficult task. We maintain an Office of Risk Management ("ORM") that evaluates and attempts to mitigate delivery risk associated with complex projects. In connection with their review, ORM analyzes the critical estimates associated with these projects. If we fail to make these estimates accurately, we could be forced to devote additional resources to these engagements for which we will not receive additional compensation. To the extent that an expenditure of additional resources is required on an engagement, this could reduce the profitability of, or result in a loss on, the engagement. We may be unsuccessful in negotiating with clients regarding changes to the cost, scope or duration of specific engagements. To the extent we do not sufficiently communicate to our clients, or our clients fail to adequately appreciate the nature and extent of any of these types of changes to an engagement, our reputation may be harmed, and we may suffer losses on an engagement.

We believe that establishing and maintaining a good reputation and name recognition are critical for attracting and retaining clients and employees in our industry. We also believe that the importance of reputation and name recognition will continue to increase due to the number of providers of business consulting and IT services. If our reputation is damaged or if potential clients are not familiar with us or with the solutions we provide, we may be unable to attract new, or retain existing, clients and employees. Promotion and enhancement of our name will depend largely on our success in continuing to provide effective solutions. If clients do not perceive our solutions to be effective or of high quality, our brand name and reputation will suffer. In addition, if solutions we provide have defects, critical business functions of our clients may fail, and we could suffer adverse publicity as well as economic liability.

Our clients, and therefore our business and revenues, are sensitive to negative changes in general economic conditions and business confidence arising from pandemics. The extent to which a pandemic could impact our business, operations and financial results will depend on numerous evolving factors that we may not be able to accurately predict, including: the duration, severity and scope of the pandemic; governmental, business and individuals' actions that are taken in response to a pandemic; the impact of the pandemic on economic activity and actions taken in response; the effect on our clients and client demand for our services and solutions; the ability of our clients to pay for our services and solutions; and any closures of our clients' offices and facilities. Clients may also slow down decision making, delay planned work or seek to terminate existing agreements. Any of these events could cause or contribute to the risks and uncertainties enumerated in "Item 1A. Risk Factors" and elsewhere in this Annual Report and could materially adversely affect our business, financial condition, results of operations and/or stock price.

We have international operations, where we earn revenue and incur costs in various foreign currencies, primarily the British Pound, and the Euro. Doing business in these foreign currencies exposes us to foreign currency risks in numerous areas, including revenue, purchases, payroll and investments. Certain foreign currency exposures are naturally offset within an international business unit, because revenue and costs are denominated in the same foreign currency, and certain cash balances are held in U.S. Dollar denominated accounts. Fluctuations in foreign currency exchange rates could materially impact our results. Our cash position includes amounts denominated in foreign currencies. We manage our worldwide cash requirements considering available funds from our subsidiaries and the cost effectiveness with which these funds can be accessed. The repatriation of cash balances from certain of our subsidiaries outside the U.S. could have adverse tax consequences and be limited by foreign currency exchange controls. However, those balances are generally available in the local jurisdiction without legal restrictions to fund ordinary business operations. Any fluctuations in foreign currency exchange rates could materially impact the availability and amount of these funds available for transfer.

We rely upon a combination of nondisclosure and other contractual arrangements and trade secrets, copyright and trademark laws to protect our proprietary rights and the proprietary rights of third parties from whom we license IP. Although we enter into confidentiality agreements with our employees and limit distribution of proprietary information, there can be no assurance that the steps we have taken in this regard will be adequate to deter misappropriation of our IP, or that we will be able to detect unauthorized use and take appropriate steps to enforce our IP rights. Although we believe that our services do not infringe on the IP rights of others and that we have all rights necessary to utilize the IP employed in our business, we are subject to the risk of claims alleging infringement of third-party IP rights. Any claims could require us to spend significant sums in litigation, pay damages, develop non-infringing IP or acquire licenses to the IP that is the subject of asserted infringement.

We use information technology and security systems to protect proprietary and confidential information, including that of our customers, suppliers and employees. Denial of service or other attacks on, or accidental or willful security breaches or other unauthorized access to our facilities or information systems, unauthorized access to or acquisition of personal information, confidential information or other data we process or maintain, or viruses, loggers, or other malfeasant code, including ransomware, in our data or software, could compromise this information and otherwise disrupt our operations. The consequences of such loss, possible misuse of our proprietary and confidential information, or operational disruptions could include, among other things, unfavorable publicity, damage to our reputation, difficulty marketing our products, customer allegations of breach-of-contract, claims and litigation by affected parties, investigations by and other proceedings involving governmental authorities and possible financial liabilities for damages, any of which could materially adversely affect our business, financial condition, reputation and relationships with customers and partners. We also rely on a number of third-party service providers to host, store or otherwise process information for us, or to provide other facilities or infrastructure that we make use of, including "cloud-based" providers of corporate infrastructure services relating to, among other things, human resources, electronic communication services and some financial functions, and we are therefore dependent on the security systems of these providers. Any security breaches or incidents or other unauthorized access to, or disruptions of, our service-providers' systems or viruses, loggers, ransomware or other malfeasant code in their data or software, or unauthorized access to or acquisition of any data they process or otherwise maintain for us could expose us to information loss, corruption and unavailability, operational disruptions, and misappropriation of confidential information, and could have similar consequences to us as any incidents affecting our own systems or the data we process or maintain. We and our third parties face these threats from a variety of sources, including attacks from hackers, phishing and other forms of social engineering, and human error or employee or contractor malfeasance. Because the techniques used to obtain unauthorized access to or sabotage security systems change frequently and are often not recognized until after an attack, we and our third-party service providers may be unable to anticipate the techniques or implement adequate preventative measures, thereby exposing us to material adverse effects on our business, financial condition, results of operations and growth prospects. A security breach or other security incident impacting us or our third-party service providers could require a substantial level of financial resources to rectify and otherwise respond to, may be difficult to identify or address in a timely manner, and could result in claims, investigations, and inquires by private parties or governmental entities that may divert management's attention and require the expenditure of significant time and resources, and which may cause us to incur substantial fines, penalties, or other liability and related legal and other costs. Any actual or perceived security breach or other security incident may also harm our reputation and market position. Any of the foregoing matters could harm our operating results and financial condition.

