40+ ESG KRIs Mapped to SEC Climate Rules, ISSB, CSRD, GRI, and TCFD for US-Listed Companies
Introduction: Why ESG KRIs Matter More Than Ever in 2026
Here is a reality check for every risk and compliance professional at a US-listed company: the regulatory landscape for ESG and sustainability disclosure is not getting simpler. It is getting more fragmented.
The SEC voted in March 2025 to stop defending its climate disclosure rules. But that did not make the compliance obligation disappear. California’s SB 253 still requires Scope 1 and 2 emissions reporting starting in 2026 and Scope 3 in 2027.
The EU’s Corporate Sustainability Reporting Directive, while narrowed by the Omnibus package in late 2025, still catches US companies with significant European operations. And globally, 36 jurisdictions have now adopted or are finalizing steps toward the ISSB standards (IFRS S1 and S2), which have effectively replaced the TCFD framework.
The practical question facing risk managers and boards is not whether to monitor ESG risks. It is what to measure, how to set thresholds, and which frameworks to anchor your KRI program to. That is exactly what this guide delivers.
This article provides a complete, practitioner-ready framework with 40+ key risk indicators spanning environmental, social, and governance dimensions. Each KRI is mapped to the specific regulatory frameworks that require or expect it: the SEC climate disclosure rules (as adopted March 2024, currently stayed), the ISSB’s IFRS S2, the EU’s CSRD and ESRS, GRI Standards, and California’s SB 253/261.
If you are building, refreshing, or auditing an ESG KRI dashboard for a US-listed company, this is your reference document.
For foundational guidance on key risk indicators in general, see our detailed guide on key risk indicators and their essential characteristics. For financial-sector-specific KRIs, visit our post on KRI examples for banks.
The 2026 ESG Regulatory Landscape for US-Listed Companies
Before diving into specific KRIs, you need to understand which frameworks create your disclosure obligations. This is not academic. Each framework drives different data collection requirements, assurance expectations, and board reporting timelines.
SEC Climate Disclosure Rules (March 2024)
The SEC adopted its climate rules in March 2024, requiring registrants to disclose material climate-related risks in registration statements and annual reports. The rules required Scope 1 and 2 emissions disclosure for large accelerated and accelerated filers, scenario analysis for material climate risks, and financial statement disclosures for severe weather events.
However, the rules have never taken effect. They were voluntarily stayed during Eighth Circuit litigation, and in March 2025 the Commission voted to stop defending them. In September 2025, the Eighth Circuit put the case in abeyance, telling the SEC to either rescind or defend the rules. As of early 2026, the rules remain technically on the books but unenforced.
For a deeper understanding of how to translate risk data into board-ready financial language, see our guide on risk quantification for boards.
Practical implication: Even without enforcement, the SEC rules established the data architecture many companies are already building toward. Treat the rule’s disclosure categories as a planning baseline.
ISSB Standards: IFRS S1 and IFRS S2
The ISSB’s standards, launched in June 2023 and effective from January 2024, have rapidly become the global baseline for sustainability disclosure. IFRS S2 incorporates and effectively replaces the TCFD recommendations.
As of January 2026, 21 jurisdictions have adopted these standards on a mandatory or voluntary basis, with 16 more planning adoption. The four-pillar structure of governance, strategy, risk management, and metrics and targets is now the de facto organizing framework for climate risk disclosure worldwide.
For risk professionals looking to integrate these standards into broader enterprise risk management frameworks, the ISSB architecture aligns naturally with ISO 31000’s risk management process.
EU CSRD and ESRS (Post-Omnibus)
The EU’s CSRD underwent major recalibration in 2025. The European Parliament approved an Omnibus package in December 2025 that narrowed the scope dramatically: only EU companies with more than 1,000 employees and over €450 million turnover are now covered, along with non-EU groups exceeding €450 million EU turnover with a subsidiary or branch generating at least €200 million.
This reduced mandatory reporters by approximately 80%. The “stop-the-clock” directive delayed Wave 2 reporting to FY 2027 (reports published 2028). For US companies with significant EU operations, the CSRD remains relevant but the timeline is more forgiving than originally planned.
California SB 253 and SB 261
California’s climate disclosure laws are arguably the most immediately actionable framework for US companies. SB 253 requires companies with over $1 billion in annual revenue doing business in California to report Scope 1 and 2 emissions starting in 2026, with Scope 3 following in 2027.
