NRC HEALTH (NRC) Risk Factors

Item 1A. Risk Factors

You should carefully consider each of the risks described below, together with all of the other information contained in this Annual Report on Form 10-K, before making an investment decision with respect to our securities. If any of the following risks develop into actual events, our business, financial condition, or results of operations could be materially and adversely affected, and you may lose all or part of your investment. Some of the factors, events and contingencies discussed below may have occurred in the past, but the disclosures below are not representations as to whether or not the factors, events or contingencies have occurred in the past and instead reflect our beliefs and opinions as to the factors, events or contingencies that could materially and adversely affect us in the future.

Risks Related to our Business

We depend on contract renewals, including retention of key customers, for a large share of our revenue and our operating results could be adversely affected.

We expect that a substantial portion of our revenue for the foreseeable future will continue to be derived from renewable service contracts. To the extent that customers fail to renew or defer their renewals, our results may be materially adversely affected. We rely on a limited number of key customers for a substantial portion of our revenue. Our ten largest customers collectively accounted for 20%, 17%, and 15% of our total revenue in 2025, 2024, and 2023, respectively. Our ability to secure renewals depends on, among other things, our ability to gather and analyze performance data in a consistent, high-quality, and timely fashion. In addition, the service needs of our customers are affected by accreditation requirements, enrollment in managed care plans, the level of use of satisfaction measures in healthcare organizations’ overall management and compensation programs, the size of operating budgets, customers’ operating performance, industry and economic conditions, and changes in management or ownership. As these factors are beyond our control, we cannot ensure that we will be able to maintain our renewal rates. Any material decline in renewal rates from existing levels would have an adverse effect on our revenue and a corresponding effect on our operating and net income.

We operate in a highly competitive market and could experience increased price pressure and expenses as a result.

The healthcare analytics and market research services industry is highly competitive. We have traditionally competed with healthcare organizations’ internal marketing, market research and/or quality improvement departments that create their own performance measurement tools, and with other firms that provide survey-based healthcare market research and/or performance assessment. Our primary competitors include Press Ganey and Qualtrics, both of which we believe have significantly higher annual revenue than us, and several other firms that provide similar services in the market we serve. We also compete with market research firms and technology solutions which provide survey-based, general market research or voice of the customer feedback capabilities and firms that provide services or products that complement healthcare performance assessments, such as healthcare software or information systems. Although only a few of these competitors have offered specific services that compete directly with our services, many of these competitors have substantially greater financial, information gathering, and marketing resources than us and could decide to increase their resource commitments to our market. Our competitors may increase their resources through organic growth, as well as consolidation with other competitors. Furthermore, we do not have a publicly traded group of peers, which makes it difficult to compare and benchmark performance to other similar companies. There are relatively few barriers to entry into our market, and we expect increased competition in our market which could adversely affect our operating results through pricing pressure, increased marketing expenditures, and market share losses, among other factors. There can be no assurance that we will continue to compete successfully against existing or new competitors.

8

Table of Contents

Because our customers are concentrated in the healthcare industry, our revenue and operating results may be adversely affected by changes in regulations, a business downturn, or consolidation with respect to the healthcare industry.

Substantially all of our revenue is derived from customers in the healthcare industry. As a result, our business, financial condition, and results of operations are influenced by conditions affecting this industry, including changing political, economic, competitive, and regulatory influences that may affect the procurement practices and operation of healthcare providers and payers. The healthcare industry is extensively regulated by both state and federal government. Future legislative changes, including additional provisions to control healthcare costs, improve healthcare quality, and expand access to health insurance, could result in lower reimbursement rates and otherwise change the environment in which providers and payers operate. From time-to-time, members of the U.S. House of Representatives have weighed legislative proposals targeting Medicaid, Medicare, and other entitlement programs as part of broader campaigns to reduce federal spending, a number of executive orders have been issued intended to reduce government spending, and we expect there will be continued proposals targeting reimbursement methodologies and the number of individuals eligible for government healthcare programs. There have also been proposals calling for repeal or reform of the Affordable Care Act. Any of these or related actions by state or federal governments could significantly reduce federal or state spending on the Medicaid and Medicare programs, constitute a fundamental change in the federal role in healthcare, change the nature of the entitlements offered by Medicaid and Medicare, or reduce or delay the payments made to both non-profit and for profit healthcare systems by Medicaid and Medicare, any of which could have a material effect on the revenues of our customers, resulting in harm to the demand for our solutions and our ability to collect subscriptions and fees owed to us, which could negatively impact our business, financial condition, cash flows, and results of operations.

