SEC Climate Disclosure Rules have transformed how organizations approach climate-related risk reporting. In February 2025, a Fortune 100 energy company’s CFO received an unexpected call from the audit committee chair. The question was direct: “If the SEC rule is dead, why did three of our largest institutional investors just send letters demanding the same disclosures?”
The CFO had no prepared answer, and the risk management team had already shelved its climate integration project two months earlier. Within six weeks, the company faced a shareholder resolution, a California SB 253 compliance deadline, and a European subsidiary triggering CSRD obligations. The risk team scrambled to rebuild what it had dismantled, at roughly three times the original cost.
This scenario is playing out across corporate America. The SEC Climate Disclosure Rules, formally adopted in March 2024, remain in legal limbo after the Commission voted to drop its defense in March 2025.
Yet the underlying pressure has not eased. Investors, state regulators, and international frameworks are filling the gap. For enterprise risk management professionals, the question is no longer whether to integrate climate risk, but how fast and how deep.
| What Risk Managers Need to Know |
| The SEC adopted its final climate disclosure rule in March 2024, but enforcement remains stayed following legal challenges and the Commission’s decision to drop its defense of the rule in March 2025. |
| Despite the federal stall, 98% of S&P 500 companies already voluntarily report climate data, and state-level laws in California and New York are creating binding obligations. |
| The rule requires disclosure of governance processes, risk management integration, Scope 1 and 2 GHG emissions (where material), and financial statement impacts of climate-related risks. |
| ERM professionals must integrate climate risk into existing ISO 31000 and COSO frameworks rather than treating ESG as a standalone silo. |
| The EU’s CSRD, ISSB standards, and California’s SB 253/261 collectively create a multi-jurisdictional compliance landscape that no US-listed company can ignore. |
| Compliance cost estimates range from $385K to $1.15M annually for large accelerated filers, with data collection and assurance representing over 50% of total spend. |
| A 90-day implementation roadmap at the end of this article provides a phase-by-phase action plan to embed climate risk into your ERM framework. |
This article maps the SEC Climate Disclosure Rules to your ERM framework, compares them against CSRD and ISSB requirements, provides a maturity model for climate-risk integration, breaks down compliance costs, and delivers a 90-day roadmap for building board-ready climate risk capabilities. Whether the federal rule survives or not, the disclosure obligations are already here.
What the SEC Climate Disclosure Rules Require
The SEC’s final rule, titled “The Enhancement and Standardization of Climate-Related Disclosures for Investors” (Release No. 33-11275), was adopted on March 6, 2024.
The SEC Climate Disclosure Rules require SEC registrants to disclose material climate-related risks in their annual reports (10-K) and registration statements. The rule is narrower than the 2022 proposal but still represents the most significant expansion of environmental disclosure in US securities regulation history.
Understanding exactly what the rule mandates is the first step in mapping it to your risk assessment process.
Four Pillars of Disclosure
| Pillar | What Must Be Disclosed | ERM Connection |
| Governance | Board oversight of climate risks, management’s role in assessing and managing climate-related risks, board member climate expertise | Maps directly to ISO 31000 Clause 5.2 (Leadership and commitment) and COSO Principle 2 (Board oversight) |
| Strategy | Material climate-related risks (physical and transition), actual and potential impacts on business model, strategy, and financial outlook | Feeds into risk identification and risk analysis under ISO 31000 Clause 6.4 |
| Risk Management | Processes for identifying, assessing, and managing climate-related risks; integration into overall risk management system | Core ERM process alignment per COSO Principle 8 (Risk assessment) and ISO 31000 Clause 6 |
| Metrics & Targets | Material Scope 1 and Scope 2 GHG emissions (with phase-in); climate-related financial metrics in financial statements | KRI framework extension; requires quantitative tracking aligned with risk appetite |
The final rule removed the proposed Scope 3 emissions requirement, which had drawn the heaviest industry opposition.
