Home Depot (HD) Risk Analysis

Over the past several years, we have made significant investments to deliver a frictionless interconnected experience, including enhancing and expanding our supply chain, developing differentiated capabilities for our customers, including enhancements and improvements to our digital capabilities, expanding our store base, and making strategic acquisitions. These investments are designed to streamline our operations to allow our associates to continue to provide high-quality service to our customers; simplify customer interactions; provide our customers with a more interconnected experience; expand our sales to Pros and better address their needs for complex projects; and create the fastest, most efficient, and most reliable delivery network for home improvement products. Executing our interconnected experience requires continual investment in our operations and information technology systems, as well as the development and execution of new processes, systems and support. In addition, our stores are a critical component of our interconnected experience, serving as the hub of our customers' interconnected shopping journey. We have an aging store base that requires maintenance, investment, and space reallocation initiatives to deliver the shopping experience that our customers desire. We also need to identify and secure available locations with appropriate characteristics for new stores, branches, and supply chain facilities to ensure we can continue to serve our customers effectively. We must effectively manage the volume, timing, nature, location, and cost of our investments, projects and changes. Failure to continue to make investments to effectively support our strategy and to implement or integrate those investments in the right manner and at the right pace could adversely impact our business operations or financial results. The cost and potential problems, defects of design, and interruptions associated with the implementation of these initiatives, including those associated with managing third-party service providers, employing new online tools and services, implementing new technologies using AI, implementing and restructuring support systems and processes, securing appropriate store and other facility locations, and addressing impacts on inventory levels, could disrupt or reduce the efficiency of our operations in the near term, lead to product availability issues, create complexity in our systems and operations and impact our profitability. Our investments to enhance our interconnected experience, including investments in our store base, supply chain, and differentiated capabilities, including our digital assets, might not provide the anticipated benefits, or might take longer than expected to complete, integrate or realize anticipated benefits, any of which could adversely impact our competitive position and our financial condition, results of operations, or cash flows.

Our industry is highly competitive, highly fragmented, and evolving. As a result, we face competition for customers for our products and services from a variety of retailers (including those operating reseller marketplaces), suppliers, service providers, distributors and manufacturers that sell products directly to their respective customer bases. These competitors range from traditional brick-and-mortar, to multichannel, to exclusively online, and they include a number of other home improvement retailers; local, regional and national hardware stores; electrical, plumbing and building materials supply houses; and lumber yards. With respect to some products and services, we also compete with specialty design stores, showrooms, discount stores, paint stores, specialty and mass digital retailers, warehouse clubs, MRO distributors, national and local wholesale supply distributors, home décor retailers, and other retailers, as well as with providers of home improvement services and tool and equipment rental. Online and other digital capabilities, as well as AI tools, facilitate competitive entry, price transparency, and comparison shopping, increasing the level of competition we face. We compete primarily based on customer experience; price; quality; product availability, assortment, and innovation; and delivery options and capabilities, both in-store and online. We also compete based on store and branch location and appearance, presentation of merchandise, and ease of shopping experience throughout every step of the customer's project, from inspiration and research to any post-purchase support. Our Pros also look for dedicated sales support, competitive credit and pricing options, project planning tools, professional and reliable deliveries, and product depth and job lot quantities, particularly for their complex project needs. Furthermore, with respect to delivery options, customers are seeking faster and/or guaranteed delivery times, real-time updates on delivery status, low-price or free shipping, and/or convenient pickup options. Our ability to be competitive on delivery and pickup times, options and costs depends on many factors, including leveraging the momentum of our investments in our supply chain and our interconnected capabilities to further enhance the customer shopping experience. Failure to successfully manage these factors and offer competitive delivery and pickup options could negatively impact the demand for our products and services and our profit margins. We use our marketing, advertising and promotional programs to drive customer traffic and compete more effectively, and we must regularly assess and adjust our efforts to address changes in the competitive landscape. Intense competitive pressures from one or more of our competitors, such as through aggressive promotional pricing or liquidation events, or our inability to adapt effectively and quickly to a changing competitive landscape, could adversely affect our prices, our margins, or demand for our products and services. If we are unable to timely and appropriately respond to these competitive pressures, including through the delivery of a superior interconnected experience leveraging both our digital and physical platforms, our market share and our financial performance could be adversely affected.

