In the ordinary course of business, we collect, use, transmit, store, share and otherwise process member, customer and employee data, including credit and debit card numbers, bank account information, dates of birth, location information and other types of personal data. Some of this data is sensitive and could be an attractive target for criminal attack by malicious third parties with a wide range of expertise and motives (including financial gain), including organized criminal groups, hackers, disgruntled current or former employees, and others. In particular, the increasing sophistication and resources of cyber criminals and other non-state threat actors and increased actions by nation-state actors make keeping up with new threats difficult and could result in a breach of security. The integrity, protection and security of such member, customer and employee data is critical to us.
Despite the security measures we and our third-party service providers have in place to protect confidential information and PII and to comply with applicable laws, rules, regulations, industry standards and contractual obligations relating to data privacy, protection and security, our facilities and systems and those of our third-party service providers, as well as the Soho House App, may be vulnerable to security or data breaches, acts of cyber terrorism or sabotage, vandalism or theft, computer viruses, misplaced, corrupted or lost data, programming or human errors or other similar events. Furthermore, the size and complexity of our IT systems and those of our third-party service providers make such systems potentially vulnerable to security or data breaches and other security incidents from inadvertent or intentional actions by our employees or third-party service providers or from attacks by malicious third parties. Because such attacks are increasing in sophistication and change frequently in nature, we and our third-party service providers may be unable to anticipate these attacks or implement adequate preventative measures, and any compromise of our systems, or those of our third-party vendors, may not be discovered, mitigated or remediated promptly or effectively.
Additionally, the collection, maintenance, use, disclosure, storage, transmission, disposal and other processing of PII by our businesses are regulated at the federal, state, local, provincial and international levels as well as by certain industry groups, such as the Payment Card Industry organization and the National Automated Clearing House Association, and we cannot guarantee that we have been and will be in compliance with all such applicable laws, rules, regulations and standards. The regulatory framework for data privacy and security worldwide is continuously evolving and developing and, as a result, interpretation and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. The occurrence of unanticipated events and the development of evolving technologies often rapidly drive the adoption of legislation or regulation affecting the use, collection or other processing of data. New laws, amendments to or reinterpretations of existing laws, regulations, standards and other obligations may require us to change our business operations with respect to how we use, collect, store, transfer or otherwise process certain types of PII, implement new processes, and incur additional costs to comply with those laws and our members' exercise of their rights thereunder.
Foreign data protection, privacy, consumer protection and other laws and regulations are often more restrictive than those in the United States. In particular, the EEA (comprised of the EU member states and Iceland, Liechtenstein and Norway) and the UK have traditionally taken broader views as to the types of data that are subject to privacy and data protection. In the EU, the processing of personal data (i.e., data which identifies an individual or from which an individual is identifiable) is governed by the EU GDPR. The UK has implemented the EU GDPR into its national law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (known as the "UK GDPR", and together with the EU GDPR, the "GDPR"), which sits alongside the UK Data Protection Act 2018. The GDPR imposes a number of obligations on controllers, including, among others: (i) accountability and transparency requirements, which require controllers to demonstrate and record compliance with the GDPR and to provide more detailed information to data subjects regarding processing; (ii) requirements to process personal data lawfully, including specific requirements for obtaining valid consent where consent is the lawful basis for processing; (iii) obligations to consider data protection as any new products or services are developed and designed and to limit the amount of personal data processed; (iv) obligations to comply with the data protection rights of data subjects, including a right of access to and rectification of personal data, a right to obtain restriction of processing or to withdraw consent to processing, or to object to processing of personal data, a right to ask for a copy of personal data to be provided to a third party in a usable format, and a right to erasure of personal data in certain circumstances; (v) obligations to implement appropriate technical and organizational security measures to safeguard personal data; and (vi) obligations to report certain personal data breaches to the relevant supervisory authority without undue delay (and no later than 72 hours where feasible) and to affected individuals where the personal data breach is likely to result in a high risk to their rights and freedoms.