In addition, large private purchasers of healthcare services are placing increasing cost pressure on providers. Healthcare providers may react to these cost pressures and other uncertainties by curtailing or deferring purchases, including purchases of our services. Moreover, there has been consolidation of companies in the healthcare industry, a trend which we believe will continue to grow. Consolidation in this industry, including the potential acquisition of certain of our customers, could adversely affect aggregate customer budgets for our services, could result in customers performing more marketing, market research and/or quality improvement functions internally, or could result in the termination of a customer’s relationship with us. The impact of these developments on the healthcare industry is difficult to predict and could have an adverse effect on our revenue and a corresponding effect on our operating and net income.

We could be negatively impacted by outbreaks or pandemics.

Any outbreak of contagious diseases, such as COVID-19 or its variants, or adverse public heath environments could negatively affect our business, results of operations, financial condition, and stock price. While the risk of such outbreaks is unpredictable, and the extent of such risk is highly uncertain, the possibility of future outbreaks remains a risk that could have a material adverse effect on our business and it may also have the effect of heightening many of the other risks described in this Part I, Item 1A of this Form 10-K.

We could be negatively impacted by global conflicts or similar events.

Global conflicts or any expansion of such conflicts could adversely affect our business and operations. From time-to-time we outsource certain software development services to third parties outside of the United States, including in Ukraine. Historically, our contractors located in areas of conflict (including in Ukraine) have been able to continue their work. However, those services could be more negatively impacted in the future.

Civil unrest, political instability or uncertainty, military activities, utility service breakdowns, or broad-based sanctions, should they continue for the long term or escalate, could interrupt our contractors’ ability to provide services and require our associates to perform the services or replace the contractors which could have an adverse effect on our operations and financial performance, including higher volatility in foreign currency exchange rates, increased use of less cost-efficient resources and negative impacts to our business resulting from deteriorating general economic conditions. Further, we cannot predict the impact of the military actions and any heightened military conflict or geopolitical instability that may follow, including additional sanctions or countersanctions, heightened inflation, cyber disruptions or attacks, higher energy costs, and supply chain disruptions.

In addition, the new administration has imposed new or increased tariff rates on imported goods from a number of countries. Such trade policies and tariff implementations, and any related retaliatory trade policies and tariff implementations by foreign governments may result in increased costs and worsening economic conditions and could have an adverse impact on our results of operations.

9

Table of Contents

General economic factors could adversely impact our profitability.

Negative changes in general economic conditions, in the geographic areas in which we operate may reduce our profitability. An economic downturn, a rise in interest rates, and inflationary pressures can reduce the demand for our services and result in terminations as well as slower customer payments or customer defaults on receivables. Additionally, in recent years, we experienced increased costs, including salary and benefits costs, software costs, contracted services, costs associated with our building improvements, and equipment purchases, and we expect inflationary pressures to continue in 2026. Inflation may increase our costs without a corresponding increase in our contract revenue due to fixed contract arrangements, which could result in decreased margins and profitability.

We face several risks relating to our ability to collect the data on which our business relies.

