SB 261 Compliance in Practice: A Roadmap for Legal and Sustainability Leaders

SB 261 Compliance in Practice: A Roadmap for Legal and Sustainability Leaders

SB 261 Compliance in Practice: A Roadmap for Legal and Sustainability Leaders 1200 628 Lynn Kuzneski

Part Two

This is Part 2 of our two-part series on California’s landmark climate risk disclosure law, the California Climate-Related Financial Risk Act (SB 261). In Part 1, we covered the scope of the law, its reporting requirements, what’s at stake for companies facing compliance, and how to approach preparing to comply with SB 261. 

As a quick recap, SB 261 requires companies doing business in California (other than insurance companies) with over $500 million in annual revenue to evaluate and publicly disclose their climate-related financial risks, organized around four core pillars: governance, strategy, risk management, and metrics & targets. With the first disclosure due by January 1, 2026, preparing well in advance can be critical to ensure internal alignment, data readiness and reduced compliance, legal, and reputational risk.

In Part 2 below, we delve deeper into the foundational steps for launching a successful SB 261 compliance program, including:

  • Designating the right legal and project leads
  • Preserving attorney-client privilege, if appropriate
  • Creating a project plan with realistic timelines
  • Assessing materiality
  • Managing related disclosure implications

01. Start with the Right People, Process and Legal Structure

Start with Legal.

As you start, consider clearly defining the scope of the internal work and identify the right internal leads—beginning with legal. An in-house or outside counsel can help shape the approach from the outset, assess legal risk, and advise on key decisions, including whether and how to preserve attorney-client privilege subject to the laws of the applicable jurisdiction(s).

Consider Attorney-Client Privilege.

Attorney-client privilege may not always apply to internal corporate audits in California, and compliance in and of itself may not suffice as a basis for privilege, so it is best to consider these issues from the outset of a project, especially if you anticipate sensitive internal investigations or analysis to follow. 

Tips That May to Help Preserve Privilege:
  • Engage legal early as project led or gatekeeper, which may help ensure the purpose and confidentiality of communications are understood.
  • Minimize the risk of waiver by avoiding broad email distribution and sharing with third-parties which could undermine privilege.
  • Clarify roles and scope, recognizing that privilege may depend on who (retained counsel) requests legal analysis, drafts documents, and prepares reports and for whom (usually only entities formally represented, not necessarily all affiliates under a parent company).

Even a project not led by counsel may reach a point where it becomes important to hand over portions of the project to counsel in order to seek legal advice. 

02. Build a Cross Functional Team.

SB 261 defines climate-related financial risk broadly,[1]1 impacting operations, supply chains, employee health, capital investments and more.  Since nearly every corporate vertical—from procurement and capital planning to real estate, governance, enterprise risk committee (for companies that have one) and investor relations, and marketing—is impacted by the risk assessment, seeking input from a broad set of internal stakeholders is important to consider.

Designating this team early could potentially help to establish clear roles and responsibilities, avoid duplication of effort and accelerate issue-spotting, which could result in alignment of climate-related reporting efforts with department business strategy, particularly with respect to the more complex aspects such as the materiality assessment, scenario analysis, risk modeling, and target setting.

03. Add Sustainability Expertise Where Needed

Not every company will have in-house sustainability professionals or the capacity to manage SB 261 preparation on their own. If you don’t have in-house professionals, consider taking a strategic approach by evaluating knowledge gaps and bandwidth to manage data, metrics, and scenario modeling.

When necessary, companies can potentially solve for these issues by hiring a full time employee dedicated to sustainability, engaging fractional sustainability support, or relying on outside consultants to help manage the scope of a process that spans functions, systems, and stakeholders. In addition to offering technical expertise, external advisors may help to keep efforts focused, coordinated and aligned with existing risk and governance frameworks; and when retained by counsel, may also help maintain privilege over strategic advice.

04. Secure Leadership Buy-in

Early engagement with company leadership is important to build executive buy-in. Consider securing time on board or committee agendas to brief them on the project launch and to provide regular updates key milestones, including:

  • Project scope and resourcing
  • Emerging climate-related risks and opportunities
  • Structure and timing of proposed disclosures
  • Interplay with insurance, financial reporting, and sustainability messaging
  • Embed climate risk into existing governance protocols

05. Suggested Project Timelines

Below, we’ve outlined the core phases and suggested timeframes for SB 261 compliance. Depending on your organization’s size and complexity, a 3- to 6-month project duration is likely a reasonable expectation. The first reporting deadline is January 1, 2026.

Project PhasesSuggested Timeframe
Project Mobilization & Scoping1-2 weeks
Materiality Assessment (Risk & Opportunity Identification)3-4 weeks
Scenario Analysis & Target Setting2-3 weeks
Strategy & Risk Management Integration1-3 weeks
Governance Assessment1-2 weeks
Disclosure Preparation3-4 weeks
Internal Alignment, Submission, and Documentation1-2 weeks

06. Conduct the Materiality Assessment

The materiality assessment is a foundational step in SB 261 compliance, which requires companies to identify their climate-related risks and opportunities and evaluate their likelihood and potential financial impact in order to determine what is material.