While the Ninth Circuit temporarily enjoined SB 261 (climate financial risk disclosure) in November 2025, SB 253 remains in effect. The California Air Resources Board has signaled enforcement discretion in Year 1, but the data collection obligation is real now.
GRI Standards
GRI remains the most widely used voluntary sustainability reporting framework globally, with approximately 53% adoption among reporting companies in 2025. While the ISSB standards focus on financial materiality (what affects investors), GRI uses a double-materiality lens that also covers the company’s impact on people and the environment. Many companies use both frameworks in tandem.
GRI’s topic-specific standards (300-series for environmental, 400-series for social) provide the most granular KRI definitions available.
Building an ESG KRI Framework: The Five-Step Process
If you already run a KRI dashboard for operational or financial risk, the ESG extension follows the same logic. Here is the process, adapted for ESG:
Step 1: Map your disclosure obligations. List every framework that applies to your company. For a US-listed company with EU subsidiaries, this could include SEC rules (as baseline), California SB 253, CSRD, and voluntary GRI/ISSB alignment. Cross-reference each framework’s specific disclosure requirements.
Step 2: Identify material ESG risk categories. Use a double-materiality assessment to surface which ESG topics are financially material (affect your company’s value) and impact-material (your company’s effect on people and planet). This aligns with both CSRD requirements and investor expectations under ISSB. For a structured approach, adapt your existing risk assessment methodology.
Step 3: Select KRIs for each material risk. This is where the tables below come in. Choose KRIs that are measurable, forward-looking, and tied to specific thresholds. Each KRI should have a clear owner, data source, and escalation trigger.
The principles for effective KRIs are the same whether you are tracking credit risk or carbon risk: they need to be leading indicators that predict undesirable events, not lagging metrics that confirm what already happened.
Step 4: Set thresholds and escalation rules. Green/amber/red thresholds should reflect your risk appetite statement. For example, if your board has stated a commitment to net-zero by 2050 aligned with a 1.5°C pathway, your carbon intensity KRI thresholds should be derived from that trajectory.
For compliance-related KRIs, thresholds may be binary: zero tolerance for material data breaches, 100% training completion rates.
Step 5: Integrate into board reporting. ESG KRIs should not live in a separate sustainability silo. They belong in the enterprise risk dashboard alongside financial, operational, and cybersecurity KRIs.
The ISSB’s governance pillar explicitly requires disclosure of board oversight of sustainability risks. Your KRI dashboard is the evidence of that oversight.
Environmental KRIs (16 Indicators)
Environmental indicators form the largest category in most ESG KRI frameworks, driven by the depth of regulatory requirements around GHG emissions and climate risk. These 16 KRIs cover the core disclosure areas required across all major frameworks.
| Category | KRI | Unit | Threshold Example | Regulatory Mapping |
| GHG Emissions | Scope 1 direct emissions (tCO2e) | tCO2e / year | Year-over-year reduction ≥3% | SEC, ISSB S2, CSRD, GRI 305-1, CA SB 253 |
| GHG Emissions | Scope 2 indirect emissions (tCO2e) | tCO2e / year | Aligned to 1.5°C pathway | SEC, ISSB S2, CSRD, GRI 305-2, CA SB 253 |
| GHG Emissions | Scope 3 value-chain emissions (tCO2e) | tCO2e / year | Baseline established, 2% annual reduction | ISSB S2, CSRD, GRI 305-3, CA SB 253 |
| GHG Emissions | Carbon intensity ratio | tCO2e / $M revenue | <50 tCO2e per $M revenue | SEC, ISSB S2, CSRD, GRI 305-4 |
| GHG Emissions | % emissions covered by third-party verification | % | ≥95% by Year 3 | SEC (limited assurance), CSRD, CA SB 253 |
| Climate Risk | Physical risk exposure (% assets in high-risk zones) | % | <15% of total asset value | SEC, ISSB S2 (TCFD-aligned), CSRD |