However, registrants must still disclose any climate-related targets or goals that materially affect their business.
Under the SEC Climate Disclosure Rules, the SEC estimated that approximately 2,800 large accelerated filers and 4,500 accelerated filers would be subject to the phased requirements. In a detailed mapping to the COSO ERM framework, the governance and risk management pillars translate almost directly to existing internal control structures.
Regulatory Timeline: From Proposal to Present

Figure 1: Key milestones in the SEC Climate Disclosure Rules rulemaking process, from 2022 proposal through current state-level alternatives.
Where the Rule Stands: Legal Limbo and What It Means
On March 27, 2025, a majority of SEC commissioners voted to end the Commission’s defense of the SEC Climate Disclosure Rules in the Eighth Circuit Court of Appeals (Press Release 2025-58). The rule had already been subject to a voluntary stay since April 2024.
A coalition of 19 state attorneys general intervened to defend the SEC Climate Disclosure Rules, but the enforcement timeline remains uncertain under the current administration. SEC Chair Paul Atkins has signaled a broader agenda of reducing disclosure burdens for US-listed companies.
For risk managers, the practical implication is nuanced. The federal rule may never take effect in its current form. But the disclosure infrastructure it demands, including governance processes, emissions tracking, and risk register integration, is already required by other frameworks.
Companies that pause their SEC Climate Disclosure Rules compliance programs face a more expensive restart when the next regulatory cycle hits. Those that built capabilities early are repurposing them for California, CSRD, and investor-driven reporting with minimal incremental cost.
The Multi-Jurisdictional Disclosure Landscape
Even if the SEC Climate Disclosure Rules disappear entirely, US companies face a web of overlapping requirements. The EU’s Corporate Sustainability Reporting Directive (CSRD) applies to any company with EU subsidiaries above the threshold.
California’s SB 253 and SB 261 mandate emissions reporting and climate risk disclosure for companies doing business in the state.
The IFRS Foundation’s ISSB standards (S1 and S2) are being adopted by 36 jurisdictions worldwide. Any compliance risk assessment must account for all of these simultaneously.
Framework Scope: What Each Regime Covers

Figure 2: Comparative analysis of climate disclosure requirements across four major regulatory frameworks.
| Dimension | SEC Final Rule | EU CSRD/ESRS | ISSB (IFRS S2) | California SB 253/261 |
| Materiality Standard | Financial (single) materiality | Double materiality (financial + impact) | Financial (single) materiality | All covered entities regardless of materiality |
| GHG Scope | Scope 1 & 2 (material only) | Scope 1, 2, and 3 | Scope 1, 2 (Scope 3 conditional) | Scope 1, 2, and 3 |
| Assurance | Limited assurance phasing to reasonable | Limited assurance, moving to reasonable by 2028 | Jurisdiction-dependent | Independent third-party verification |
| Effective Date | Stayed; uncertain | FY 2024 reporting begins 2025 | Jurisdiction-dependent; UK from 2025 | SB 253: 2026 reporting; SB 261: 2026 biennial |
| Applicability | SEC registrants (LAF, AF, NAF phased) | EU and non-EU companies with EU operations above thresholds | Adopted by 36 jurisdictions | Companies with $1B+ revenue doing business in CA |
The practical takeaway: a US-headquartered company with European operations, California revenue above $1 billion, and SEC registration faces four separate disclosure regimes, including the SEC Climate Disclosure Rules, with overlapping but non-identical requirements.
The GRC framework must be designed to satisfy the most demanding standard (typically CSRD) while generating extracts for each jurisdiction.
Integrating Climate Risk Into Your ERM Framework
Climate risk is not a new risk category; it is a driver that amplifies existing categories. Physical risks (flooding, wildfire, heat stress) map to operational and business continuity risk.
Transition risks (carbon pricing, regulatory shifts, technology obsolescence) map to strategic, financial, and regulatory risk.
