Overview
California Senate Bill 261, the Climate-Related Financial Risk Act, signed into law in October 2023, requires large companies doing business in California to publicly disclose their climate-related financial risks. The law mandates biennial reporting aligned with the Task Force on Climate-related Financial Disclosures (TCFD) framework, covering governance, strategy, risk management, and metrics and targets related to climate risk.
SB 261 complements SB 253 (the Climate Corporate Data Accountability Act) by focusing on the financial risk dimension of climate change rather than emissions quantification. While SB 253 asks "how much are you emitting?" SB 261 asks "how is climate change affecting your business?" Together, these laws create a comprehensive climate transparency regime in California that rivals European regulatory requirements in ambition.
The law applies to entities with annual revenues exceeding $500 million that do business in California, a lower threshold than SB 253's $1 billion, capturing a broader set of companies. CARB oversees implementation, and companies must publish their climate risk reports on their own websites and submit them to CARB for posting on a public platform.
Who Does It Apply To?
SB 261 applies to any entity—public or private, domestic or foreign—with total annual revenues exceeding $500 million that "does business in California" as defined under California Revenue and Taxation Code Section 23101.
- Revenue threshold: $500 million in total annual revenues (not California-specific revenue).
- Entity scope: Corporations, partnerships, LLCs, and other business entities. No exemption for private companies.
- Sector scope: All sectors, with no industry-specific exemptions.
- Estimated coverage: CARB estimates approximately 10,000 entities fall within scope, roughly double the SB 253 population.
- Insurance companies: The California Department of Insurance separately requires climate risk disclosures for insurers under its own regulatory authority, creating potential overlap for insurance entities also subject to SB 261.
Key Requirements
1. Biennial Climate Risk Report: Covered entities must prepare and publish a climate-related financial risk report every two years. The report must describe the entity's climate-related financial risks and the measures adopted to reduce and adapt to those risks.
2. TCFD Framework Alignment: Reports must be prepared "in accordance with" the TCFD framework, covering the four pillars: governance of climate-related risks and opportunities, strategy for addressing them, risk management processes, and metrics and targets used to assess and manage climate risks.
3. Scenario Analysis: Consistent with TCFD recommendations, companies should describe the resilience of their strategy under different climate-related scenarios, including a 2°C or lower scenario. While the law does not prescribe specific scenario methodologies, the TCFD framework's guidance on scenario analysis sets the expectation.
4. Public Disclosure: Reports must be published on the entity's website and submitted to CARB for posting on a publicly accessible platform. This dual publication requirement ensures broad public access to climate risk information.
5. Measures to Reduce and Adapt: Beyond risk identification, companies must disclose the measures they are taking to reduce climate-related financial risks and adapt to climate impacts. This includes mitigation strategies, resilience planning, and adaptation investments.
Timeline & Milestones
| Milestone | Date |
|---|---|
| SB 261 signed into law | October 2023 |
| CARB rulemaking process | 2024–2025 |
| SB 219 amendments to SB 261 | September 2024 |
| First biennial reports due | On or before January 1, 2026* |
| Second biennial reports due | On or before January 1, 2028 |
*The first reporting deadline has been subject to discussion in CARB's rulemaking process. SB 219 made clarifying amendments. Monitor CARB for final confirmed dates.
Step-by-Step Compliance Roadmap
Step 1: Applicability and Scoping
Determine whether your entity exceeds the $500 million revenue threshold and meets the "doing business in California" standard. Map which subsidiaries or business units are in scope. Assign internal responsibility for the climate risk report—typically spanning sustainability, risk management, finance, and legal functions.
Step 2: Climate Risk Identification and Assessment
Conduct a systematic assessment of climate-related physical and transition risks relevant to your business. Physical risks include acute events (storms, floods, wildfires) and chronic changes (sea level rise, temperature increases, water stress). Transition risks include policy and regulatory changes, technology shifts, market dynamics, and reputational factors. Assess risks across short, medium, and long-term time horizons.
Step 3: Scenario Analysis
Develop or adopt climate scenarios to test the resilience of your business strategy. At minimum, consider a scenario consistent with the Paris Agreement (1.5°C–2°C warming) and a higher-warming scenario (3°C+). Assess how each scenario would affect your operations, supply chain, markets, and financial performance. You do not need to build proprietary scenarios—credible third-party scenarios from the IEA, NGFS, or IPCC are appropriate starting points.