| Climate Risk | Transition risk – stranded asset value at risk | $M | Scenario-tested (1.5°C, 2°C, 4°C) | ISSB S2, CSRD, TCFD |
| Climate Risk | Internal carbon price applied to CAPEX decisions | $/tCO2e | ≥$50/tCO2e | ISSB S2, TCFD |
| Climate Risk | Climate scenario analysis completion rate | % | 100% of material business units | SEC, ISSB S2, CSRD |
| Energy | Total energy consumption (GJ) | GJ / year | 5% efficiency gain per annum | GRI 302-1, CSRD, ISSB S2 |
| Energy | Renewable energy as % of total consumption | % | ≥50% by 2030 | GRI 302-1, CSRD |
| Water & Waste | Water withdrawal in water-stressed regions | ML / year | Year-over-year reduction ≥2% | GRI 303-3, CSRD |
| Water & Waste | Waste diverted from landfill (%) | % | ≥75% | GRI 306-4, CSRD |
| Water & Waste | Hazardous waste generated (tonnes) | Tonnes / year | Zero-increase baseline | GRI 306-3, CSRD |
| Biodiversity | Operations in or adjacent to protected areas (#) | Count | 0 new operations without mitigation plan | CSRD (ESRS E4), GRI 304-1, TNFD |
| Biodiversity | Land use change / deforestation-linked procurement (%) | % | 100% deforestation-free supply chain by 2030 | CSRD (ESRS E4), EU Deforestation Reg. |
Implementation note: Scope 3 remains the most challenging metric. The ISSB proposed in April 2025 to remove certain Scope 3 sub-categories (derivatives, facilitated emissions, insurance underwriting) from S2 requirements.
For most industrial and consumer companies, the material Scope 3 categories remain purchased goods and services, transportation, and use of sold products.
Start with a Scope 3 screening using the GHG Protocol to identify your material categories before investing in detailed measurement.
For additional guidance on structuring these indicators with quantitative thresholds, see our article on KRI examples across multiple risk categories.
Social KRIs (13 Indicators)
Social KRIs cover workforce health and safety, diversity and inclusion, human rights in the supply chain, and community engagement.
These indicators are increasingly material for US companies under the SEC’s human capital management (HCM) disclosure requirements and the CSRD’s ESRS S1 (own workforce) and S2 (workers in the value chain) standards.
The EU’s Corporate Sustainability Due Diligence Directive (CS3D) adds a mandatory due diligence layer for human rights risks in global supply chains.
| Category | KRI | Unit | Threshold Example | Regulatory Mapping |
| Workforce | Total recordable incident rate (TRIR) | Per 200k hours | <1.0 | GRI 403-9, CSRD (ESRS S1), OSHA |
| Workforce | Lost-time injury frequency rate (LTIFR) | Per 1M hours | <2.0 | GRI 403-9, CSRD (ESRS S1) |
| Workforce | Employee turnover rate (%) | % | <15% voluntary turnover | GRI 401-1, CSRD (ESRS S1) |
| Workforce | Gender pay gap ratio | Ratio | ≤0.95:1.00 | GRI 405-2, CSRD (ESRS S1), SEC (HCM) |
| Workforce | % workforce covered by collective bargaining | % | Disclosed with trend | GRI 407-1, CSRD (ESRS S1) |
| Workforce | Training hours per employee per year | Hours | ≥40 hours | GRI 404-1, CSRD (ESRS S1) |
| DEI | Board gender diversity (%) | % | ≥40% underrepresented gender | SEC (Reg S-K), CSRD (ESRS S1), GRI 405-1 |
| DEI | Women in senior management (%) | % | ≥30% | GRI 405-1, CSRD (ESRS S1) |
| DEI | Ethnic/racial diversity in leadership (%) | % | Benchmark to workforce demographics | SEC (HCM), GRI 405-1 |
| Human Rights | % supply chain audited for human rights compliance | % | ≥80% tier-1 suppliers | CSRD (ESRS S2), GRI 414-1, EU CS3D |
| Human Rights | Child labor incidents in supply chain (#) | Count | Zero tolerance | GRI 408-1, CSRD (ESRS S2), EU CS3D |
| Community | Community grievances received and resolved (%) | % | ≥90% resolved within 60 days | GRI 413-1, CSRD (ESRS S1) |
| Community | Community investment as % of pre-tax profit | % | ≥1% | GRI 413-1, CSRD |
Implementation note: The gender pay gap ratio and DEI metrics are among the most scrutinized indicators by investors and rating agencies.
If your company operates in jurisdictions with pay transparency laws (several US states and the EU Pay Transparency Directive effective 2026), these KRIs double as compliance metrics.