Our ability to provide timely and accurate performance measurement and improvement services to our customers depends on our ability to collect large quantities of high-quality data through surveys. If survey operations are disrupted and we are unable to process surveys in a timely manner, then our revenue and net income could be negatively impacted. We outsource certain operations and engage third parties to perform work needed to fulfill our customer services. For example, we use vendors to perform certain outreach and data collection services related to our survey operations. If any of these vendors cease to operate or fail to adequately perform the contracted services and alternative resources and processes are not utilized in a timely manner, our business could be adversely affected. The loss of any of our key vendors could impair our ability to perform our customer services and result in lower revenues and income. It would also be time-consuming and expensive to replace, either directly or through other vendors, the services performed by these vendors, which could adversely impact revenues, expenses, and net income. Furthermore, our ability to monitor and direct our vendors’ activities is limited. If their actions and business practices violate policies, regulations or procedures otherwise considered illegal, we could be subject to reputational damage or litigation which would adversely affect our business.

If receptivity to our survey methods by respondents declines, or, for some other reason, their willingness to complete and return surveys declines, or if we, for any reason, cannot rely on the integrity of the data we receive, then our revenue could be adversely affected with a corresponding effect on our operating and net income.

If intellectual property and other proprietary information technology were copied or independently developed by our competitors, our operating results could be negatively affected.

Our success depends in part upon our data collection process, research methods, data analysis techniques, and internal systems and procedures that we have developed specifically to serve customers in the healthcare industry. We do not hold patents for our intellectual property. Consequently, we rely on a combination of copyright, trade secret laws, and associate nondisclosure agreements to protect our systems, survey instruments, and procedures. We cannot assure you that the steps we have taken to protect our rights will be adequate to prevent misappropriation of such rights, or that third parties will not independently develop functionally equivalent or superior systems or procedures. We believe that our systems and procedures and other proprietary rights do not infringe upon the proprietary rights of third parties. We cannot assure you, however, that third parties will not assert infringement claims against us in the future, or that any such claims will not result in protracted and costly litigation, regardless of the merits of such claims, or whether we are ultimately successful in defending against such claims.

Failures, interruptions, or deficiencies in our information technology and communications systems could negatively impact our business and operating results.

Our ability to provide timely and accurate performance measurement and improvement service to our customers is dependent, to a significant extent, upon the technology that we develop internally as well as the efficient and uninterrupted operation of our information technology and communication systems, and those of our external service providers. Investment in the enhancement of existing and development of new information technology processes is costly and affects our ability to successfully serve our customers. The failure or deficiency of the technology we develop and implement could negatively impact the willingness or ability for our customers to use our services and our ability to perform our services. Our failure to anticipate customers’ expectations and needs, adapt to emerging technological trends, or design efficient and effective information technology platforms, could result in lower utilization, loss of customers, damage to customer relationships, reduced revenue and profits, refunds to customers, and damage to our reputation. Although we have procedures to monitor the efficacy of our information technology platforms, the procedures may not prevent failures or deficiencies in the information technology platforms we develop and implement, we may not adapt quickly enough and may incur significant costs and delays that could harm our business. Additional costs will be incurred to further develop and improve our information technology platforms.

10

Table of Contents

In addition, changing technologies including AI and other emerging technologies may become significant to operational results in the future. We plan to continue to invest in research and development, including through acquisitions, in order to enhance our technology and new and existing solutions. However, if we are unable to successfully anticipate, develop, implement, and utilize such emerging technologies as effectively as competitors or our customers are able to use AI as a replacement to our services, our results of operations may be negatively affected. Additionally, while AI and other technologies may offer substantial benefits, they may also introduce additional risks and raise ethical, technological, legal, regulatory, and other issues that may negatively affect the demand for our solutions.

