The landscape of climate disclosure for businesses in the United States has become more complex in recent months. While the Securities and Exchange Commission (SEC) recently adopted final rules standardizing climate-related disclosures for public companies, these regulations take a different approach to Scope 3 emissions reporting compared to California’s recently enacted requirements.

The SEC’s new rules mandate disclosures on material climate risks and require large accelerated filers (LAFs) and accelerated filers (AFs) to report on Scope 1 and 2 emissions with independent assurance. Notably, however, the SEC eliminated mandatory Scope 3 reporting for most companies, unlike California’s SB 253 which requires disclosure of all three Scopes for large businesses operating in the state with over $1 billion in revenue.

Legal challenges arose almost immediately from both sides of the issue – some argue the SEC’s final rule is beyond the Commission’s mandate, while others believe the final rule does not go far enough. Wisely, the SEC chose to stay its final rule to avoid regulatory uncertainty until the US Court of Appeals, and possibly the Supreme Court, figures this out. However, ESG disclosure pundits caution that climate disclosure is here to stay, one way or another, and that ignoring the reporting challenges associated with ESG would NOT be wise.

The fuzzy math behind the Scope 1, Scope 2 and especially Scope 3 emission disclosures, as well as the anticipated investment required from public companies to comply with mandatory climate risk disclosures, makes ESG look like SOX 2.0. Apply the lessons learned from SOX 404 and leverage an enterprise risk management framework to drive a more effective ESG disclosure process.


Since the SEC issued its proposed rule regarding mandatory climate risk disclosure in March 2022, the rule has been met with a fair amount of skepticism. As is typical with such proposals, the SEC sought comments on its proposal, giving “issuers” (a.k.a., public companies) and other interested parties – including the public accounting and legal services professions, various industry peer groups, public companies and just about anyone else – approximately 60 days to respond with thoughtful comments either “for” or “against” the rule change, as well as suggestions to improve the proposal. The SEC subsequently extended the public comment period another month to June 17, 2022. No wonder – the PROPOSED rule change was 490 pages in length and the FINAL rule is NEARLY 900 pages…and not an easy read, particularly when you get into Greenhouse Gas (“GHG”) emission and materiality disclosure requirements.

It continues to strike me as overtly unfair for the SEC to expect thoughtful, accurate, and materially complete disclosure on an esoteric subject regarding burdensome regulatory reporting for certain large companies (a.k.a., large accelerated filers) by 2025 and other companies (a.k.a., non-accelerated filers) by 2026 without significant effort and cost…assuming the legal challenges are resolved relatively soon.


When reading through the SEC’s ESG final rule, the analogies to the issuance of the Sarbanes-Oxley Act in August 2002 were striking.

  • Hastily established rule? Check.
  • Politically motivated? Check (At least the SOX Act had widespread public support.)
  • Burdensome and costly compliance regulation? Check
  • Substantial skepticism from the business community regarding the value of such reporting? Check
  • Inadequate processes and systems to comply with the proposed regulation? Check

Similar to SOX 404, the cost of compliance with mandatory climate risk disclosures is likely to be substantial…assuming you surpass the materiality thresholds for disclosure. Why? There are several factors to consider.


Identifying and gathering the associated data to report GHG emissions is something very few US-based organizations have undertaken. The SEC’s final rule contemplates “direct” and “indirect” emissions of greenhouse gases expressed in metric tons of carbon dioxide equivalent (CO2e). Such emissions are expressed in three categories – Scope 1, 2 and 3.

  • Direct emissions are generated from operations that are owned or controlled by the enterprise. These are known as Scope 1 Emissions.
  • Indirect emissions are generated by vendors who supply electricity, steam, heat and cooling to the enterprise. These are known as Scope 2 Emissions.
  • The third category, known as Scope 3 Emissions, relates to all other indirect sources from an enterprise’s value chain…think of these as “indirect-indirects”. Remember the expression “fuzzy math”? This will become a big data challenge.

While Scope 3 emission disclosures have been removed from the SEC’s final rule, Scope 3 emissions are required by California’s ESG disclosure requirements and cannot be ignored for organizations subject to California’s law.

All of this data will require validation for accuracy, completeness and timeliness. First, the information must be gathered and validated by management. Once management is satisfied with its validity, the independent accounting firms that audit public companies must then validate the data’s accuracy, completeness and timeliness, which adds to audit and compliance costs.

Fortunately, the SEC is pointing public companies to an established framework to aid in gathering and reporting such information, specifically the Task Force on Climate-Related Financial Disclosures (“TCFD”) Framework which was created by the Financial Stability Board. Regardless, the devil will be in the details – it always is.


