Risk Strategy

Pre-IPO Risk Management: The Rules Are Getting Easier. The Scrutiny Is Not.

The SEC is lowering the bar for newly public companies. Underwriters and investors are not. What a credible pre-IPO risk program looks like.

By Eric Kennedy · Thu Jun 11 2026 · 8 min read

Pre-IPO Risk Management: The Rules Are Getting Easier. The Scrutiny Is Not.
TL;DR: Pre-IPO risk management is the work of building a risk program that holds up under underwriter diligence, investor scrutiny, and public-company governance before a company files to go public. The SEC is actively lowering the regulatory requirements: under its May 2026 proposal, every newly public company would start as a non-accelerated filer, exempt from the auditor attestation on internal controls and from ongoing risk factor disclosure, potentially forever. But the parties who decide whether your IPO succeeds, the underwriters, the institutional investors, the D&O insurers, and your own board, set their own bar, and it is not dropping. The companies that treat risk readiness as a diligence asset rather than a compliance cost are the ones that get through the window when it opens.

For years, the standard advice on going public included a warning: enjoy the on-ramp, because the compliance cliff is coming. A company could IPO as an emerging growth company, take up to five years of scaled disclosure and an exemption from the most expensive control requirement in securities law, and then graduate into the full regime. The cliff forced discipline. You built the risk and control infrastructure because you knew the auditors were coming.

That cliff is now on the table to be removed. And if you are a CFO or a head of internal audit at a company on an IPO path, the worst conclusion you could draw is that the risk work just got optional. The opposite is true. The regulatory floor is dropping at exactly the moment the market is raising its own.

What the rulebook requires today

Start with the current system, because the proposal only makes sense against it.

A company going public today files a registration statement, usually a Form S-1, and that filing must include a Risk Factors section under Item 105 of Regulation S-K. You sit down, you name the things that could materially hurt the business, and you publish them. There is no exemption from this at IPO. Whatever else changes, you still have to write your risks down once to get to the bell.

After the IPO, most companies qualify as emerging growth companies under the JOBS Act. An EGC is a company with less than 1.235 billion dollars in annual revenue, and the status lasts up to five years after the IPO unless revenue, debt issuance, or public float push the company out sooner. While it lasts, the EGC is exempt from the Section 404(b) requirement to have its outside auditor attest to internal controls over financial reporting.

Then the grace period ends. The fifth anniversary arrives, or revenue crosses the line, and the company faces its first 404(b) audit. Anyone who has lived through a first-year attestation knows it is not a formality. It is the moment a lot of newly public companies discover that the control environment they described in the S-1 and the one they actually run are two different things. The cliff was painful, but it had one virtue: it guaranteed that, eventually, someone independent would check.

What the SEC's proposal changes for IPO companies

On May 19, 2026, the SEC proposed a restructuring of the filer status system. I covered the mid-market implications in detail in my breakdown of the SEC filer status proposal, but the IPO-specific effects deserve their own treatment, because they are bigger than most of the coverage suggests.

Under the proposal, every company undergoing an IPO would enter the public markets as a non-accelerated filer. Non-accelerated filers would be exempt from the 404(b) auditor attestation and would not be required to provide risk factor disclosure in their Form 10-K and Form 10-Q. The threshold for large accelerated filer status, the only category where those requirements would still apply, would rise from 700 million dollars to 2 billion dollars in public float, and a company would need 60 months as a reporting company before it could become one, up from 12 months today.

Put those pieces together and this stops being a tweak to thresholds. Today, the question is when the compliance cliff hits. Under the proposal, for most companies, it never does. A company that stays under 2 billion dollars in public float would remain a non-accelerated filer indefinitely. No attestation, ever. No ongoing risk factor filing, ever. By the SEC's own estimate, 80.8 percent of public companies would sit in that category.

The comment period closes July 20, 2026, and nothing is final. But the direction is unmistakable. The regulator is dismantling the scaffolding that used to force newly public companies to mature their risk and control environments on a schedule.