Our systems and those of our external service providers could be exposed to damage or interruption from fire, natural disasters, which may increase in frequency and severity due to climate change, energy loss, telecommunication failure, security breach, and computer viruses. An operational failure or outage in our information technology and communication systems or those of our external service providers, could result in loss of customers, damage to customer relationships, reduced revenue and profits, refunds of customer charges, and damage to our reputation and may result in additional expense to repair or replace damaged equipment and recover data loss resulting from the interruption. Although we have taken steps to prevent system failures and have back-up systems and procedures to prevent or reduce disruptions, such steps may not prevent an interruption of services, and our disaster recovery planning may not account for all contingencies. Additionally, our insurance may not adequately compensate us for all losses or failures that may occur. Any one of the above situations could have a material adverse effect on our business, financial condition, results of operations, and reputation.

If we or our third-party service providers sustain cyber-attacks or other privacy or data security incidents that result in security breaches that disrupt our operations or result in the unintended dissemination of protected personal information or proprietary or confidential information or AI impacts our demand for, or providing of, services, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm, and other serious negative consequences.

In connection with our customer services, we and our third-party service providers receive, process, store, and transmit sensitive business information and, in certain circumstances, personal medical information of our customers’ patients, electronically over the internet. We or our third-party service providers may become the target of attempted cyber-attacks and other security threats and may be subject to breaches of the information technology systems we use. Experienced computer programmers and hackers may be able to penetrate our security controls and access, misappropriate or otherwise compromise protected personal information or proprietary or confidential information or that of third parties, create system disruptions, or cause system shutdowns that could negatively affect our operations. They also may be able to develop and deploy viruses, worms, ransomware, and other malicious software programs that attack our systems or otherwise exploit any security vulnerabilities.

In addition, the risk of cyber-attacks has increased in connection with the military conflict between Russia and Ukraine and the resulting geopolitical conflict. In light of those and other geopolitical events, nation-state actors or their supporters may launch retaliatory cyber-attacks and may attempt to cause supply chain and other third-party service provider disruptions, or take other geopolitically motivated retaliatory actions that may disrupt our business operations, result in data compromise, or both. Nation-state actors have in the past carried out, and may in the future carry out, cyber-attacks to achieve their aims and goals, which may include espionage, information operations, monetary gain, ransomware, disruption, and destruction. In February 2022, the U.S. Cybersecurity and Infrastructure Security Agency issued a “Shields Up” alert for American organizations noting the potential for Russia’s cyber-attacks on Ukrainian government and critical infrastructure organizations to impact organizations both within and beyond the United States, particularly in the wake of sanctions imposed by the United States and its allies, which is still in effect. These circumstances increase the likelihood of cyber-attacks and/or security breaches.

We were the target of a cyber-attack in 2020, which resulted in temporary suspension of our services to customers. One of our third-party service providers was the target of a cyber-attack in December 2022, which resulted in a temporary suspension of certain services to our customers. In both instances no protected data was compromised or exfiltrated. We, and our service providers, will likely continue to be the target of other attempted cyber-attacks and security threats. Such cyber-attacks may subject us to litigation and regulatory risk, civil and criminal penalties, additional costs and diversion of management attention due to investigation, remediation efforts and engagement of third-party consultants and legal counsel in connection with such incidents, payment of “ransoms” to regain access to our systems and information, loss of customers, damage to customer relationships, reduced revenue and profits, refunds of customer charges, and damage to our reputation, any of which could have a material adverse effect on our business, cash flows, financial condition, and results of operations. While we have contingency plans and insurance coverage for potential liabilities of this nature, they may not be sufficient to cover all claims and liabilities and in some cases are subject to deductibles and layers of self-insured retention. Any system failure, inability to upgrade or update, or security breach (including cyber-attacks) related to our information technology systems may also impact third parties that we rely on in our business and could result in a hinderance to the services provided by the Company or such third parties, as the case may be, and may have a material adverse effect on our business.