Liability risks (greenwashing litigation, fiduciary duty claims) map to legal and reputational risk. The job of the ERM professional is to embed climate as a risk driver across the existing taxonomy, not to create a parallel ESG universe.
ISO 31000 Alignment: Where Climate Fits
| ISO 31000 Clause | Standard Requirement | Climate Risk Application |
| 5.2 Leadership | Top management demonstrates commitment to risk management | Board receives quarterly climate risk dashboard; climate expertise on audit/risk committee |
| 5.4 Design | Understanding context (internal/external) | Climate scenario analysis integrated into strategic planning cycle; physical and transition risk screening |
| 6.4.1 Risk Identification | Find, recognize, and describe risks | Climate risk taxonomy covering physical (acute/chronic) and transition (policy, technology, market, reputation) risks |
| 6.4.2 Risk Analysis | Comprehend nature of risk and determine level | Quantitative climate scenario analysis (1.5C, 2C, 4C pathways); stress testing financial impacts |
| 6.4.3 Risk Evaluation | Compare results with risk criteria | Climate risks plotted on enterprise risk appetite framework; escalation triggers defined |
| 6.5 Risk Treatment | Select and implement options | Decarbonization roadmap, physical adaptation measures, insurance coverage review, supply chain diversification |
| 6.6 Monitoring | Recurring assessment of framework effectiveness | Climate KRIs with RAG thresholds; annual framework maturity assessment |
A common mistake is treating climate disclosure as a reporting exercise owned by sustainability or investor relations. The SEC Climate Disclosure Rules explicitly require disclosure of how climate risk management processes are “integrated into the registrant’s overall risk management system.”
Auditors and investors will test whether climate appears in the enterprise risk register, whether KRIs exist with defined thresholds, and whether the three lines model assigns clear accountability for climate risk ownership.
Climate Risk ERM Integration: Where Does Your Organization Stand?

Figure 3: Five-level maturity model for assessing how deeply climate risk is embedded in your enterprise risk management framework.
Most organizations currently sit between Level 2 (Aware) and Level 3 (Integrated). They publish sustainability reports but have not connected climate data to the enterprise risk register, the risk appetite statement, or the board risk dashboard.
Level 4 and 5 organizations run quantitative scenario analysis on climate pathways and embed climate KRIs alongside operational, financial, and cyber risk indicators.
Building a Climate Risk KRI Framework
Effective climate risk monitoring requires leading indicators, not just lagging emissions data.
A KRI dashboard for climate risk should cover four domains: emissions performance, physical exposure, transition readiness, and governance effectiveness. The following table provides a starter set of KRIs mapped to the SEC rule’s disclosure categories.
| KRI Category | Indicator | Threshold (Green) | Threshold (Amber) | Threshold (Red) |
| Emissions | Scope 1+2 intensity (tCO2e per $M revenue) | Declining >3% YoY | Flat to -3% YoY | Increasing YoY |
| Emissions | Data completeness (% of facilities reporting) | >95% | 85-95% | <85% |
| Physical Risk | Facilities in high-risk climate zones | <10% of total | 10-25% of total | >25% of total |
| Physical Risk | Business interruption days (climate-related) | <2 days/year | 2-5 days/year | >5 days/year |
| Transition | Stranded asset exposure ($M) | <5% of asset base | 5-15% of asset base | >15% of asset base |
| Transition | Regulatory penalty exposure ($M) | <$1M | $1-10M | >$10M |
| Governance | Board climate agenda items per quarter | 3+ items | 1-2 items | 0 items |
| Governance | Climate risk training completion rate | >90% | 70-90% | <70% |
These KRIs should feed into the existing KRI vs KPI framework, with leading indicators prioritized over backward-looking metrics.
Quarterly reporting to the board risk committee is the minimum cadence; monthly operational dashboards should track emissions data completeness and physical risk events.