For an integrated view of how risk management connects to overall business objectives and operational risk, consider embedding these social KRIs within your broader ERM framework.
Governance KRIs (14 Indicators)
Governance KRIs are the connective tissue between ESG risk identification and board-level accountability.
Both the ISSB (IFRS S1, Governance pillar) and the CSRD (ESRS 2, GOV-1 through GOV-5) require detailed disclosure of how sustainability risks are overseen at the board and management level. These 14 indicators provide the evidence base for those disclosures.
| Category | KRI | Unit | Threshold Example | Regulatory Mapping |
| Board | Independent directors as % of board | % | ≥60% | SEC (Reg S-K), CSRD (ESRS G1) |
| Board | Board ESG/sustainability committee existence | Yes/No | Yes, with defined charter | SEC, ISSB S1, CSRD (ESRS 2) |
| Board | Board ESG competency (% with ESG expertise) | % | ≥25% | ISSB S1, CSRD (ESRS 2) |
| Board | Frequency of board ESG risk reviews per year | Count | ≥4 per year (quarterly) | ISSB S1, CSRD (ESRS 2) |
| Ethics | Anti-corruption training completion rate (%) | % | 100% | GRI 205-2, CSRD (ESRS G1) |
| Ethics | Confirmed corruption/bribery incidents (#) | Count | Zero tolerance | GRI 205-3, CSRD (ESRS G1) |
| Ethics | Whistleblower reports received and investigated (%) | % | 100% investigated within 30 days | CSRD (ESRS G1), SEC (SOX) |
| Compliance | Regulatory fines and sanctions ($) | $ | $0 target; trend monitoring | GRI 2-27, CSRD (ESRS G1), SEC |
| Compliance | ESG data restatements (#) | Count | 0 | SEC, CSRD |
| Compliance | Lobbying and political spending alignment with stated ESG positions (%) | % | 100% alignment | GRI 415-1, CSRD (ESRS G1) |
| Supply Chain | % critical suppliers with validated ESG scores | % | ≥70% by Year 2 | CSRD (ESRS G1, S2), EU CS3D, GRI 308-1 |
| Supply Chain | Supplier ESG audit non-conformance rate (%) | % | <10% | CSRD (ESRS S2), GRI 414-2 |
| Cyber/Data | Data privacy breach incidents (#) | Count | 0 material breaches | SEC (Reg S-K Item 106), GRI 418-1 |
| Cyber/Data | % workforce completing data ethics training | % | 100% | CSRD (ESRS G1), SEC |
Implementation note: Cyber/data governance KRIs are included here because the SEC’s cybersecurity disclosure rules (Regulation S-K Item 106, effective December 2023) require description of board oversight of cybersecurity risk.
ESG and cybersecurity governance overlap substantially at the board level. For detailed guidance on cyber-specific KRIs, see our dedicated article on NIST cybersecurity key risk indicators.
Cross-Regulatory Mapping: Which KRIs Apply Under Which Framework?
Not every KRI applies under every framework. This mapping helps you prioritize based on your specific compliance obligations:
| KRI Category | SEC Rules | ISSB S1/S2 | EU CSRD | GRI | CA SB 253 |
| Scope 1 & 2 Emissions | ✓ | ✓ | ✓ | ✓ | ✓ |
| Scope 3 Emissions | – | ✓* | ✓ | ✓ | ✓ |
| Climate Scenario Analysis | ✓ | ✓ | ✓ | – | – |
| Physical / Transition Risk | ✓ | ✓ | ✓ | – | – |
| Energy & Water Metrics | – | ✓ | ✓ | ✓ | – |
| Biodiversity Indicators | – | Planned | ✓ | ✓ | – |
| Workforce H&S / DEI | ✓ (HCM) | ✓ | ✓ | ✓ | – |
| Human Rights Due Diligence | – | – | ✓ | ✓ | – |
| Board ESG Oversight | ✓ | ✓ | ✓ | ✓ | – |
| Anti-Corruption / Ethics | – | – | ✓ | ✓ | – |
| Supply Chain ESG Scores | – | – | ✓ | ✓ | – |
| Cyber / Data Privacy | ✓ | – | ✓ | ✓ | – |
* ISSB proposed in April 2025 to remove certain Scope 3 sub-categories; final amendments expected 2026.