Our brand and reputation are critical to attracting customers, associates and jobseekers, suppliers, service providers, and vendors to do business with us. We must continue to manage and protect our brand and reputation. Negative incidents can erode trust and confidence quickly, and adverse publicity about us, regardless of its accuracy, the reputability of its source and whether we are involved in the incident, could damage our brand and reputation; undermine our customers' confidence in us; reduce demand for our products and services, including as a result of boycotts; affect our ability to recruit, engage, motivate and retain associates; attract regulatory scrutiny or investigations; lead to litigation; and impact our relationships with current and potential suppliers and vendors. Third party actions, including our suppliers', service providers', and vendors' business practices and positions, may also be attributed to us, regardless of the Company's actions, meaning the actions of third parties pose similar risks to our brand and reputation. Partnerships with celebrities and social media content creators may also expose us to brand and reputational risks. Further, our actual or perceived position or lack of position on social, environmental, governance, political, public policy, regulatory, economic, geopolitical, or other sensitive issues, and any perceived lack of transparency about those matters, could harm our reputation with certain groups and attract regulatory scrutiny, investigations, litigation, or boycotts. In addition, we could be criticized for the scope or nature of initiatives or goals related to these matters, or for any revisions to or failure to achieve these goals on a timely basis or at all. If data, processes, and reporting related to these matters are incomplete or inaccurate, we could face regulatory scrutiny or investigations, litigation and/or adverse reputational impacts. Customers are also increasingly using social media to provide feedback and information about the Company, including our products and services, in a manner that can be quickly and broadly disseminated. Negative sentiment about the Company shared over social media, or misinformation from fraudulent accounts impersonating the Company, could impact our brand and reputation, whether or not it is based in fact.

Our ability to successfully operate in, and source products and materials from, international markets is affected by many of the same risks we face in our U.S. operations, as well as other costs and difficulties specific to managing international operations. Our international operations, including any expansion in international markets, may be, and on occasion have been, adversely affected by local laws and customs, U.S. laws or administrative actions applicable to foreign operations and other foreign legal and regulatory constraints, as well as political, social and economic conditions. Risks inherent in international operations also include, among others, potential adverse tax consequences; international trade disputes, trade policy changes or tariffs and other import-related taxes, fees and controls; inability to sell certain products due to customs actions, including regulatory enforcement inquiries, holds, detentions, and exclusions; greater difficulty in enforcing intellectual property rights; limitations on access to ports; risks associated with the Foreign Corrupt Practices Act and local anti-bribery law compliance; geopolitical tensions or conflicts, military conflicts or acts of war, as well as any related sanctions or other government or private responses; compliance with forced labor laws; compliance with environmental and responsible sourcing laws and regulations; and challenges in identifying and gaining access to local suppliers. For example, trade tensions between the U.S. and numerous other countries have led to a series of tariffs on the importation of certain product categories since the beginning of fiscal 2025. Following the recent U.S. Supreme Court decision that struck down tariffs previously imposed under the International Emergency Economic Powers Act, there is additional uncertainty regarding the U.S. tariff regime, and the imposition by the U.S. government of new or different tariffs under different authority. For the retail products we source, directly or indirectly, outside of the U.S., including Mexico, Canada and China, major changes in tax or trade policies, tariffs or trade relations could significantly adversely impact the cost of, demand for, and profitability of retail product sales in our U.S. or other locations. Countries outside the U.S. may also change, and on occasion have changed, their business and trade policies in anticipation of or in response to increased import tariffs and other changes in U.S. trade policy and regulations, and consumers may seek to avoid goods not sourced domestically, all of which could significantly adversely impact the cost of, demand for, and profitability of retail products in our U.S., Mexico and Canada locations. In addition, our operations in international markets create risk due to foreign currency exchange rates and fluctuations in those rates, which may adversely impact our sales and profitability.