In aligning to the TCFD framework, materiality under SB 261 is based on what a reasonable investor would consider important to decision-making.

Consider beginning your assessment by:

  • Reviewing the company’s existing public disclosures (e.g., 10-Ks)
  • Benchmarking against peer reports to identify gaps and opportunities
  • Gathering cross-functional (legal, finance, HR, ops) insights of both a qualitative and quantitative nature

07. Embed Climate Risk within Corporate Governance

Embedding climate risk analysis into existing governance structures can be key to long-term effectiveness. Legal counsel often plays a pivotal role in the materiality assessment process, and can advise on preserving privilege when sharing preliminary findings with governance committees (e.g., audit, risk, or both) for evaluation and integration with the company’s broader risk register. Retaining outside counsel to support these discussions may further protect privilege.

The Corporate Secretary may also consider updating committee charters to reflect new responsibilities related to climate risk and sustainability¾such as assigning financial impact reviews to the audit committee, and scenario analysis oversight to the enterprise risk committee.

08. Plan for Disclosures

Under SB 261, a full Climate Risk Disclosure report must be published by January 1, 2026, and submitted to the California Air Resources Board (CARB). SB 261 requires the report to disclose climate-related risks, as well as measures adopted to reduce and adapt to climate-related financial risk. 

With respect to timing, companies may consider targeting completing data collection by the end of 3Q25 to then include it in a report draft  available in October 2025, in order to allow time for engaging in actions such as 4Q25 internal review, leadership briefing and synching with insurance related disclosures and coverage.
If a company is unable to fully comply complete a report consistent with all required disclosures, SB 261 allows[2]2 a company to:

  • Disclose what it can to the best of its ability
  • Provide a detailed explanation of any reporting gaps
  • Describe steps for future reporting

In assessing any penalties for non-compliance, the statute[3]3 also notes that “all relevant circumstances, including good-faith efforts, will be considered in enforcement.  

09. If SB 261 Doesn’t Apply, Why it Still Matters

Smaller companies that do not meet the $500M revenue compliance threshold may still wish to begin evolving their sustainability strategies and metrics in order to meet the growing sustainability expectations of large customers, align with investor or other stakeholder (employees, consumers) expectations, and prepare for evolving state and federal regulations. Stay tuned for future blogs where we will explore how companies of any size can further their sustainability goals.

For more information, please contact Kate Cronin at kcronin@outsidegc.comSusan Doherty at susan@samasustainability.com or and Renée Soulliard at renee@samasustainability.com.

Authors

Kate Cronin, Partner at Outside GC, has been practicing law for over 30 years, including tenures with a Washington D.C. law firm, Citigroup and AT&T before joining Outside GC. She brings significant experience in corporate governance, internal corporate investigations, corporate supplier responsibility, corporate compliance and policy development, and environmental law, in addition to a regular commercial agreement transactional practice including data privacy and information security. 

Susan Doherty and Renée Soulliard co-founded Sama Sustainability to help companies navigate the complexities of today’s sustainability landscape. Susan is a sustainability and communications strategist with over 20 years of experience aligning ESG, social impact, and brand strategy with business goals. Renée brings more than two decades of global business experience helping companies identify and address both risks and opportunities on their sustainability journey.

[1] Under Section 38533(a)(2) (2024), ”climate-related financial risk” means “material risk of harm to immediate and long-term financial outcomes due to physical and transition risks, including but not limited to, risks to corporate operations, provision of goods and services, supply chains, employee health and safety, capital and financial investments, institutional investments, financial standing of loan recipients and borrowers, shareholder value, consumer demand, and financial markets and economic health.” 

[2] Section 38533 (b)(ii)(B

[3] Section 38533(f)(2)

Navigating Tariff Hikes and Contractual Risk in Commercial Agreements
Smart Legal Resourcing Part 2: Cost, Continuity, or Control —Why Not Have It All?

YOUR PARTNER

Outside GC.
Inside Advantage.

Business-minded counsel, delivered with an in-house perspective.

Get Started
Outside GC Logo
501 Boylston Street,
10th Floor Boston, MA 02116

Stay In The Know

Quicklinks

Home
Practice Areas
Industries
Contact Us
FAQS
Careers
Blog
Our Attorneys
About Us

Privacy Policy   |  Terms of Use  |  CA Privacy Policy  |  CA Notice at Collection
Attorney Advertising. Prior results do not guarantee a similar outcome. © 2026 Outside General Counsel, LLP. All Rights Reserved.
Enter your
text here
Privacy Preferences

When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your Privacy preferences. It is worth noting that blocking some types of cookies may impact your experience on our website and the services we are able to offer.

Click to enable/disable Google Analytics tracking code.
Click to enable/disable Google Fonts.
Click to enable/disable Google Maps.
Click to enable/disable video embeds.
Our website uses cookies, mainly from 3rd party services. Define your Privacy Preferences and/or agree to our use of cookies.