In 2026 the state of California is set to enforce two landmark climate disclosure laws: Senate Bill 253 (the Climate Corporate Data Accountability Act) and Senate Bill 261 (the Climate-Related Financial Risk Act). As such, governance, risk and compliance (GRC) professionals will play a key role in integrating the regulatory demands into enterprise risk-management and reporting frameworks.
The rule set
SB 253 requires companies doing business in California with annual revenues exceeding $1bn to publicly report their greenhouse-gas (GHG) emissions on an annual basis. Scope 1 (direct emissions) and Scope 2 (indirect emissions from purchased electricity) disclosures must begin in 2026, using 2025 fiscal-year data. Scope 3 reporting (value-chain emissions such as supplier, downstream and customer use emissions) must start in 2027.
Meanwhile SB 261 covers companies doing business in California with revenues above $500mn and requires a bi-yearly climate-related financial-risk report starting on or before January 1, 2026. The law mandates the disclosure of both physical and transition climate risks along with the measures the company has adopted to respond. Both laws remain subject to regulation drafting by the California Air Resources Board (CARB), which has released draft guidance and FAQs but has not yet finalised all rules.
What this means for GRC professionals
For GRC professionals these laws signal a fundamental shift: climate-related disclosures are becoming mandatory rather than voluntary and must be managed through governance, risk identification and compliance programmes.
GRC teams will need to ensure board and senior-executive oversight over climate issues. SB 261 specifically requires reporting entities to describe the role of the board in overseeing climate-related financial risk and how senior management integrates it into business strategy. In addition, governance frameworks will need to be extended to incorporate climate triggers, scenario analysis and risk management plans.
Speaking to Thomson Reuters, Bill Tarantino, a partner at Morrison Foerster in San Francisco, said: ‘For better or worse, it’s a regulatory burden for a lot of companies.’
In terms of risk management, the new reporting rules require identifying and quantifying physical risks such as wildfires, floods and droughts, as well as transition risks like regulatory change, carbon pricing or reputational exposure, as part of the climate risk disclosure. GRC professionals will therefore need to integrate climate risks into enterprise-risk registers, modelling and scenario planning processes.
There are also data and process compliance implications. Under SB 253 companies must track and report GHG emissions (Scopes 1, 2 and eventually 3) using a standard such as the GHG Protocol. This imposes significant data-collection, metric-calculation, system-integration and assurance burdens. GRC teams will need to co-ordinate cross-functional data flows (operations, procurement, supply chain and sustainability functions, for example) and build controls around data integrity, auditability and disclosure readiness. Under SB 261 the first report is due in early 2026 but the regulations are still unfinalized, so risk professionals must guide their business in preparation while navigating uncertainty.
In an interview with ESG Dive, KPMG department of professional practice sustainability reporting leader Julie Santoro said: ‘Those reporting dates are not going to be pushed back; that is abundantly clear. So don’t pray that they will be. Start preparing.’
Furthermore, companies will need to make their disclosures publicly available on their websites and will face administrative penalties for non-compliance. The principal estimates put these at up to $500,000 a year for SB 253 and up to $50,000 a year for SB 261. GRC functions will need to map regulatory requirements into compliance workflows, monitor deadlines, assess materiality and ensure the accuracy of the disclosures.
The new regime means climate reporting is becoming a core part of corporate strategy rather than being siloed within sustainability. GRC professionals should drive the alignment of climate risk disclosures with broader corporate strategy, financial planning, investor relations and internal controls. For example, companies will need to demonstrate how they have adapted business models, strengthened supply chain resilience, diversified asset profiles and managed transition pathways.
Looking ahead
For GRC professionals, California’s new climate-disclosure laws mark a defining inflection point in corporate accountability. The transition from voluntary to mandatory climate reporting moves climate from a sustainability concern to a core governance and enterprise-risk priority.
These laws demand end-to-end integration across governance, data management, internal controls, assurance and public disclosure. This marks a structural shift requiring alignment between sustainability, finance, audit and risk functions under clear board oversight.
Although regulatory details are still being finalized, the deadlines are firm and regulators have made it clear that expectations will not be deferred. The organizations best positioned for success will be those embedding climate considerations into their processes now, not later.
For GRC leaders, the real challenge is no longer whether to comply but how to lead: how to embed climate risk and disclosure within the company’s governance framework, control environment and long-term strategic resilience.