11

Table of Contents

We cannot ensure that we or our third-party service providers will be able to identify, prevent, or contain the effects of cyber-attacks or other cybersecurity risks that bypass our security measures or disrupt our information technology systems or business. The use of AI by bad actors may make cyber-attacks more difficult to anticipate or detect. We have security technologies, processes, and procedures in place to protect against cybersecurity risks and security breaches. However, hardware, software, or applications we develop or procure from third parties may contain defects in design, manufacturer defects, or other problems that could unexpectedly compromise information security. In addition, because the techniques used to obtain unauthorized access, disable, or degrade service or sabotage systems change frequently, are becoming increasingly sophisticated, and may not immediately produce signs of intrusion, we may be unable to anticipate these techniques, timely discover or counter them or implement adequate preventative measures.

In addition, we use third-party technology, systems, and services for a variety of reasons, including, without limitation, encryption and authentication technology, employee email, content delivery to customers, back-office support, and other functions that in some cases involve processing, storing, and transmitting large amounts of data for our business. These third-party providers may also experience security breaches or interruptions to their information technology hardware and software infrastructure and communications systems that could adversely impact us.

Under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, or HITECH, implementing regulations promulgated by the U.S. Department of Health and Human Services, or “HHS,” including what are referred to as the “Privacy Rule” and the “Security Rule” (collectively, “HIPAA”), we face potential liability related to the privacy of health information we obtain. We are required through our contracts with our customers and by HIPAA to protect the privacy and security of certain health information and to make certain disclosures to our customers or to the public if this information is unlawfully accessed.

Changes in privacy and information security laws and standards may require that we incur significant expense to ensure compliance due to increased technology investment and operational procedures. Noncompliance with any privacy or security laws and regulations, including, without limitation, HIPPA, or any security breach, cyber-attack or cybersecurity breach, and any incident involving the misappropriation, loss, or other unauthorized disclosure or use of, or access to, sensitive or confidential information, whether by us or by one of our third-party service providers, could require us to expend significant resources to continue to modify or enhance our protective measures and to remediate any damage. In addition, this could negatively affect our operations, cause system disruptions, damage our reputation, cause customer losses and contract breaches, and could also result in regulatory enforcement actions, material fines and penalties, litigation, or other actions that could have a material adverse effect on our business, cash flows, financial condition, and results of operations. Even if cyber-attacks or other cybersecurity breaches do not result in noncompliance with privacy or security laws, the perception that such noncompliance may have occurred by our customers or in the news media may have an adverse impact on our stock price and could result in damage to our reputation or loss of customers, which could have a material adverse effect on our business, cash flows, financial condition, and results of operations.

New solution offerings involve inherent risk.

We have made substantial investments to develop new solution offerings and technologies, including AI-enabled offerings. We expect to continue investing significant resources in developing new technologies, tools, features, and solutions. At the same time, our competitors are rapidly developing their technologies and services, and our offerings may not be able to compete effectively. Our new solutions have a high degree of risk, as each involves strategies and technologies with which we have limited or no prior development or operating experience. There can be no assurance that customer demand for such initiatives will exist or be sustained at the levels that we anticipate, or that they will generate sufficient revenue to offset any new expenses or liabilities associated with these new investments. Further, our development efforts with respect to new solution offerings and technologies could distract management from current operations and will divert capital and other resources from our more established solution offerings and technologies. Even if we are successful in developing new solution offerings or technologies, regulatory authorities may subject us to new rules or restrictions in response to our innovations that could increase our expenses or prevent us from successfully commercializing new solution offerings or technologies. If we do not invest in commercially successful and innovative technologies, we may not realize the expected benefits of those investments. At the same time, if we do not realize the expected benefits of our investments, our business, financial condition and operating results may be harmed. No assurance can be given that such strategies and offerings will be successful and will not harm our reputation, financial condition, and operating results.

12

Table of Contents

Some of our employees work remotely, which may increase the cybersecurity risks to our business, including an increased demand for information technology resources, increased risk of phishing, and other cybersecurity risks.