Step 4: Report Preparation
Structure your report around the four TCFD pillars. For governance, describe board and management oversight of climate risk. For strategy, detail identified risks and opportunities and their business implications. For risk management, explain how climate risks are identified, assessed, prioritized, and monitored within your enterprise risk framework. For metrics and targets, disclose relevant climate metrics and any targets you have set.
Step 5: Publication and Iteration
Publish the report on your corporate website and submit it to CARB. Establish a biennial review and update process. Use stakeholder feedback and evolving climate science to improve risk assessments and disclosures in subsequent cycles. Consider integrating the SB 261 report with other climate disclosures (SEC, CSRD, CDP) to maintain consistency and reduce reporting burden.
Common Pitfalls
Treating TCFD alignment as a narrative exercise. TCFD-aligned reporting requires analytical substance, not just qualitative descriptions of climate awareness. Reports that lack quantitative risk assessment, specific scenario analysis, and concrete metrics will fall short of both the regulatory expectation and investor scrutiny.
Disconnecting climate risk from enterprise risk management. SB 261 asks how climate risk is integrated into your overall risk management framework. Companies that maintain a separate, siloed climate risk process will struggle to provide a credible answer. Climate risk identification and assessment should feed into the same enterprise risk governance that covers financial, operational, and strategic risks.
Overlooking physical risk for transition risk. Many companies focus on transition risks (regulation, technology, market shifts) while underestimating physical risks. California's own exposure to wildfire, drought, and sea level rise makes physical risk particularly salient for companies with California operations. Ensure balanced coverage of both risk categories.
Publishing generic boilerplate. The public nature of SB 261 reports means they will be read, compared, and evaluated by investors, NGOs, journalists, and competitors. Generic disclosures that could apply to any company signal a lack of genuine risk assessment. Reports should be specific to your business, geography, and value chain.
How Council Fire Can Help
Climate risk assessment is at the core of Council Fire's practice. We help companies move beyond generic risk registers to develop rigorous, location-specific climate risk analyses that satisfy SB 261's requirements and genuinely inform business strategy.
Our scenario analysis capabilities combine climate science with financial modeling, enabling clients to quantify the potential impacts of different climate pathways on their operations, supply chains, and markets. We work with clients to develop scenarios that are both analytically defensible and strategically actionable.
For companies with coastal, marine, or water-dependent operations, Council Fire's ocean and climate resilience expertise provides uniquely informed physical risk assessments. We help clients understand exposure to sea level rise, storm surge, marine ecosystem shifts, and water resource risks that generic risk frameworks often miss.
Council Fire also helps clients craft climate risk narratives that communicate genuinely with investors and stakeholders. In a public disclosure environment, the quality of your storytelling matters as much as the quality of your analysis.
Frequently Asked Questions
How does SB 261 differ from SB 253?
SB 253 requires disclosure of Scope 1, 2, and 3 GHG emissions—it is an emissions quantification law. SB 261 requires disclosure of climate-related financial risks aligned with the TCFD framework—it is a risk disclosure law. They have different revenue thresholds ($1 billion for SB 253, $500 million for SB 261), different reporting frequencies (annual for SB 253, biennial for SB 261), and different content requirements. Companies above $1 billion in revenue doing business in California will need to comply with both.
Do we need to hire a third-party consultant to prepare the report?
SB 261 does not require third-party preparation or assurance of the climate risk report (unlike SB 253's assurance requirement for emissions data). Companies can prepare the report internally. However, companies without existing climate risk assessment capabilities will likely benefit from external expertise, particularly for scenario analysis, quantitative risk modeling, and alignment with TCFD best practices.
What happens if we don't comply?
SB 261 authorizes CARB to impose administrative penalties for non-compliance. The specific penalty amounts and enforcement procedures will be detailed in CARB's implementing regulations. Beyond regulatory penalties, non-compliance carries reputational risk, as the public nature of the reporting platform makes non-reporters conspicuous.
Can we use our existing TCFD report to comply?
If you already publish a TCFD-aligned climate risk report, you have a significant head start. Review your existing report against CARB's specific requirements and the TCFD's full recommendations to identify any gaps. Ensure the report covers measures taken to reduce and adapt to climate risks, as this is an explicit SB 261 requirement that goes slightly beyond the standard TCFD framework. You will need to submit the report to CARB's platform in addition to publishing it on your website.