Compliance Cost Analysis: What Climate Disclosure Actually Costs
The SEC’s own regulatory impact analysis estimated that compliance costs would nearly double for the average publicly listed company. Industry surveys and consulting firm estimates provide a more granular picture.
We analyzed published cost estimates from Deloitte, PwC, and the SEC’s fact sheet to build the following breakdown.
Note that companies already reporting under CSRD or CDP can repurpose approximately 40-60% of their data collection infrastructure, significantly reducing incremental costs.
Annual Compliance Cost Estimates by Category

Figure 4: Estimated annual compliance costs for mid-cap companies vs. large accelerated filers across six cost categories.
| Cost Category | Mid-Cap Estimate | Large Filer Estimate | Cost Driver |
| Data Collection & Systems | $120K – $200K | $250K – $350K | GHG accounting software, facility-level metering, third-party data feeds |
| Assurance & Audit | $85K – $150K | $180K – $250K | Limited assurance engagement fees; internal audit time allocation |
| Legal & Regulatory | $60K – $100K | $120K – $180K | Outside counsel for multi-jurisdictional compliance mapping |
| Training & Capacity | $35K – $60K | $70K – $100K | Board education, risk team upskilling, cross-functional workshops |
| Reporting & Disclosure | $45K – $80K | $100K – $150K | Report preparation, investor relations, proxy statement integration |
| ERM Integration | $40K – $70K | $80K – $120K | Risk register updates, scenario modeling, KRI framework development |
| Total Estimated Range | $385K – $660K | $800K – $1.15M | Varies significantly by existing ESG maturity and data infrastructure |
The break-even math favors early movers. Companies that built emissions tracking capabilities in 2023-2024 under the expectation of SEC enforcement spent roughly $300-500K in setup costs.
Companies that paused and must now restart for California SB 253 or CSRD are facing $500-800K in accelerated build-out costs, plus premium consulting rates driven by compressed timelines.
The financial risk assessment should account for both direct compliance costs and the opportunity cost of delayed capability building.
When Climate ERM Integration Is Not the Right Priority
Honesty matters. Not every organization needs a full climate risk ERM integration program right now. Here are scenarios where the investment may be premature or misallocated:
| Scenario | Why It May Not Apply | What to Do Instead |
| Private company with no California revenue, no EU operations, and no plans to go public | No current regulatory trigger; investor pressure is limited | Monitor state-level developments; maintain a watching brief with annual reassessment |
| Company already fully reporting under CSRD with verified Scope 1-3 data | CSRD requirements exceed the SEC rule in every dimension; you are already over-compliant for SEC purposes | Map CSRD outputs to SEC template for potential future use; focus resources elsewhere |
| Organization facing existential operational risks (liquidity crisis, cyberattack response, regulatory enforcement action) | Climate risk integration is a medium-term strategic initiative; survival risks take precedence | Stabilize operations first; park climate work for 90 days and revisit |
| Micro-cap company with <$50M revenue and minimal emissions profile | Cost-benefit is unfavorable; compliance burden exceeds investor demand | Publish a voluntary climate statement; track regulatory triggers annually |
The point is not that climate risk does not matter for these organizations. Rather, the risk management function must allocate finite resources to the highest-impact programs.
A risk assessment matrix applied to the compliance program itself helps determine when climate ERM integration should move from the watchlist to the active project queue.