For a comparison of the two foundational risk management standards that underpin many of these frameworks, see our analysis of COSO ERM vs. ISO 31000.
90-Day ESG KRI Implementation Roadmap
Days 1–30: Foundation
Complete a regulatory applicability assessment: list every ESG disclosure framework that applies to your entity. Conduct a materiality assessment using a double-materiality approach. Identify data owners for each material ESG risk category. Inventory existing ESG data sources and identify gaps, particularly for Scope 3, supply chain human rights, and biodiversity metrics.
Days 31–60: Design
Select 15–20 priority KRIs from the tables above (you do not need all 43 on Day 1). Define green/amber/red thresholds aligned to your risk appetite statement and stated climate targets. Assign a KRI owner for each metric. Design the data collection workflow and frequency (quarterly for most, annual for some). Build the dashboard structure, integrating ESG KRIs into your existing key risk indicators dashboard.
Days 61–90: Launch
Populate the first data cycle. Run a tabletop exercise with KRI owners to test escalation triggers and reporting workflows. Present the initial ESG KRI dashboard to the board or risk committee. Document the methodology, data sources, and limitations. Schedule a 6-month review to assess whether selected KRIs are decision-useful and whether new regulatory requirements demand additions.
Common Pitfalls to Avoid
Trying to measure everything at once. Start with KRIs that directly address your most material ESG risks and your most immediate compliance obligations. You can expand later. A focused dashboard of 15 well-measured KRIs is more valuable than 50 KRIs with spotty data.
Treating ESG KRIs as a sustainability team exercise. Effective ESG KRIs live in the risk management function, reported through enterprise risk management structures, not in a standalone CSR report. The ISSB and CSRD both require integration with financial reporting. Your ERM framework should be the home for these indicators.
Ignoring assurance requirements. The SEC rules (if they ever take effect) require limited assurance on Scope 1 and 2 data for large accelerated filers starting two years after initial compliance. The CSRD requires limited assurance from Day 1. California’s SB 253 requires third-party verification. Build assurance-readiness into your KRI data collection from the start. It is far cheaper to design for assurance than to retrofit later.
Forgetting about financial KRI integration. ESG risks have direct financial consequences: carbon pricing affects operating costs, physical climate risk affects asset valuations, social license failures affect revenue. Link your ESG KRIs to financial risk indicators so the board sees the full picture.
What to Watch: Regulatory Developments in 2026 and Beyond
The Eighth Circuit’s eventual decision on the SEC climate rules will set the legal boundary for federal disclosure mandates. Watch for whether the Commission takes action to formally rescind the rules or whether the litigation continues indefinitely.
The EU’s simplified ESRS standards are expected around mid-2026, which will clarify exactly what data points are required for companies still in CSRD scope. The ISSB is working on nature-related disclosure standards (building on the TNFD) and amendments to SASB industry-specific standards, with publication expected through 2026. California’s SB 253 begins its first reporting cycle in 2026 and CARB is developing detailed compliance checklists.
For risk professionals, the message is clear: even in a fragmented regulatory environment, the direction of travel is toward more standardized, more quantitative, and more assured ESG disclosure. Building a robust KRI framework now positions your organization to comply efficiently regardless of which regulatory requirements crystallize. For ongoing updates on risk management frameworks and KRI development, explore our full library at riskpublishing.com.
Your Next Step
Download this framework and use it as your starting template. Identify the 15–20 KRIs most material to your company, set your thresholds, assign ownership, and build your first ESG KRI dashboard. If you are already running KRI programs for operational or financial risk, you have the infrastructure. ESG is the extension, not a rebuild.
For more practitioner content on enterprise risk management, business continuity, and KRI development, visit riskpublishing.com. For risk register templates and implementation tools, see our guide on key elements of a risk register.
References and External Sources
• SEC Climate Disclosure Rules (March 2024)
• SEC Press Release: Votes to End Defense of Climate Rules (March 2025)
• ISSB Standards (IFRS S1 and S2)
• ISSB Adoption Tracker – S&P Global
• EU CSRD – European Commission
• California SB 253 and SB 261
• GHG Protocol – Corporate Standard
• ISO 31000:2018 Risk Management Guidelines
• Taskforce on Nature-related Financial Disclosures (TNFD)
• Harvard Law Forum: 2025 Sustainability Reporting Trends
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.