Natural disasters, such as hurricanes, tropical storms, fires, floods, droughts or water scarcity, tornadoes, and earthquakes; unseasonable, unexpected or extreme weather conditions; acts of terrorism or violence, including active shooter situations; public health concerns, such as pandemics and quarantines and related impacts; civil unrest; geopolitical tensions or conflicts, or military conflicts or acts of war, as well as any related sanctions or other government or private responses; or similar disruptions and catastrophic events could have and on occasion have had an adverse effect on our operations and financial performance in a number of ways. These types of events can affect consumer spending and confidence and consumers' disposable income, particularly with respect to home improvement or construction projects. They can also adversely affect our work force and prevent associates and customers from reaching our stores, branches and other facilities. They can, temporarily or on a long-term basis, disrupt or disable the operations of stores, branches, other facilities and support centers, and portions of our supply chain and distribution network, including causing reductions in the availability of inventory and disruptions of utility services. In addition, these events may affect our information systems and digital platforms, resulting in disruptions to various aspects of our operations, including our ability to transact with customers and fulfill orders; to communicate with our stores, branches, other facilities or support centers or senior management; or to access financial or banking systems. Unseasonable, unexpected or extreme weather conditions such as excessive precipitation, warm temperatures during the winter season, or prolonged or extreme periods of warm or cold temperatures could render a portion of our inventory incompatible with customer needs and adversely impact our financial results. Demand for certain of our products has historically been influenced by the occurrence of seasonal events, such as storms. The impact of these events on our sales varies depending on their location, frequency and magnitude. Sustained periods without such events can lead, and in the past have led, to lower sales compared to prior periods. Furthermore, the potential long-term impacts of climate change, whether involving physical risks (such as extreme weather conditions) or transition risks (such as regulatory or technology changes), could be widespread and unpredictable. Over time, these changes could affect, for example, the availability and cost of or demand for certain products, commodities, and energy (including utilities), which in turn may impact our ability to procure certain goods or services for the operation of our business at the quantities and levels we consider optimal. As a consequence of these or other catastrophic or uncharacteristic events, we may experience interruption to our operations, increased costs, changes in customer behavior or demand, or losses of property, equipment or inventory, any of which could adversely affect our sales and profitability.

GAAP and related accounting pronouncements, implementation guidelines and interpretations with regard to a wide range of matters that are relevant to our business, such as asset impairment, inventories, lease obligations, self-insurance, vendor allowances, tax matters, business combinations, and litigation, are complex and involve many subjective assumptions, estimates and judgments. Implementation of new accounting standards or changes in existing accounting standards or their application or interpretation, or changes in underlying assumptions, estimates or judgments, could significantly change our reported or expected financial performance or financial condition. The implementation of, or changes to, accounting standards could also require certain systems, internal processes, internal controls, and other changes that could increase our operating costs.

We are involved in a number of legal proceedings and regulatory matters, including government inquiries and investigations, and consumer, employment, tort and other litigation that arise from time to time in the ordinary course of business. Litigation is inherently unpredictable, and the outcome of some of these proceedings and other contingencies could require us to take or refrain from taking actions, which could adversely affect our operations or could result in excessive adverse verdicts, fines, or results. Additionally, as we have seen in the past, involvement in such lawsuits, investigations and inquiries, and other proceedings, as well as compliance with any settlements or consent decrees that result from those proceedings, could involve significant expense, divert management's attention and resources from other matters, and impact the brand and reputation of the Company.