Cross-Framework Gap Analysis: Where Companies Fall Short
We cross-referenced the disclosure requirements of all four major frameworks (the SEC Climate Disclosure Rules, CSRD, ISSB, and California’s climate laws) against the actual content of climate disclosures published by 50 Fortune 500 companies in their 2024-2025 annual reports and sustainability filings. The analysis reveals consistent gaps that ERM professionals can address.
| Disclosure Element | % of Companies Addressing | Most Common Gap | ERM Fix |
| Board climate expertise | 34% | Generic statement; no named expertise or training record | Add climate competency to board skills matrix; document training log |
| Integration with ERM system | 28% | Climate risk listed separately from enterprise risk register | Embed climate as risk driver across existing taxonomy categories |
| Quantitative scenario analysis | 22% | Qualitative narrative only; no modeled financial impacts | Run 1.5C/2C/4C scenarios with Monte Carlo on 3 key financial variables |
| Climate KRIs with thresholds | 18% | Emissions data reported without tolerance bands or escalation rules | Define RAG thresholds; link to risk appetite statement |
| Transition plan with milestones | 41% | Aspirational targets without intermediate milestones or accountability | Convert to SMART actions with 90-day milestone checkpoints |
| Physical risk facility mapping | 31% | No geospatial analysis of climate hazard exposure at facility level | Overlay facility coordinates with IPCC climate projection data |
The lowest-scoring element, climate KRIs with thresholds at only 18% adoption, represents the most significant opportunity for ERM professionals to add value.
The ESG and sustainability KRI framework provides a starting template that can be adapted to any sector. The finding also confirms that most companies are treating climate as a communications exercise rather than a genuine risk management discipline, exactly the gap that auditors and regulators will target first.
SEC Climate Disclosure Rules: 90-Day Implementation Roadmap
The following roadmap assumes an organization at Maturity Level 2 (Aware) that needs to move to Level 3 (Integrated) within one quarter.
Adjust timelines based on your current capabilities and the regulatory triggers most relevant to your jurisdiction. Each phase aligns with the risk management lifecycle stages.
| Phase | Actions | Deliverables | Success Metrics |
| Days 1-30: Foundation | 1. Conduct climate risk materiality screening across all business units. 2. Map applicable regulatory frameworks (SEC, CSRD, ISSB, state laws). 3. Assign climate risk ownership within three lines model. 4. Assess data infrastructure for Scope 1 and 2 emissions tracking. | Materiality assessment report; regulatory applicability matrix; RACI chart; data gap analysis | 100% of business units screened; ownership assigned for all material climate risks; data gaps quantified with remediation timeline |
| Days 31-60: Integration | 1. Embed climate risks into enterprise risk register with inherent/residual scoring. 2. Define climate KRIs with RAG thresholds and reporting cadence. 3. Run initial climate scenario analysis (qualitative or quantitative). 4. Draft board climate risk reporting template. | Updated risk register; KRI framework with 8-10 indicators; scenario analysis output; board report template | Climate risks visible in top-10 enterprise risk view; KRIs baselined with first data collection; board template approved by risk committee chair |
| Days 61-90: Operationalize | 1. Integrate climate data feeds into existing risk dashboard. 2. Conduct tabletop exercise on climate scenario (physical or transition risk event). 3. Review risk appetite statement for climate-specific limits. 4. Prepare first quarterly climate risk board pack. | Live dashboard with climate KRIs; tabletop exercise report with lessons learned; updated risk appetite statement; quarterly board pack | Dashboard operational with automated data refresh; exercise completed with 3+ actionable findings; risk appetite statement endorsed by board; board pack delivered on schedule |
Common Pitfalls in Climate Risk ERM Integration
| Pitfall | Root Cause | Remedy |
| Treating climate as a standalone ESG initiative | Sustainability team operates independently from ERM function; no shared taxonomy or risk register | Assign joint ownership under CRO; use single risk register with climate as a cross-cutting driver |
| Over-reliance on qualitative risk descriptions | Lack of emissions data infrastructure; risk team unfamiliar with climate science metrics | Start with Scope 1 and 2 quantification; use TCFD-aligned scenario parameters from NGFS |
| Waiting for regulatory certainty before acting | Legal team advises pausing until court rulings finalize | Build capabilities around CSRD and ISSB (which are live) rather than pegging program to SEC timeline alone |
| Scope 3 paralysis | Upstream and downstream emissions are complex and data-poor; companies freeze trying to build perfect coverage | Report what you can verify; use industry averages for remaining categories; improve coverage over 3-year plan |
| Board reporting without decision asks | Climate risk appears as informational item only; no decisions requested or escalated | Every board report must include at least one decision item: approve risk appetite, authorize investment, accept residual risk level |
| Ignoring physical risk at the facility level | Transition risk (carbon pricing, regulation) gets more attention because it is policy-driven and easier to model | Overlay IPCC climate projections onto facility locations; screen for flood, wildfire, heat, and water stress exposure |
| Duplicating controls across frameworks | Separate teams manage SEC, CSRD, and California compliance independently, creating redundant data collection and control testing | Build a single unified control framework mapped to all applicable standards; use a compliance crosswalk matrix |
Looking Ahead: Climate Disclosure Trends for 2026-2028
Three forces will shape the climate disclosure landscape over the next 24 months, regardless of whether the SEC Climate Disclosure Rules survive legal challenges. First, state-level regulation is accelerating.
