Climate Risk Factors Soar at Largest Public Companies

Dean Kingsley is a Principal and Matt Solomon is a Senior Manager at Deloitte & Touche LLP. Kristen Jaconi is an Associate Professor of the Practice in Accounting and Executive Director at Peter Arkley Institute for Risk Management at the USC Marshall School of Business. This post is based on their recent Deloitte report. Related research from the Program on Corporate Governance includes The Illusory Promise of Stakeholder Governance (discussed on the Forum here) and For Whom Corporate Leaders Bargain (discussed on the Forum here), both by Lucian A. Bebchuk and Roberto Tallarita; Restoration: The Role Stakeholder Governance Must Play in Recreating a Fair and Sustainable American Economy—A Reply to Professor Rock (discussed on the Forum here) by Leo E. Strine, Jr.; and Stakeholder Capitalism in the Time of COVID (discussed on the Forum here) by Lucian Bebchuk, Kobi Kastiel, and Roberto Tallarita.

The past 12 months have continued to demonstrate the difficulty of effectively identifying and managing risk in the global business environment. Following the worst global pandemic in 100 years, U.S. companies have had to respond to the most significant armed conflict in Europe in over 80 years, the threat of use of nuclear weapons, a global trade and supply chain environment of unparalleled complexity, geopolitical tensions, the highest levels of inflation in 40 years, considerable global macro-economic uncertainty and volatility, and major tax, environmental, social, and governance (ESG) and cyber regulatory reforms.

In this highly dynamic environment, companies have had to continue to both manage and report publicly on their key risks in compliance with rules the Securities and Exchange Commission (SEC) finalized in 2020 to address the increasingly lengthy and generic risk factor disclosures of registrants. For a description of these rules, see Appendix: Summary of SEC’s Final Rule on Regulation S-K, Item 105. In order to understand the impact of these amended risk factor disclosure requirements, Deloitte and the Peter Arkley Institute for Risk Management at the USC Marshall School of Business are conducting a series of analyses on the risk factor disclosures filed by the Standard & Poor’s (S&P) 500 companies.

We published our initial results in March 2021, Many companies struggle to adopt spirit of amended SEC risk disclosure rules, reviewing 88 companies that had filed their annual reports by early February 2021. We concluded that risk factor disclosures were becoming lengthier, contravening the SEC’s intention in the amended requirements. A follow-up report in November 2021, Limited adoption of amended SEC risk factor disclosure rules: ERM and ESG can chart a path for improved compliance, reviewing 439 companies that had filed reports between November 9, 2020 and May 15, 2021, confirmed our initial analysis.

In this latest report, we have reviewed the risk factor disclosures in the annual reports of 439 S&P 500 companies to identify trends during this second year of implementation, including an analysis of standalone climate-related risk factors disclosed for the first time this reporting season. We have also provided recommendations for companies to consider for the next reporting season.

Analysis of rules adoption

To assess the adoption of the amended requirements over two years of implementation, we have reviewed the risk factor disclosures of 439 S&P 500 companies that have filed two annual reports between November 9, 2020, the effective date of these requirements, and May 20, 2022. Key findings, which reaffirm those of our March 2021 report and our November 2021 report, are as follows:[1]

The number of pages has not decreased over the two-year period, but continues to increase.

  • The average number of pages is now nearly 13.5 per company, up from about 12 before the amendments and about 13 one year after the amendments.
  • 77% of companies actually increased the number of pages in the first year of adoption and 60% have increased the number of pages from year one to year two.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis

The number of risk factors continues to increase. 

  • The average number of risk factors per company was just over 31 the second year of implementation compared to just under 31 the first year and around 30.5 before the amendments.
  • 63% of companies also increased the number of risk factors in the first year of implementation and 46% increased the number from the first year to the second year. The change from disclosure of “most significant” to “material” risk factors under the revised rules seemed to have no impact on the average number of risk factors.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis

Most companies did not need to include a risk factor summary.

  • Although the SEC estimated that 40% of registrants would exceed the 15-page threshold and require a summary,[2] only 19% of 439 S&P 500 companies exceeded this threshold in the first year of implementation and 21% in the second year of implementation. Nine companies included a summary in both years of implementation even though their disclosures did not exceed the 15-page threshold either year.
  • Approximately 21% included a summary in the first year of implementation and 23% in the second year of implementation.
  • The average number of pages for the summaries was approximately 1.5 pages both years of implementation, with a range of .25 to 2.75 pages the first year and .25 to 2.5 the second year.
  • Financials and Health Care included the most companies providing summaries during both years of implementation, which is consistent with the fact that these sectors had among the largest number of pages.

Headings are being used, but they are often very generic.

