Part Two
This is Part 2 of our two-part series on California's landmark climate risk disclosure law, the California Climate-Related Financial Risk Act (SB 261). In Part 1, we covered the scope of the law, its reporting requirements,what's at stake for companies facing compliance, and how to approach preparing to comply with SB 261.
As a quick recap, SB 261 requires companies doing business in California (other than insurance companies) with over $500 million in annual revenue to evaluate and publicly disclose their climate-related financial risks, organized around four core pillars: governance, strategy, risk management, and metrics & targets. With the first disclosure due by January 1, 2026, preparing well in advance can be critical to ensure internal alignment, data readiness and reduced compliance, legal, and reputational risk.
In Part 2 below, we delve deeper into the foundational steps for launching a successful SB 261 compliance program, including:
- Designating the right legal and project leads
- Preserving attorney-client privilege, if appropriate
- Creating a project plan with realistic timelines
- Assessing materiality
- Managing related disclosure implications
01. Start with the Right People, Process and Legal Structure
Start with Legal.
As you start, consider clearly defining the scope of the internal work and identify the right internal leads—beginning with legal. An in-house or outside counsel can help shape the approach from the outset, assess legal risk, and advise on key decisions, including whether and how to preserve attorney-client privilege subject to the laws of the applicable jurisdiction(s).
Consider Attorney-Client Privilege.
Attorney-client privilege may not always apply to internal corporate audits in California, and compliance in and of itself may not suffice as a basis for privilege, so it is best to consider these issues from the outset of a project, especially if you anticipate sensitive internal investigations or analysis to follow.
Tips That May to Help Preserve Privilege:
- Engage legal early as project led or gatekeeper, which may help ensure the purpose and confidentiality of communications are understood.
- Minimize the risk of waiver by avoiding broad email distribution and sharing with third-parties which could undermine privilege.
- Clarify roles and scope, recognizing that privilege may depend on who (retained counsel) requests legal analysis, drafts documents, and prepares reports and for whom (usually only entities formally represented, not necessarily all affiliates under a parent company).
Even a project not led by counsel may reach a point where it becomes important to hand over portions of the project to counsel in order to seek legal advice.
02. Build a Cross Functional Team.
SB 261 defines climate-related financial risk broadly,1 impacting operations, supply chains, employee health, capital investments and more. Since nearly every corporate vertical—from procurement and capital planning to real estate, governance, enterprise risk committee (for companies that have one) and investor relations, and marketing—is impacted by the risk assessment, seeking input from a broad set of internal stakeholders is important to consider.
Designating this team early could potentially help to establish clear roles and responsibilities, avoid duplication of effort and accelerate issue-spotting, which could result in alignment of climate-related reporting efforts with department business strategy, particularly with respect to the more complex aspects such as the materiality assessment, scenario analysis, risk modeling, and target setting.
03. Add Sustainability Expertise Where Needed
Not every company will have in-house sustainability professionals or the capacity to manage SB 261 preparation on their own. If you don't have in-house professionals, consider taking a strategic approach by evaluating knowledge gaps and bandwidth to manage data, metrics, and scenario modeling.
When necessary, companies can potentially solve for these issues by hiring a full time employee dedicated to sustainability, engaging fractional sustainability support, or relying on outside consultants to help manage the scope of a process that spans functions, systems, and stakeholders. In addition to offering technical expertise, external advisors may help to keep efforts focused, coordinated and aligned with existing risk and governance frameworks; and when retained by counsel, may also help maintain privilege over strategic advice.
04. Secure Leadership Buy-in
Early engagement with company leadership is important to build executive buy-in. Consider securing time on board or committee agendas to brief them on the project launch and to provide regular updates key milestones, including:
- Project scope and resourcing
- Emerging climate-related risks and opportunities
- Structure and timing of proposed disclosures
- Interplay with insurance, financial reporting, and sustainability messaging
- Embed climate risk into existing governance protocols
05. Suggested Project Timelines
Below, we've outlined the core phases and suggested timeframes for SB 261 compliance. Depending on your organization's size and complexity, a 3- to 6-month project duration is likely a reasonable expectation. The first reporting deadline is January 1, 2026.
Project Phases | Suggested Timeframe |
Project Mobilization & Scoping | 1-2 weeks |
Materiality Assessment (Risk & Opportunity Identification) | 3-4 weeks |
Scenario Analysis & Target Setting | 2-3 weeks |
Strategy & Risk Management Integration | 1-3 weeks |
Governance Assessment | 1-2 weeks |
Disclosure Preparation | 3-4 weeks |
Internal Alignment, Submission, and Documentation | 1-2 weeks |
06. Conduct the Materiality Assessment
The materiality assessment is a foundational step in SB 261 compliance, which requires companies to identify their climate-related risks and opportunities and evaluate their likelihood and potential financial impact in order to determine what is material.
In aligning to the TCFD framework, materiality under SB 261 is based on what a reasonable investor would consider important to decision-making.
Consider beginning your assessment by:
- Reviewing the company's existing public disclosures (e.g., 10-Ks)
- Benchmarking against peer reports to identify gaps and opportunities
- Gathering cross-functional (legal, finance, HR, ops) insights of both a qualitative and quantitative nature
07. Embed Climate Risk within Corporate Governance
Embedding climate risk analysis into existing governance structures can be key to long-term effectiveness. Legal counsel often plays a pivotal role in the materiality assessment process, and can advise on preserving privilege when sharing preliminary findings with governance committees (e.g., audit, risk, or both) for evaluation and integration with the company's broader risk register. Retaining outside counsel to support these discussions may further protect privilege.
The Corporate Secretary may also consider updating committee charters to reflect new responsibilities related to climate risk and sustainability¾such as assigning financial impact reviews to the audit committee, and scenario analysis oversight to the enterprise risk committee.
08. Plan for Disclosures
Under SB 261, a full Climate Risk Disclosure report must be published by January 1, 2026, and submitted to the California Air Resources Board (CARB). SB 261 requires the report to disclose climate-related risks, as well as measures adopted to reduce and adapt to climate-related financial risk.
With respect to timing, companies may consider targeting completing data collection by the end of 3Q25 to then include it in a report draft available in October 2025, in order to allow time for engaging in actions such as 4Q25 internal review, leadership briefing and synching with insurance related disclosures and coverage.
If a company is unable to fully comply complete a report consistent with all required disclosures, SB 261 allows2 a company to:
- Disclose what it can to the best of its ability
- Provide a detailed explanation of any reporting gaps
- Describe steps for future reporting
In assessing any penalties for non-compliance, the statute3 also notes that "all relevant circumstances, including good-faith efforts, will be considered in enforcement.
09. If SB 261 Doesn't Apply, Why it Still Matters
Smaller companies that do not meet the $500M revenue compliance threshold may still wish to begin evolving their sustainability strategies and metrics in order to meet the growing sustainability expectations of large customers, align with investor or other stakeholder (employees, consumers) expectations, and prepare for evolving state and federal regulations. Stay tuned for future blogs where we will explore how companies of any size can further their sustainability goals.
Footnotes
1. Under Section 38533(a)(2) (2024), "climate-related financial risk" means "material risk of harm to immediate and long-term financial outcomes due to physical and transition risks, including but not limited to, risks to corporate operations, provision of goods and services, supply chains, employee health and safety, capital and financial investments, institutional investments, financial standing of loan recipients and borrowers, shareholder value, consumer demand, and financial markets and economic health."
2. Section 38533 (b)(ii)(B
3. Section 38533(f)(2)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.