Our business, like that of most retailers, involves the collection, use, retention, management, transmission, and deletion of personal information (including identifiers, localization, internet activity, preferences, and payment information) from our customers, associates, jobseekers, and business partners, as well as confidential Company information. We also work with third-party service providers that provide technology, systems and services that we use in connection with the handling of information. Our information systems, and those of our third-party service providers, are vulnerable to continually evolving data protection and cybersecurity risks. Despite our efforts, our cybersecurity risk management processes may not be fully implemented, complied with or effective in preventing or mitigating future cybersecurity risks. Unauthorized parties, including criminal threat actors, nation-states, or insiders (including associates or contractors engaged in fraudulent or malicious activities), have in the past gained access, and will continue to attempt to gain access, to these systems and data through technical vulnerabilities, breach of security policies, fraud or other means of deceiving or coercing our associates, contractors or third-party service providers, which could jeopardize the confidentiality, integrity, or availability of such information systems or data that we may handle. Hardware, software or applications we develop or obtain from third parties may contain, and on occasion have contained, exploitable vulnerabilities, bugs, or defects in design, maintenance or manufacture or other problems that could unexpectedly compromise information security. We have experienced and continue to face the ongoing risk of exploitation of our software providers and our software development and implementation process, including from coding and process vulnerabilities and the installation of so-called back doors that provide unauthorized access to systems and data, and through unauthorized access to or theft of our intellectual property. The continued availability of remote or hybrid working arrangements has also expanded the possible attack surface areas and increased risks posed by insider threats, as our interactions with associates, contractors and third-party service providers increasingly occur on information systems, networks and environments over which we have less control and which may be more difficult to monitor. In addition, the risk of cyber-attacks has increased in connection with geopolitical tensions or conflicts and ongoing trade and diplomatic tensions. In light of the conflicts in Europe, the Middle East and South America and other geopolitical events, nation-state actors or their supporters and other politically-motivated actors may launch retaliatory cyber-attacks, and may attempt to cause supply chain and other third-party service provider disruptions, or take other geopolitically-motivated retaliatory actions that may disrupt our business operations, result in data compromise, or both. Nation-state actors have in the past carried out, and may in the future carry out, cyber-attacks to achieve their aims and goals, which may include espionage, monetary gain, disruption, and destruction. Similarly, there may be increased activities by organized or coordinating groups of cyber criminals who seek to attack larger organizations' data or systems for their own aims and goals, which can include financial gain. The availability of AI may enable new types of threat actors who may not otherwise have had the capabilities to engage in malicious activity to do so, or may enhance the capabilities of nation-state actors or organizing or coordinating groups to carry out attacks, or may generally enable novel types of attacks to be developed and deployed. Because the techniques that threat actors use to obtain unauthorized access, disable or degrade service, or sabotage systems, including use of stolen passwords, social engineering, phishing, smishing, vishing, identity spoofing (including through the use of emerging technologies such as deep fakes), ransomware or other disruptive and destructive malware, supply chain compromises, insider threats, and man-in-the-middle and denial of service attacks, change frequently and may not immediately produce signs of anomalous activity or compromise, we may be unable to anticipate or detect these techniques or implement adequate preventative measures. The ever-evolving cybersecurity threat landscape means that we and our third-party service providers and business partners must continually evaluate and adapt our respective systems and processes and overall security environment, as well as those of companies we or they acquire. There is no guarantee that the measures we take will be adequate to safeguard against all threats, including vulnerabilities, data security breaches, system compromises or misuses or loss of data. As we have experienced in the past, any significant compromise or breach of our data security, whether external or internal, or misuse of customer, associate, jobseeker, business partner, or Company data, could result in significant costs, including costs to investigate, mitigate, and remediate, as well as lost sales, fines, lawsuits, regulatory investigations, and damage to our reputation. Additionally, as we have experienced in the past, we or our third-party service providers may not discover any vulnerability, data security breach, system compromise, or data misuse or loss for a significant period of time after the occurrence of a security incident. When our systems or those of our third-party service providers on which we rely are breached or attacked, we may also suffer, and on some occasions have suffered, an outage, failure, or unavailability of data or information technology systems, cessations of service, and interruptions to our business operations while such breach or attack is being remedied; this may impact data or systems operated by us or by third-party service providers. Furthermore, our cyber insurance coverage may not be adequate for liabilities or costs actually incurred, and we cannot be certain that insurance will continue to be available to us on economically reasonable terms, or at all, or that any insurer will not deny coverage of a future claim. Data governance failures can also adversely affect our reputation and business. Our business depends on our customers', associates', jobseekers', contractors', and business partners' willingness to entrust us with their personal information. Events that adversely affect that trust, including inadequate disclosure to our customers, associates, jobseekers, contractors, or business partners of our uses of their information or failing to keep our information technology systems and our customers', associates', jobseekers', contractors', and business partners' personal information secure from significant attack, theft, damage, loss or unauthorized or unintended disclosure or access, whether as a result of our action or inaction (including human error or malfeasance) or that of our service providers or other third parties, could adversely affect our brand and harm our reputation. The regulatory environment related to data privacy, cybersecurity, and AI and other emerging technologies is constantly changing, with new and increasingly rigorous requirements applicable to our business. The implementation of these requirements has also become more complex. Maintaining our adherence to evolving data privacy and cybersecurity regulatory requirements, including state and international privacy laws, requires significant effort and cost, requires changes to our business practices, and may limit our ability to collect and use certain data for our business operations, including to support the customer experience. In addition, many regulators have indicated an intention to take more aggressive enforcement actions regarding data privacy and cybersecurity matters, and private litigation resulting from such matters is increasing and resulting in progressively larger judgments and settlements. Complying with current or contemplated information security, cybersecurity, data privacy, data protection, and data processing laws and regulations (including reporting and disclosure regimes), or any failure to comply, could cause us to incur substantial costs. As we have experienced in the past, failure to comply with applicable requirements could subject us to fines, sanctions, governmental investigations, or lawsuits, which could lead to negative publicity and reputational harm, and may cause customers to lose confidence in the effectiveness of our cybersecurity measures, data privacy practices, or our business more generally.