California SB 261: CARB’s new checklist signals it’s time to prepare for 2026

In September, 2025, CARB released new guidance on SB 261 climate risk disclosures. Learn who must comply, what to include, and how to prepare for 2026 reporting.

LAST UPDATED: OCTOBER 2025

In September, the California Air Resources Board (CARB) released a draft checklist that offers the clearest picture yet of what’s expected under California Senate Bill 261 (SB 261), the state’s upcoming climate-related financial risk disclosure regulation.

SB 261 was signed into law in October 2023, and while it’s still facing legal challenges, CARB is moving ahead with implementation guidance. For covered companies, that means it’s time to start preparing. The first disclosures will need to be published starting January 1, 2026.

Click here for our full breakdown of both SB 253 and SB 261.

SB 261: Who’s covered and what you need to do

Under SB 261, climate-related financial risk disclosures are required for companies that meet all of the following criteria:

  • Operate in the United States
  • Do business in California
  • Have total annual revenues over $500 million

If that sounds like your organization, you’ll need to publish a climate-related financial risk report every two years, starting in 2026. Reports must be posted publicly on your website, and the URL to your report will need to be submitted to CARB using a webform that is expected to be available on their website on December 1, 2025.

Unlike SB 253, which focuses on greenhouse gas emissions, SB 261 is about the financial impacts of climate change. Think extreme weather, shifting regulations, insurance volatility, and supply chain disruptions.

So, what exactly needs to go into that climate risk report? Earlier this month, CARB released a draft checklist that outlines the key elements companies should include in their 2026 disclosures.

CARB’s draft checklist: How to prepare for SB 261 compliance

The checklist builds on earlier workshops and FAQs, offering the most detailed guidance to date on what companies should include in their 2026 climate risk reports.

It’s not a template, but it does lay out six core components that every report should cover. Here’s a closer look at each one, along with a few tips for how to get started.

1. Select and declare your framework

The first step is to decide which reporting framework you’ll use to structure your disclosure. CARB doesn’t require a specific one, but the two most commonly referenced are:

  • IFRS S2: The global baseline for climate-related disclosures, released in 2023
  • TCFD: The foundational framework many companies already use, and the basis for IFRS S2

SB 261 allows companies to use either framework. Our suggestion is that the right choice depends on where your company is today and what your goals are for the future.

If your company already reports using TCFD, or if you are just beginning your climate risk reporting journey, it makes sense to stick with TCFD since it is slightly simpler and already widely recognized.

However, IFRS S2 is quickly becoming the global standard. For companies with international operations or investor pressure, we recommend beginning to transition toward IFRS S2 to ensure your reporting is future-proofed and consistent across jurisdictions.

2. Map existing disclosures

Once you’ve chosen a framework, the next step is to see how your current disclosures measure up.

Many companies already publish climate risk information in places like an annual CDP report, annual company ESG reports, or investor updates. SB 261 doesn’t require you to start over, but it does require you to bring that content together in a way that aligns with the framework you’ve selected and with CARB’s checklist.

This process is about identifying gaps. Where your existing reports already address climate risk, you can carry that content forward. Where they don’t, you’ll need to add new detail to meet SB 261 requirements.

3. Draft governance language

SB 261 reports must describe how climate-related financial risks are overseen at the leadership level. At a minimum, your disclosure should explain:

  • Board oversight: How the board is informed about climate-related risks, which committees are involved (such as audit, risk, or sustainability), and how often the topic is reviewed
  • Management responsibilities: Which executives or teams are responsible for day-to-day risk assessment and management, and how their work is reported up to senior leadership or the board

Some companies place responsibility with the audit or risk committee, while others assign it to the CFO, CSO, or a cross-functional risk team. What matters most is being clear and specific about the structure you have in place.

4. Prepare a qualitative scenario narrative

CARB expects companies to include a forward-looking narrative that explains how climate risks could impact financial performance and strategic planning.

The regulation does not require highly technical forecasts or quantitative models, but for some companies, particularly those with significant physical infrastructure or supply chain exposure, a more detailed model-based analysis may be the most effective way to generate actionable insights. This type of analysis can also strengthen resilience planning by helping companies test strategies against different potential futures and identify where to invest in adaptation.

A strong scenario narrative usually covers:

  • Key risks: Identify the climate-related risks most relevant to your company, such as wildfire exposure, flood risk, heat-related operational disruptions, supply chain instability, or regulatory changes
  • Business impacts: Explain how those risks could affect strategy, operations, or financial planning in practical terms
  • Resilience planning: Describe the steps you are taking to prepare for and manage these risks under different potential futures

Some companies may choose to reference formal climate scenarios (for example, a 1.5°C or 4°C pathway), while others may rely on a qualitative discussion of material risks. The important thing is that your analysis is connected to your actual business strategy and provides information your leadership and stakeholders can act on.

5. Show ERM integration

SB 261 requires companies to demonstrate how climate risk is integrated into their broader enterprise risk management (ERM) systems. This means describing how climate-related risks are identified, assessed, and managed alongside other business risks.

In practice, this often includes:

  • Processes: How climate risk factors are incorporated into existing risk assessments or annual risk reviews
  • Internal controls: The mechanisms or tools used to monitor and track these risks, such as risk registers or dashboards
  • Escalation protocols: How material climate risks are raised to senior leadership or the board for review and action

The goal is not to build a brand-new ERM process, but to show that climate risks are managed through the same systems already used for financial, operational, or compliance risks.

6. Define metrics and targets

The final piece of SB 261 reporting is to disclose metrics and targets that show how your company is tracking and responding to climate-related risks. These do not have to be limited to emissions data. The focus should be on indicators that are relevant to your risk profile and business strategy.

Examples of metrics and targets might include:

  • Percentage of facilities or assets located in high-risk climate zones
  • Progress toward adaptation or resilience milestones, such as infrastructure upgrades or supply chain diversification
  • Internal risk indicators, such as insurance cost changes or disruption frequency
  • Emissions or energy intensity metrics, if they are directly tied to financial risk

The key is to select metrics that are meaningful for your business and can be reported consistently over time.

SB 261 compliance timeline

With the first deadline just a few months away, companies have only a short window to get their SB 261 reports ready. To help you plan ahead, here’s a summary of the key compliance dates.

Date Milestone
Now Begin aligning with your chosen framework and assess reporting gaps
Fall 2025 Final CARB checklist and guidance expected
December 1, 2025 CARB’s public docket opens; companies can begin submitting the URLs to their climate risk reports
January 1, 2026 First SB 261 reports are due; reports must be live on company websites and posted to CARB’s docket

This means companies have until January 1, 2026 to finalize and publish their first report, with the option to submit URLs to CARB starting December 1, 2025. Acting now will ensure your team has enough time to comply with confidence and avoid a last-minute scramble.

Final thoughts

CARB’s draft checklist provides long-awaited clarity on what SB 261 compliance will entail. Even with ongoing legal challenges, the state is clearly moving forward and companies should be too.

Starting now gives reporting teams the lead time to select a framework, align internal teams, and prepare disclosures that meet regulatory expectations and build investor trust.

Need support navigating this process? Learn about our California regulatory services.

Previous Back to all posts Next

Sign up to stay up to date with Optera and the latest developments in corporate sustainability.