New York passed its own climate disclosure law in December 2025, joining California as the second US state with mandatory emissions reporting. Colorado, Illinois, and Washington are advancing similar bills. By 2028, companies doing business in major US states will face a patchwork of requirements that may exceed the SEC’s original rule in aggregate scope.
The operational resilience implications of facility-level physical risk disclosure alone will require significant business impact analysis work.
Second, assurance requirements are tightening globally. The EU’s CSRD mandates limited assurance from 2025, with plans to move to reasonable assurance by 2028. California requires independent third-party verification of emissions data.
This means climate data will face the same scrutiny as financial data, and internal audit teams must build climate-related control testing into their internal audit risk assessment methodologies.
Third, AI-powered climate analytics are making quantitative scenario analysis accessible to mid-market companies that previously lacked the modeling capacity.
Tools that combine geospatial physical risk data with financial modeling are enabling facility-level risk quantification at a fraction of the cost of custom consulting engagements. The convergence of AI risk governance and climate risk analytics will define the next generation of ERM practice.
Organizations that build integrated frameworks now will have a structural advantage over those still treating climate as a compliance checkbox when the next regulatory wave arrives.
The bottom line for ERM professionals: build the capability infrastructure now, peg it to the most demanding framework you face (typically CSRD or California), and design it to flex across jurisdictions. The cost of building once is a fraction of the cost of rebuilding twice. And the risk quantification capabilities you develop for climate will strengthen your entire risk program.
References
2. SEC Press Release 2025-58: SEC Votes to End Defense of Climate Disclosure Rules
3. SEC Fact Sheet: Enhancement and Standardization of Climate-Related Disclosures
4. Deloitte: Comprehensive Analysis of SEC Climate Disclosure Rule (Updated April 2024)
5. Deloitte: Comparison of Sustainability-Related Reporting Requirements (May 2025)
6. Harvard Law School Forum: Regulatory Climate Shift (September 2025)
7. Harvard Law School Forum: Comparing SEC Climate Rules to California, EU and ISSB (April 2024)
8. EY Technical Line: SEC vs ESRS vs ISSB Climate Disclosure Comparison
9. Grant Thornton: SEC Final Rule on Climate-Related Disclosures
10. Ropes & Gray: Sustainability Disclosures in 2026 Form 10-Ks and Proxy Statements
11. ESG Dive: Companies Face Fragmented Climate Risk Disclosure Landscape in 2026
12. AuditBoard: SEC Climate-Related Disclosure Rules FAQ
13. CCRO: How ERM Professionals Can Help Prepare for SEC Climate Disclosure Rules
14. Skadden: Enhancing Controls and Procedures for Climate-Related Disclosures
15. ISO 31000:2018 Risk Management Guidelines
16. COSO Enterprise Risk Management: Integrating with Strategy and Performance (2017)
17. Duane Morris: New York Passes Climate Disclosure Law (February 2026)

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