In addition, the EU GDPR prohibits the international transfer of personal data from the EEA to countries outside of the EEA unless the transfer is made to a country deemed to have adequate data privacy laws by the European Commission, a data transfer mechanism in accordance with the EU GDPR has been put in place, or a derogation under the EU GDPR can be relied on. In July 2020, the Court of Justice of the European Union ("CJEU") in its Schrems II ruling invalidated the EU-U.S. Privacy Shield framework, a self-certification mechanism that facilitated the lawful transfer of personal data from the EEA to the United States, with immediate effect. The CJEU upheld the validity of standard contractual clauses ("EU SCCs") as a legal mechanism to transfer personal data, but companies relying on EU SCCs will need to carry out a transfer impact assessment ("TIA"), which, among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections additional to those provided under EU SCCs will need to be implemented to ensure an 'essentially equivalent' level of data protection to that afforded in the EEA. The UK GDPR imposes similar restrictions on transfers of personal data from the UK to jurisdictions that the UK does not consider adequate. This may have implications for our cross-border data flows and may result in compliance costs.
Further, on October 7, 2022, the U.S. President introduced an Executive Order to facilitate a new Trans-Atlantic Data Privacy Framework ("DPF"), and on July 10, 2023, the European Commission adopted its Final Implementing Decision granting the U.S. adequacy ("Adequacy Decision") for EU-US transfers of personal data for entities self-certified to the DPF. Entities relying on EU SCCs for transfers to the U.S. are also able to rely on the analysis in the Adequacy Decision as support for their TIA regarding the equivalence of U.S. national security safeguards and redress.
It should also be noted that the UK government has published its own form of EU SCCs known as the UK International Data Transfer Agreement and an International Data Transfer Addendum to the new EU SCCs. The UK's Information Commissioner's Office ("ICO") has also published its own version of the TIA and guidance on international transfers, although entities may choose to adopt either the EU or UK style TIA. Further, on September 21, 2023, the UK Secretary of State for Science, Innovation and Technology established a UK-U.S. data bridge (i.e., a UK equivalent of the Adequacy Decision) and adopted UK regulations to implement the UK-U.S. data bridge ("UK Adequacy Regulations"). Personal data may now be transferred from the UK under the UK-U.S. data bridge through the UK extension to the DPF to organizations self-certified under the UK extension to DPF.
The GDPR also introduces fines of up to €20 million (under the EU GDPR) or £17.5 million (under the UK GDPR) or up to 4% of the annual global turnover of the noncompliant company, whichever is greater, for serious violations of certain of the GDPR's requirements. The GDPR identifies a list of points to consider when determining the level of fines to impose (including the nature, gravity and duration of the infringement). Data subjects also have a right to compensation for financial or non-financial losses (e.g., distress). Complying with the GDPR may cause us to incur substantial operational and compliance costs or require us to change our business practices. Despite our efforts to bring practices into compliance with the GDPR, we may not be successful either due to internal or external factors such as resource allocation limitations or a lack of vendor cooperation. Non-compliance could result in proceedings against us by governmental entities, regulators, customers, data subjects, suppliers, vendors or other parties. Further, there is a risk that the measures will not be implemented correctly or that individuals within the business will not be fully compliant with the new procedures. If there are breaches of these measures, we could face significant administrative and monetary sanctions as well as reputational damage which may have a material adverse effect on our operations, financial condition and prospects. There is a risk that we could be impacted by a cybersecurity incident that results in loss or unauthorized disclosure of personal data, potentially resulting in us facing harms similar to those described above.
The EU has also proposed the draft ePrivacy Regulation, which, once finalized and in effect, will replace both the ePrivacy Directive and all the national laws implementing this Directive. The ePrivacy Regulation, as proposed in its current form, would impose strict opt-in marketing rules, change rules about the use of cookies, web beacons and related technologies, and significantly increase penalties for violations. Such regulations could limit our ability to collect, use and share EU and UK data, could cause our compliance costs to increase and could increase our potential liability, ultimately having an adverse impact on our business, and harm our business and financial condition.
