The fuzzy math behind the Scope 1, Scope 2 and especially Scope 3 Emission disclosures, as well as the anticipated investment required from public companies to comply with climate risk disclosures makes ESG look like SOX 2.0. Apply the lessons learned from SOX 404 and leverage an enterprise risk management framework to drive a more effective ESG disclosure process.  

SEC Climate-Risk Disclosure - ERM Exchange


The SEC’s proposed rule change regarding climate risk disclosure, issued in March 2022, has been met with a fair amount of skepticism.  As is typical with such proposals, the SEC is seeking comments on the proposal, giving “issuers” (a.k.a., public companies) and other interested parties – including the public accounting and legal services professions, various industry peer groups, public companies and just about anyone else – approximately 60 days to respond with thoughtful comments either “for” or “against” the rule change, as well as suggestions to improve the proposal. 

The SEC subsequently extended the public comment period another month, to June 17, 2022.  No wonder – the proposed rule change is 490 pages in length…and not an easy read, particularly when you get into the Greenhouse Gas (“GHG”) emission and materiality disclosure requirements. 

It strikes me as overtly unfair for the SEC to expect thoughtful comments on an esoteric subject regarding burdensome regulatory reporting within such a short period of time. 


When reading through the SEC’s ESG proposal, the analogies to the issuance of the Sarbanes-Oxley Act in August 2002 were striking. 

  • Hastily established rule? Check.
  • Politically motivated? Check. (At least the SOX Act had widespread public support.)
  • Burdensome and costly compliance regulation? Check.
  • Substantial skepticism from the business community regarding the value of such reporting? Check.
  • Inadequate processes and systems to comply with the proposed regulation? Check.

Similar to SOX 404, the cost of compliance with climate risk disclosures is likely to be substantial…assuming you surpass the materiality thresholds for disclosure.  Why?  There are several factors to consider.


Identifying and gathering the associated data to report GHG emissions is something very few US-based organizations have undertaken.  The SEC’s proposed rule contemplates “direct” and “indirect” emissions of greenhouse gases expressed in metric tons of carbon dioxide equivalent (CO2e). Such emissions are expressed in three categories – Scope 1, 2 and 3.  

  • Direct emissions are generated from operations that are owned or controlled by the enterprise.  These are known as Scope 1 Emissions. 
  • Indirect emissions are generated by vendors who supply electricity, steam, heat and cooling to the enterprise.  These are known as Scope 2 Emissions. 
  • And there is a third category, known as Scope 3 Emissions, that relates to all other indirect sources from an enterprise’s value chain…think of these as “indirect-indirects”.  Remember the expression “fuzzy math”?  This will become a big data challenge. 

All of this data will require validation for accuracy, completeness and timeliness.  First, the information must be gathered and validated by management.  Once management is satisfied with its validity, the independent accounting firms that audit public companies must then validate the data’s accuracy, completeness and timeliness which adds to audit and compliance costs.  

Fortunately, the SEC is pointing public companies to an established framework to aid in gathering and reporting such information, specifically the Task Force on Climate-Related Financial Disclosures (“TCFD”) Framework which was created by the Financial Stability Board.  Regardless, the devil will be in the details – it always is.


Initial compliance with SOX 404 was a significant and costly burden for public companies to adopt…and many argue the costly burden continues.  Most public companies – both large and small – were not ready for such an undertaking. 

SOX 404 related to external financial reporting disclosure controls and procedures when issuing annual financial statements to investors and the public.  However, with the SEC’s ESG disclosure proposal, issuers may be forced to evaluate the design and operating effectiveness of internal controls which ensure complete, accurate, timely and authorized reporting of the operational and financial data used to report GHG emissions.

While it is possible some of these internal controls are incorporated in management’s evaluation of internal controls over external financial reporting (“ICOEFR”) for SOX 404 purposes, it is likely that many of these controls have never been fully evaluated and therefore may not be sufficiently designed or operating effectively.  This lack of readiness is analogous to the multiple delays in enforcing SOX 404 between 2002 and 2004, as well as the record number of reported “material weaknesses” in internal control throughout the 2004, 2005 and 2006 reporting periods.  It took several years for large, sophisticated companies to adapt to the regulatory burden of SOX 404…smaller public companies required even more time.

Designing, developing, instituting, and operating internal control procedures to ensure the complete, accurate, timely and authorized reporting of operational and financial data to report GHG emissions will take time…probably a lot of time when you add the need to document and test climate-related disclosure controls.


The SEC’s proposed rule is explicit in expecting issuers to provide “robust and company-specific disclosures” on climate-related risks.  The SEC’s proposal provides a number of examples of how to apply an assessment of risk across various industries, including –  

  • An agricultural producer or distributor might disclose the likely impacts of drought on its own product mix or that of its suppliers, including increased expenses for additional water or due to the procurement of alternative product sources.
  • A mining company that operates in areas susceptible to extreme rise in temperatures might disclose the likely impacts that this temperature rise has on its workforce and on its production schedule, including a reduction in output and future earning capacity.
  • A real estate company that owns coastal property might disclose the likely impacts of rising sea levels on such property, including the potential diminution in value of, and a potential change in its strategy and outlook regarding such properties.
  • An oil company might determine that a likely change in demand for fossil fuel-based products would require it to modify its business model or alter its product mix to emphasize advanced diesel gas and biofuels in order to maintain or increase its earning capacity.
  • An electric utilities company might disclose an increase in the amount of electricity generated from less carbon-intensive sources, such as wind turbines, nuclear, hydroelectric, or solar power, to meet current or likely regulatory constraints.

A number of other thoughtful examples are provided throughout the SEC’s proposal.  The use of each of these examples implicitly describes the cause and effects of climate-related risks that should be contemplated by management and affirmed by the Board through a designated committee. 


However, perhaps more importantly, the proposal explicitly describes how climate-related risks should be incorporated into the enterprise-wide risk management process.  Specifically, the proposal requires the disclosure of how the enterprise –

  • determines the relative significance of climate-related risks as compared to other risks
  • considers existing or likely regulatory requirements or policies to identify climate-related risks
  • considers shifts in customer preferences, technological changes, or changes in market prices and their impact on risks
  • determines the materiality of climate-related risks, including size and scope
  • decides whether to mitigate, accept, or adapt to particular risks
  • addresses and prioritizes mitigating actions to reduce climate-related risks, including the use of insurance products, the reallocation of capital and other business strategies

How is ERM Related to ESG Disclosures (SOX 2.0)?

Essentially, the proposal requires major components of an Enterprise Risk Management program to help investors evaluate whether a company has implemented adequate processes for identifying, assessing and managing climate-related risks so that an individual investor can make better investment and voting decisions.

Many large, multinational public companies have established formal Enterprise Risk Management Programs.  However, many mid-cap and smaller public companies have neither formally nor informally established such programs.  And this becomes another reason many mid-cap and smaller public companies have difficulty accepting the burden of the SEC’s climate risk disclosure proposal – most especially the time and cost to get it right.

How to Get Started on ESG Regulatory Compliance 

Let’s assume the SEC’s climate-related disclosure proposal becomes a regulatory requirement similar to its present form. If so, here are three suggestions for getting started: 

  1. Read the Task Force on Climate-Related Financial Disclosures (TCFD) Framework document and begin to think about its use by your industry, as well as your company.
  2. Dust off your copy of COSO’s Internal Control – Integrated Framework document, which has been used for SOX 404, and begin to consider how your enterprise will apply its Principles and Points of Focus to your climate-related operations and reporting.
  3. Consider how your Enterprise Risk Management program will absorb climate-related matters as a Top 10 Risk.