We have, and expect to continue to have, a portion of our employee population that works from home full-time or under flexible work arrangements, and we have provided associates with expanded remote network access options which enable them to work outside of our corporate infrastructure and, in some cases, use their own personal devices, which exposes us to additional cybersecurity risks. Our employees working remotely may expose us to cybersecurity risks through: (i) unauthorized access to sensitive information as a result of increased remote access, including our employees’ use of Company-owned and personal devices and videoconferencing functions and applications to remotely handle, access, discuss, or transmit confidential information, and (ii) increased exposure to phishing and other scams as cybercriminals may, among other things, install malicious software and access sensitive information. We believe that the increased number of employees working remotely has incrementally increased our cyber risk profile, but we are unable to predict the extent or impact of those risks at this time. A significant disruption of our information technology systems, unauthorized access to or loss of confidential information, or legal claims resulting from our violation of privacy laws could each have a material adverse effect on our business.

Reputational harm could have a material adverse effect on our business, financial condition, and results of operations.

Our ability to maintain a positive reputation is critical to selling our services. Our reputation could be adversely impacted by any of the following (whether or not valid): the failure to maintain high ethical and social standards; the failure to perform our customer services in a timely manner; violations of laws and regulations; failure to adequately preserve information security; and the failure to maintain an effective system of internal controls or to provide accurate and timely financial information. Damage to our reputation or loss of our customers’ confidence in our services for any of these, or any other reasons, could adversely impact our business, revenues, financial condition, and results of operations, as well as require additional resources to rebuild our reputation.

Our operations are subject to laws and regulations that impose significant compliance costs and create reputational and legal risk.

Due to the nature of the services we offer, we are subject to significant commercial, trade, and privacy regulations. We cannot predict the nature, scope, or effect of future regulatory requirements to which our operations might be subject or the manner in which existing laws might be administered or interpreted, which could have a material and negative impact on our business and our results of operation. For example, recent years have seen an increase in the development or enforcement of legislation related to healthcare reform, privacy, and trade compliance. Additionally, some of the services we provide include information our customers need to fulfill regulatory reporting requirements. If our services result in errors or omissions in our customers’ regulatory reporting, we may be subject to loss of customers, reputational harm, or litigation, each potentially adversely impacting our business. Furthermore, although we maintain a variety of internal policies and controls designed to educate, discourage, prevent, and detect violations of such laws, we cannot guarantee that such actions will be effective or sufficient or that individual employees will not engage in inappropriate behavior in breach of our policies. Such conduct, or even an allegation of misbehavior, could result in material adverse reputational harm, costly investigations, severe criminal or civil sanctions, or could disrupt our business, and could negatively affect our results of operations or financial condition.

Ineffective internal controls could have a negative impact on our business, results of operations, and our reputation.

Our internal controls over financial reporting may not prevent or detect misstatements because of its inherent limitations, including the possibility of human error, failure or interruption of information technology systems, the circumvention or overriding of controls, or fraud. Even effective internal controls can provide only reasonable assurance with respect to the preparation and fair presentation of financial statements. If we fail to maintain the adequacy of our internal controls, including any failure to implement required new or improved controls, or if we experience difficulties in their implementation, including with the implementation of our internal controls in acquired companies, our business and operating results could be harmed and we could fail to meet our financial reporting obligations, which also could have a negative impact on our reputation.

13

Table of Contents

Our growth strategy includes future acquisitions, partnerships, and/or investments which involve inherent risk.

In order to expand services or technologies to existing customers and increase our customer base, we have historically, and may in the future, make strategic business acquisitions, partnerships with other organizations, and/or investments that we believe complement our business.