In the US, numerous states have enacted or are in the process of enacting comprehensive data privacy laws and regulations governing the collection, use, and other processing of personal information and providing rights to state residents to access, delete, correct and opt out of the sale or use of their personal information for targeted advertising and for certain other uses of personal data. Our business operates in some, but not all, of these states. These laws are enforceable only by state attorneys general, district attorneys in some states, and, in California, the state's new privacy agency; there is no private right of action to enforce these laws. Prosecutors can recover civil (and, for California, administrative) penalties, often on a per-person and per-incident basis, which could be substantial. To date, there have been limited public enforcement actions, but that could change in the coming year. California's law also authorizes private parties to bring suits against regulated businesses for negligent data breaches, and plaintiffs can recover statutory damages for such claims, in addition to actual damages and injunctive relief; those cases are proliferating. These laws and expanded enforcement actions and authorities could increase our potential liability and could have an adverse impact on our business, including its financial condition.
In addition, the plaintiffs' bar is increasingly active and has brought hundreds of cases in recent years under privacy-related legal theories, including the California Invasion of Privacy Act (CIPA), otherwise known as California's wiretapping law. These cases typically concern allegations that the use of common third-party vendors or tools on a website constitutes an interception of confidential communications that allegedly amounts to wiretapping, which can only be done with the consent of both parties to the communication. These wiretapping cases can be brought in a class action or in a mass arbitration setting. If such suits are brought against us, defending against them in court or in arbitration could substantially increase our legal costs and potential liability, and would require members of our legal teams to assist in defending these claims.
We make public statements about our use, collection, disclosure and other processing of PII through our privacy policies, information provided on our website and press statements. Although we endeavor to comply with our public statements and documentation, we may at times fail to do so or it may be alleged that we have failed to do so. The publication of our privacy policies and other statements that provide promises and assurances about data privacy and security can subject us to potential government or legal action if they are found to be deceptive, unfair or a misrepresentation of our actual practices.
Specifically, the Federal Trade Commission ("FTC") and many state attorneys general are interpreting existing federal and state consumer protection laws to impose evolving standards for the collection, use, dissemination and security of personal information. Courts may also adopt the standards for fair information practices promulgated by the FTC, which concern consumer notice, choice, security and access. If information that we publish is found to be untrue, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Furthermore, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in, or affecting, commerce in violation of Section 5 of the FTC Act. Additionally, the FTC recently published an advance notice of proposed rulemaking on commercial surveillance and data security, and is seeking comment on whether it should implement new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.
Many of these laws and regulations are still evolving and being tested in courts and could be interpreted or applied in ways that could harm our business, particularly in the new and rapidly evolving industry in which we operate. Federal, state, local, provincial, and international regulators and industry groups may also consider and implement from time to time new data privacy, security and protection laws, rules, regulations and requirements that apply to our businesses, and we cannot yet determine the impact that such future laws, regulations and standards may have on our business. For example, laws in all 50 US states require businesses to provide notice under certain circumstances to customers whose PII has been disclosed as a result of a data breach. Compliance with evolving data privacy and security laws, rules, requirements and regulations may result in cost increases due to necessary changes to our systems and practices, new limitations or constraints on our business models, the development of new administrative processes and may prevent us from providing certain offerings in certain jurisdictions in which we currently operate and in which we may operate in the future. They also may impose further restrictions on our processing, sharing, transmission, collection, disclosure and use of PII in connection with the Soho House App or that are housed in one or more databases maintained by us or our third-party service providers. 
Any actual or perceived noncompliance with applicable data privacy, security and protection laws, rules and regulations, industry group requirements, contractual obligations, consent requirements or a security or data breach involving the misappropriation, loss or other unauthorized disclosure of personal, sensitive or confidential information, including PII, whether by us or by one of our third-party service providers, and lawsuits brought under state wiretapping laws could have a material adverse effect on our business, operations, brand, reputation and financial condition, including decreased revenue, material fines and penalties, litigation, increased financial processing fees, compensatory, statutory, punitive or other damages, adverse actions against our licenses to do business and injunctive relief by court or consent order.