If someone gets one of the values (who shouldn’t), what is the actual risk?
That depends; if all three values comp1, comp2, comp3 are 'random' (that is, unguessable by someone who doesn't know the appropriate secret) and independent (that is, the value of comp1 doesn't depend on the values of comp2, comp3), then revealing two of those three values doesn't tell the attacker anything about the key. If comp1 and comp2 are revealed, then the attacker is limited to guessing comp3 (which we assumed was difficult) or guessing key (which is essentially a brute force attack against AES; we also believe that is difficult).
On the other hand, if comp3 was based on, say, a human-chosen password, then comp3 could be guessed - in that case, revealing comp1 and comp2 makes life a lot easier on the attacker.
And, if comp1, comp2, comp3 are not independent, well, things are bad. In the most extreme case, suppose comp3 = comp1 $\oplus$ comp2 - in that case, it doesn't matter if anything is revealed; the attacker can guess the key without knowing anything else. You'd be better off doing something like key = hash(comp1, comp2, comp3); revealing some of the comp variables might give the attacker some information (because of the lack of independence), however at least things might be secure if a leak doesn't occur.
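The three cases above as an added example (not part of the original answer), assuming the key is formed as comp1 ⊕ comp2 ⊕ comp3 with 16-byte components. The function names and the choice of SHA-256 as the hash are assumptions made for illustration.

```python
import hashlib
import secrets

KEY_LEN = 16  # AES-128 key size in bytes (assumed for this example)


def xor_bytes(*parts):
    """XOR equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("components must have equal length")
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def make_components():
    """Three components that are random and independent of each other."""
    return tuple(secrets.token_bytes(KEY_LEN) for _ in range(3))


def missing_component(candidate_key, comp1, comp2):
    """Given leaked comp1 and comp2, return the comp3 that would make
    candidate_key the real key. One exists for every candidate, so the
    leak alone rules out no key at all."""
    return xor_bytes(candidate_key, comp1, comp2)


def hash_combine(comp1, comp2, comp3):
    """key = hash(comp1, comp2, comp3); each input is length-prefixed so
    that different splits of the same bytes cannot collide."""
    h = hashlib.sha256()
    for comp in (comp1, comp2, comp3):
        h.update(len(comp).to_bytes(4, "big"))
        h.update(comp)
    return h.digest()[:KEY_LEN]


def dependent_case():
    """comp3 = comp1 XOR comp2: the XOR key is all zeros whatever the
    components are, while the hash-based key still depends on them."""
    comp1 = secrets.token_bytes(KEY_LEN)
    comp2 = secrets.token_bytes(KEY_LEN)
    comp3 = xor_bytes(comp1, comp2)
    return xor_bytes(comp1, comp2, comp3), hash_combine(comp1, comp2, comp3)
```
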