Acquisitions have inherent risks which may have material adverse effects on our business, financial condition, or results of operations, including, among other things: (1) failure to successfully integrate the purchased operations, technologies, products, or services and maintain uniform standard controls, policies, and procedures; (2) substantial unanticipated integration costs; (3) loss of key associates including those of the acquired business; (4) diversion of management’s attention from other operations; (5) failure to retain the customers of the acquired business; (6) failure to achieve any projected synergies and performance targets; (7) additional debt and/or assumption of known or unknown liabilities; (8) dilutive issuances of equity securities; (9) a write-off of goodwill, software development costs, customer lists, other intangibles and amortization of expenses; and (10) an acquisition target may have differing or inadequate cybersecurity, data protection, or financial reporting. If we fail to successfully complete acquisitions or integrate acquired businesses, we may not achieve projected results and there may be a material adverse effect on our business, financial condition, and results of operations. In addition, volatility in the equity markets could impair our financial position in general terms and our ability to effectively capitalize on potential merger and acquisition opportunities.

We have established a strategic partnership and intend to continue to establish strategic partnerships with third parties to enhance our solution offering. We currently depend on our partner’s technology to perform certain services for our customers. As a result, these services may not be provided in the manner or on the time schedule we currently expect, which may negatively impact our business operations. In addition, we cannot control the amount and timing of resources our partners may devote to their technology enhancements. Furthermore, there is no assurance that our partner-provided services will be purchased by our customers. Our partners may terminate their agreements with us for cause under certain circumstances and may elect not to renew our agreements, which could discontinue our ability to use their technologies and could result in our partners pursuing competing solutions. If our partners terminate or breach our agreements with them or otherwise fail to complete their obligations in a timely manner, it may have a detrimental effect on our financial position by reducing or eliminating the potential for us to receive technology access and perform our contractual obligations to our customers. These factors could have a material adverse effect on our business, financial condition, and results of operations.

If we are unable to achieve a proper revenue to cost ratio our profitability could decrease.

Our ability to achieve our goals and earnings growth depends on our ability to grow our revenue and achieve the appropriate cost structure for our revenues. Our revenue and margins have decreased in recent years. We have invested in product development, sales, and leadership in an effort to increase revenue. We have also adjusted spending in certain areas to reduce costs. If we are unsuccessful in increasing our revenue or we do not reduce costs sufficiently, our margins will continue to be compressed.

Risks Related to our Common Stock

Our principal shareholders effectively control the Company.

A majority of our common stock and voting power was historically owned and/or held by Michael D. Hays, our Chairman of the Board. However, over the years Mr. Hays, for estate planning purposes, gifted and/or transferred almost all of his directly owned shares to trusts for the benefit of his family. Currently, the principal holder of shares previously owned by Mr. Hays is the Common Property Trust (the “Trust”).

As of February 28, 2026, approximately 37.5% of our outstanding common stock was owned by the Trust and approximately 46.8% of our outstanding common stock was held by the Trust and other entities controlled by trustees or special power holders for the benefit of members of Mr. Hays’ family. As a result, the Trust and these other entities, through the trustees or special power holders, have the power to indirectly control and significantly influence decisions such as whether to issue additional shares or declare and pay dividends and can control matters requiring shareholder approval, including the election of directors and the approval of significant corporate matters such as change of control transactions. The effects of such influence could be to delay or prevent a change of control of the Company unless the terms are approved by the Trust and these other entities.

14

Table of Contents

The market price of our common stock may be volatile and shareholders may be unable to resell shares at or above the price at which the shares were acquired.

The market price and trading volume of our common stock has historically been and may continue to be highly volatile, and investors in our common stock may experience a decrease in the value of their shares, including decreases that are in response to factors beyond our control, including, but not limited to:

Any of these factors, among others, may result in changes in the trading volume and/or market price of our common stock. Following periods of volatility in the market price of securities, shareholders have often filed securities class-action lawsuits. Our involvement in a class-action lawsuit would result in substantial legal fees and divert our senior management’s attention from operating our business, which could harm our business and net income.

General Risk Factors

Our operating results may fluctuate and this may cause our stock price to decline.