Initial compliance with SOX 404 was a significant and costly burden for public companies to adopt…and many argue the costly burden continues. Most public companies – both large and small – were not ready for such an undertaking.

SOX 404 related to external financial reporting disclosure controls and procedures when issuing annual financial statements to investors and the public. However, with the SEC’s ESG disclosure ruling, issuers will very likely be forced to evaluate the design and operating effectiveness of internal controls which ensure complete, accurate, timely and authorized reporting of operational and financial data used to report GHG emissions.

While it is possible some of these internal controls are incorporated in management’s evaluation of internal controls over external financial reporting (“ICOEFR”) for SOX 404 purposes, it is likely that many of these controls have never been fully evaluated and therefore may not be sufficiently designed or operating effectively. This lack of readiness is analogous to the multiple delays in enforcing SOX 404 between 2002 and 2004, as well as the record number of reported “material weaknesses” in internal control throughout the 2004, 2005 and 2006 reporting periods. It took several years for large, sophisticated companies to adapt to the regulatory burden of SOX 404…smaller public companies required even more time.

Designing, developing, instituting, and operating internal control procedures to ensure the complete, accurate, timely and authorized reporting of operational and financial data to report GHG emissions will take time…probably a lot of time when you add the need to document and test climate-related disclosure controls.


The SEC’s final rule softened the language in the proposed rule to include processes for “identifying, assessing, and managing material climate-related risks.” However, it may continue to be beneficial to consider the examples appearing in the SEC’s proposal, which apply an assessment of risk across various industries including –

  • An agricultural producer or distributor might disclose the likely impacts of drought on its own product mix or that of its suppliers, including increased expenses for additional water or due to the procurement of alternative product sources.
  • A mining company that operates in areas susceptible to extreme rise in temperatures might disclose the likely impacts that this temperature rise has on its workforce and on its production schedule, including a reduction in output and future earning capacity.
  • A real estate company that owns coastal property might disclose the likely impacts of rising sea levels on such property, including the potential diminution in value of, and a potential change in its strategy and outlook regarding such properties.
  • An oil company might determine that a likely change in demand for fossil fuel-based products would require it to modify its business model or alter its product mix to emphasize advanced diesel gas and biofuels in order to maintain or increase its earning capacity.
  • An electric utilities company might disclose an increase in the amount of electricity generated from less carbon-intensive sources, such as wind turbines, nuclear, hydroelectric, or solar power to meet current or likely regulatory constraints.

A number of other thoughtful examples are provided throughout the SEC’s proposal. The use of each of these examples implicitly describes the cause and effects of climate-related risks that should be contemplated by management and affirmed by the Board through a designated committee.

The final rule removed explicit reference as to how climate-related risks should be incorporated into the enterprise-wide risk management process and “(adopts) a less prescriptive approach” so as to avoid a “one-size-fits-all disclosure model that fails to account for differences in industries and businesses”. However, the final rule requires disclosure about “how a registrant integrates its climate risk management process into its overall risk management system”. Specifically, the final rule encourages disclosure of how the enterprise –

  • decides whether to mitigate, accept, or adapt to particular risks; and
  • prioritizes whether to address climate-related risk.

Unfortunately, the “less prescriptive approach” taken in the final rule will require additional interpretive guidance in the months to come.

How is ERM Related to ESG Disclosures (SOX 2.0)?

Effectively, the final rule implies the evaluation of climate-related risks has become a major component of an Enterprise Risk Management program for many organizations. As a result, management’s disclosures must help investors evaluate whether a company has implemented adequate processes for identifying, assessing and managing climate-related risks so that an individual investor can make better investment and voting decisions.

Many large, multinational public companies have established formal Enterprise Risk Management Programs. However, many mid-cap and smaller public companies have neither formally nor informally established such programs. And this becomes another reason many mid-cap and smaller public companies have difficulty accepting the burden of the SEC’s mandatory climate risk disclosure proposal – most especially the time and cost to get it right.

How to Get Started on ESG Regulatory Compliance

Let’s assume the SEC’s final climate-related disclosure rule is ultimately upheld by the Federal Courts and becomes a regulatory requirement starting in 2026, as planned. If so, here are three suggestions for getting started:

  1. Read the Task Force on Climate-Related Financial Disclosures (TCFD) Framework document and begin to think about its use by your industry, as well as your company
  2. Dust off your copy of COSO’s Internal Control – Integrated Framework document, which has been used for SOX 404, and begin to speculate how your enterprise will apply its Principles and Points of Focus to your climate-related operations and reporting
  3. Consider how your Enterprise Risk Management program will absorb climate-related matters as a Top 10 Risk