What Changes at IPO
The Compliance Cliff Disappears
Today
IPO through Year 5
Emerging growth company. Scaled disclosure, no auditor attestation.
Year 5, or sooner: the cliff
First 404(b) auditor attestation, plus Risk Factors in every 10-K and 10-Q.
Under the Proposal
IPO onward, indefinitely
Non-accelerated filer. No auditor attestation. No ongoing Risk Factors requirement.
Unless public float crosses 2 billion dollars for two straight years after 60 months as a reporting company.
Source: SEC proposed rule, File No. S7-2026-18, May 19, 2026.
Kennedy Risk Group

The diligence bar does not read the Federal Register

Here is what does not change, and this is the part that should drive your planning.

An IPO is not a regulatory event first. It is a sales process. Before you ever face the SEC's ongoing reporting regime, you have to get through underwriters who put their reputation behind the offering, institutional investors who decide whether to anchor it, lawyers running diligence on every material claim in the prospectus, and D&O insurers pricing the risk of insuring your board. Every one of those parties asks some version of the same question: does management actually understand what could go wrong with this business, and is there evidence of it?

None of them lower their standards because the SEC lowered its filing requirements. If anything, the logic runs the other way. When the rules guaranteed that an auditor would eventually attest to your controls and that your risks would be published every quarter, outside parties could lean on that system. Remove it, and the burden of proof shifts to you. A buyer or an underwriter looking at a company that will never face an attestation has one fewer external signal to rely on, so they dig harder into the internal one: your own risk program.

There is also the matter of liability. Antifraud rules still apply in full. A company that knows about a material risk and hides it from investors is exposed whether or not a Risk Factors section was technically required. The first stock drop after an undisclosed problem surfaces is when newly public companies meet the securities class action bar. The disclosure requirement may become optional. The consequences of a known risk surprising the market do not.

Who Is Still Checking
The SEC's Bar Is Dropping. The Market's Bar Is Not.
The SEC's Bar, Dropping
404(b) auditor attestation: not required for non-accelerated filers
Ongoing Risk Factors in the 10-K and 10-Q: not required
Large accelerated filer obligations: deferred at least 60 months, and most companies would never reach them
The Market's Bar, Not Moving
Underwriter diligence on every material claim in the prospectus
Institutional investors deciding whether to anchor the offering
D&O insurers pricing the risk of insuring your board
Audit committee oversight on a public-company cadence
The acquirer or lender who will test all of it again later
Kennedy Risk Group

What a credible pre-IPO risk program looks like

EY's guidance, consistent for years, is that successful companies start preparing 12 to 24 months before the IPO, often with a formal readiness assessment. Most of that window gets consumed by financial reporting, systems, and governance plumbing. Risk is usually the line item that gets deferred. Here is what it should actually include.

A real enterprise risk assessment, tied to the equity story. The risks that matter pre-IPO are the ones that could break the narrative you are about to sell: customer concentration, key-person dependency, unit economics that do not survive scrutiny, cyber exposure, regulatory overhang. If your risk assessment reads like a generic checklist instead of a stress test of your own investment thesis, diligence will expose the gap. A risk register alone does not do this. I have written before about the difference between a risk register and a risk program, and the IPO process is where that difference gets expensive.

A risk appetite the board has actually debated. Underwriters and investors do not expect a 50-page framework. They expect management to answer, without flinching, how much risk the company is willing to run in pursuit of the growth plan, and where the escalation lines sit. A short, board-ratified risk appetite statement is one of the highest-credibility documents a pre-IPO company can produce, precisely because so few of them have one.

Governance that runs on a public-company cadence before you are public. Your audit committee should be receiving real risk reporting, on a quarterly rhythm, at least a year before the filing. Not because a rule requires it, but because the committee will be asked, in diligence and in liability terms, whether it exercised oversight. A committee that saw its first risk report the quarter before the S-1 has no good answer.

Management's control assessment treated as the main event. Whatever happens to 404(b), management's own obligation to assess internal controls under Section 404(a) remains. With no auditor attestation behind it, that self-assessment stops being a dress rehearsal and becomes the only assurance anyone gets. Building it honestly, with documented scope and real testing, is now the whole game.