Our overall operating results may fluctuate as a result of a variety of factors, including the size and timing of orders from customers, customer demand for our services (which, in turn, is affected by factors such as accreditation requirements, enrollment in managed care plans, operating budgets, and customers’ operating performance), the hiring and training of additional staff, expense increases, and industry and general economic conditions. Because a significant portion of our overhead is fixed in the short term, particularly some costs associated with owning and occupying our building and full-time personnel expenses, our results of operations may be materially adversely affected in any particular period if revenue falls below our expectations. These factors, among others, make it possible that in some future period our operating results may be below the expectations of securities analysts and investors, which would have a material adverse effect on the market price of our common stock.

Our business and operating results could be adversely affected if we are unable to attract or retain key managers and other personnel.

Our future performance may depend, to a significant extent, upon the efforts and ability of our key personnel who have expertise in gathering, interpreting, and marketing survey-based performance information for healthcare markets. Although customer relationships are managed at many levels within our company, the loss of the services of Trent Green, our Chief Executive Officer, or one or more of our other executive officers or Chairman, could have a material adverse effect, at least in the short to medium term, on most significant aspects of our business, including strategic planning, product development, sales, and customer relations. Our success will also depend on our ability to hire, train, and retain skilled personnel in all areas of our business. Competition for qualified personnel in our industry is intense, and many of the companies that compete with us for qualified personnel have substantially greater financial and other resources than us. Furthermore, we expect competition for qualified personnel to become more intense as competition in our industry increases. We cannot assure you that we will be able to recruit, retain, and motivate a sufficient number of qualified personnel to compete successfully.

15

Table of Contents

Like many other companies, we experienced higher attrition rates in the last several years. We may incur higher costs to attract, train, and retain associates. Attrition in our sales and service areas can also impact our ability to retain and attract new business. We may need to develop or adapt to new ways of doing business that challenge our leadership, our associate training, our human resources, and our business practices, and we cannot assure you that we will be successful in doing so. The short and long-term costs associated with these potential changes are difficult to quantify.

Increases in income tax rates, changes in income tax laws or regulations, or unfavorable resolutions of tax matters could adversely impact our profitability.

We are subject to income tax in the United States. Our overall effective income tax rate is a function of the federal and local tax rates and the geographic mix of our income before taxes in the jurisdictions in which we operate. The U.S. administration and certain members of Congress have indicated a desire to amend the federal tax laws. Changes in tax rates could negatively impact our net income. Tax laws and regulations, including rates of taxation, are subject to revisions by individual taxing jurisdictions. It is possible that these types of changes could materially impact our net income and cash flows. Significant judgment is required in determining our annual income tax expense and in evaluating our tax positions. Although we believe our tax estimates are reasonable, the final determination of tax audits could materially differ from our historical income tax provisions, estimates, and accruals and could materially adversely impact our financial statements for the period or periods which the statute of limitations is open.

Failure to comply with public company regulations could adversely impact our profitability.

As a public company, we are subject to the reporting requirements of the Securities Act of 1933, the Securities Exchange Act of 1934, the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the listing requirements of NASDAQ, and other applicable securities rules and regulations. Additionally, laws, regulations and standards relating to corporate governance and public disclosure are subject to varying interpretations and continue to develop and change. If we misinterpret or fail to comply with these rules and regulations, our legal and financial compliance costs and net income may be adversely affected.

We may change our dividend policy at any time.

We have historically paid quarterly dividends to holders of our common stock. Although we expect to continue to pay dividends to holders of our common stock, the declaration and amount of any future dividends is subject to approval of our Board of Directors and various risks and uncertainties, including, but not limited to, our cash flow and cash needs, compliance with applicable law, restrictions on the payment of dividends under existing or future financing arrangements, changes in tax laws relating to corporate dividends, and deterioration in our financial condition or results of operations. Accordingly, our dividend policy may change at any time without notice, and our Board of Directors may determine to terminate payment of dividends, or reduce the amount or frequency of dividend payments, and we may not pay dividends at our historical rates or at all.

16

Table of Contents