We use information technology and security systems to process, transmit, and store electronic information in connection with the operation of our business. We also use such systems to protect proprietary and confidential information, including that of our customers, suppliers and employees. We face risks associated with cybersecurity incidents and other significant disruptions of such systems, including denial of service or other similar attacks, to our facilities or systems; unauthorized access to or acquisition of personal information, confidential information or other data we process or maintain; or viruses, loggers, or other malfeasant code, including ransomware, in our data or software. These cybersecurity incidents or other significant disruptions could be caused by persons inside our organization, persons outside our organization with authorized access to systems inside our organization, or by individuals outside our organization. The risk of a cybersecurity incident or disruption, particularly through cyber-attack or cyber-intrusion, has generally increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. Although the cybersecurity incidents that we have experienced to date, as well as those reported to us by our third-party partners, have not had a material effect on our business, financial condition or results of operations, such incidents could have a material adverse effect on us in the future. We also rely on a number of third-party service providers to host, store or otherwise process information for us, or to provide other facilities or infrastructure that we make use of, including "cloud-based" providers of corporate infrastructure services relating to, among other things, human resources, communication services, financial functions, as well as proprietary digital technology platforms, and we are therefore dependent on the security systems of these providers. These third-party entities are subject to similar risks as it relates to cybersecurity, business interruption, and systems. Employee failures and a cybersecurity incident or other significant disruption affecting such third parties could have a material adverse effect on our business. Because the techniques used to obtain unauthorized access to or sabotage security systems change frequently and are often not recognized until after an attack, we and our third-party service providers may be unable to anticipate the techniques or implement adequate preventative measures, thereby exposing us to material adverse effects on our business, financial condition, results of operations and growth prospects. In order to address risks to our information systems, we continue to make investments in personnel, technologies and training. Data protection laws and regulations around the world often require "reasonable," "appropriate" or "adequate" technical and organizational security measures, and the interpretation and application of those laws and regulations are often uncertain and evolving; there can be no assurance that our security measures will be deemed adequate, appropriate or reasonable by a regulator or court. Moreover, even security measures that are deemed appropriate, reasonable, and/or in accordance with applicable legal requirements may not be able to protect the information we maintain. A cybersecurity incident or other significant disruption impacting us or our third-party service providers could require a substantial level of financial resources to rectify and otherwise respond to, may be difficult to identify or address in a timely manner, and may divert management's attention and require the expenditure of significant time and resources. Such cybersecurity incidents or other significant disruptions could result in claims, increased regulatory scrutiny, or investigations, and may cause us to incur substantial fines, penalties, or other liability and related legal and other costs. Any actual or perceived cybersecurity incident or significant disruption may also interfere with our ability to comply with financial reporting requirements and harm our reputation and market position, especially given that we handle sensitive customer information. Any of the foregoing matters could harm our operating results and financial condition. While we have purchased cybersecurity insurance, there are no assurances that the coverage would be adequate in relation to any incurred losses. Moreover, as cyber-attacks increase in frequency and magnitude, we may be unable to obtain cybersecurity insurance in amounts and on terms we view as adequate for our operations.

We collect, store, have access to and otherwise process certain confidential or sensitive data, including proprietary business information, personal data or other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. We operate in an environment in which data privacy regulatory and legal framework is evolving quickly and varies by jurisdiction. We cannot predict the cost of compliance with future data privacy laws, regulations and standards, or future interpretations of current laws, regulations and standards, related to privacy and cybersecurity or the potential effects on our business. As a company doing business in Europe, we are also subject to European data protection laws and regulations. The European Union General Data Protection Regulation ("GDPR"), imposes stringent requirements in how we collect and process personal data and provides for significantly greater penalties for noncompliance; and several other countries have passed laws that require personal data relating to their citizens to be maintained on local servers and impose additional data transfer restrictions. In addition, we are also subject to and affected by new state privacy and data security laws such as the California Consumer Privacy Act ("CCPA"). The CCPA imposes additional data privacy requirements on many businesses operating in the state, including, potentially, with respect to employee data. Several states have enacted or introduced varying comprehensive privacy laws modeled to some degree on the CCPA and/or the GDPR. Compliance with multiple country and state laws containing varying requirements could be complicated and costly. Government enforcement actions can be costly and interrupt the regular operation of our business, and violations of data privacy laws can result in fines, reputational damage and civil lawsuits, any of which may adversely affect our business, reputation and financial statements.

To succeed, we must hire, train, motivate, retain and manage highly skilled employees. Competition for skilled employees who can perform the services we offer is intense. We might not be able to hire enough skilled employees or train, motivate, retain and manage the employees we hire. This could hinder our ability to complete existing client engagements and bid for new ones. Hiring, training, motivating, retaining and managing employees with the skills we need is time-consuming and expensive.