A standing answer to the risk question. Even if the ongoing filing requirement disappears, maintain a current, plain-language statement of your material risks, reviewed by the board. You will use it in the S-1, in underwriter diligence, in D&O underwriting, and in every investor meeting where someone asks what keeps you up at night. A company that maintains it continuously can answer in days. One that has to build it under deadline pressure answers in weeks, and everyone in the room can tell.

SOX readiness is not risk management

One mix-up causes real damage on IPO paths, so it is worth pulling the two apart. SOX readiness is about controls over financial reporting: can you produce accurate financial statements, and can you prove the process behind them is controlled. Enterprise risk management is about the business: what could prevent the company from executing the plan investors are buying into.

They overlap in governance and share infrastructure, but neither substitutes for the other. A company can have immaculate financial controls and no functioning view of its strategic and operational risks. In an IPO process, you will be tested on both, by different people, at different stages. The efficient move is to build them together in the readiness window rather than sequentially under pressure, because the same risk assessment that drives your ERM program should inform your control scoping, and the same governance cadence carries both.

The bottom line

The SEC is proposing to make going public easier and staying public lighter, and for most companies the old compliance cliff would simply disappear. What replaces it is not nothing. It is the judgment of underwriters, investors, insurers, and your own board, applied without the comfort of knowing an auditor will eventually check. In that world, a working risk program stops being a cost of going public and becomes part of the asset you are selling. The companies that build it in the 12-to-24-month window will move through diligence faster and price with fewer surprises. They will also start public life with a discipline that nothing forces on them anymore, which is exactly what makes it worth something. The ones that read deregulation as permission to skip the work will find out, at the worst possible moment, that the market never agreed to the trade.

Where to Start

If your company is on an IPO path, or your investors are starting to use the word, the first step is knowing where your risk program actually stands. The ERM Program Diagnostic gives you an independent, practitioner-level read on your current state and the specific gaps a diligence process would find, in one to two weeks. If you already know the program needs to be built, the ERM Foundation Build stands up the full operating program, assessment, appetite, governance, and reporting, inside the readiness window.

Get the ERM Diagnostic{.cta-primary} See the ERM Foundation Build{.cta-secondary}

Frequently Asked Questions

What is pre-IPO risk management?

Pre-IPO risk management is the work of building an enterprise risk program before a company files to go public, so that its risk assessment, risk appetite, governance reporting, and internal control assessment hold up under underwriter diligence, investor scrutiny, and public-company board oversight. It typically starts 12 to 24 months before the planned offering, alongside financial reporting and SOX readiness.

Does the SEC require an ERM program before an IPO?

No. The SEC requires risk factor disclosure in the IPO registration statement under Item 105 of Regulation S-K, but it does not mandate an enterprise risk management program. The pressure to have one comes from underwriters, institutional investors, D&O insurers, and the board, all of whom test in diligence whether management has a real, documented view of the company's material risks.

What does the SEC's 2026 filer status proposal change for IPO companies?

Under the May 2026 proposal, every company going public would enter as a non-accelerated filer, exempt from the SOX 404(b) auditor attestation and from ongoing risk factor disclosure in its Form 10-K and Form 10-Q. The large accelerated filer threshold would rise to 2 billion dollars in public float with a 60-month seasoning requirement, so a company that stays below that line would never face either requirement. The proposal is not final; the comment period closes July 20, 2026.

Is SOX readiness the same as enterprise risk management?

No. SOX readiness covers internal controls over financial reporting: producing accurate financial statements and proving the process is controlled. Enterprise risk management covers the risks to the business itself: strategic, operational, financial, and compliance exposures that could prevent the company from executing its plan. An IPO process tests both, and building them together in the readiness window is more efficient than building them sequentially.

When should a company start building risk management before an IPO?

Start 12 to 24 months before the planned offering. EY's IPO readiness guidance notes that successful companies begin preparation in that window, often with a formal readiness assessment. Risk governance needs at least a year of operating history before the filing: an audit committee that has received quarterly risk reporting, a board-ratified risk appetite, and a current risk assessment all carry far more weight in diligence than versions assembled in the months before the S-1.