  • Just over 80% of companies used the same number of headings during both years of implementation.
  • The average number of headings per company was five in both years of implementation.
  • The average number of risk factors per heading was six during both the first and second years of implementation. However, over 75 companies included 20 and up to 45 risk factors under one heading, clearly not meeting the SEC’s expectations of headings improving “readability.”[3]
  • The most common heading categories this second year of implementation were variants of legal, regulatory, and compliance; business; operational; financial; cyber, information technology, data security, privacy; COVID-19; common stock; indebtedness; industry; economic and macroeconomic conditions; strategic transactions; strategic; human capital; market; tax and accounting; international operations; and intellectual property.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis

One-third of companies used a “general risk factors” heading during the past two years, contrary to the SEC’s advice.[4]

  • Companies used an average of just under five risk factors under the general risk factors heading for the first and second years of implementation and a range of one to 19 during the first year and one to 18 during the second year.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis

  • The most common risk factors included under the general risk factors heading this second year of implementation were: recruitment and retention of talent; cybersecurity; economic conditions; natural and man-made disasters/catastrophes; stock price volatility; litigation and/or regulatory investigation; COVID-19; accounting standard changes; tax law changes; financial reporting internal control weakness; exchange rate fluctuations; strategic transactions; international operations; legal and regulatory compliance; inability to pay dividends and/or repurchase shares; lack of adequate insurance coverage; and climate change.

Insights on climate-related risk factors

Given the SEC’s focus on climate change in 2021, we analyzed in our November 2021 report risk factors whose subcaption mentioned climate change and the topics those risk factors covered. Our analysis concluded that many of the topics covered in those risk factors—legislation, regulation, and international accords, physical risks, reputational risks, and consumer demand—aligned with the topics set forth in the 2010 Commission Guidance Regarding Disclosure Related to Climate Change.

We have continued to analyze climate-related risk factors, given that, on March 21, 2022, the SEC proposed much-anticipated rules to require registrants to provide specific climate-related information in their registration statements and annual reports.[5] The SEC’s proposed rules require registrants, among other things, to “[d]escribe any climate-related risks reasonably likely to have a material impact on the registrant” and specify whether these risks are physical risks and/or transition risks.[6] Physical risks relate to the physical impacts of climate and can be event-driven (acute), such as extreme weather events (e.g., hurricanes, floods), or longer-term shifts (chronic) (e.g., rising sea levels). Transition risks relate to the potential negative impacts due to regulatory, technological, market, liability, reputational, or other transition-related factors associated with the transition to a lower greenhouse gas-emitting economy.[7]

In light of the SEC’s proposal and to understand disclosure trends, we have compared the disclosures of risk factors mentioning climate-related risks, and specifically physical and transition risks, in the past two years of annual reports filed between November 9, 2020 and May 20, 2022 by 439 S&P 500 companies.[8]

The results are striking. The number of new stand-alone climate-related risk factors soared this past reporting season: Approximately one-third of companies added at least one new stand-alone climate-related risk factor. Two companies added three stand-alone risk factors each, another 16 companies added two each. The sector adding the greatest number of new stand-alone climate-related risk factors was Financials, the sector adding the least, Communication Services. Over half of the companies in each of the Energy and Consumer Staples sectors among the 439 companies reviewed added new stand-alone climate-related risk factors, the most significant of the sectors. Less than one-quarter of the companies in the Communication Services, Real Estate, and Information Technology sectors added these stand-alone risk factors.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis

In these new stand-alone risk factors, nearly 50% of companies described both transition and physical risks, over 45% described only transition risk, and approximately 5% described only physical risk. The sector with the greatest number of physical and transition risk stand-alone risk factors was Financials, the least, Communication Services. The sector with the greatest number of transition risk only stand-alone risk factors was Consumer Discretionary. Communication Services had none. The sectors with the greatest number of physical risk only stand-alone risk factors were Industrials and Materials.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis

With respect to transition risk, we may have reached a tipping point of companies disclosing the risk of meeting sustainability commitments: Over 75% of companies discussed in these new stand-alone risk factors their fear of not achieving their sustainability goals and meeting regulatory, investor, consumer, and/or other stakeholder expectations.[9]

With respect to physical risk, the focus on physical risk by 55% of the 150 companies is noteworthy. Of those companies, over 60% disclosed both acute and chronic risks, over 30% disclosed only acute risks, and over 7% did not specify acute or chronic risks.

Previous research has concluded that most companies disclosing climate-related risks in their annual reports focus on transition risk, not physical risk. For example, the proposed rule references an SEC staff analysis of the annual reports (not just risk factors) of 6,644 companies finding that “the majority of the disclosure is focused on transition risks, with comparatively fewer mentions of physical risk.”[10]

Given that in its 2020 rule amending the risk factor disclosures, the SEC adopted a materiality standard for disclosure (replacing the previous “most significant” risks standard), have nearly 20% of 439 S&P 500 companies in the past reporting season suddenly acknowledged climate-related physical risks as material? Perhaps, given, among other things, the severe weather events experienced around the globe in 2021 and 2022.

However, another question could be raised: Are companies instead disclosing these risks not because of their materiality, but for other reasons? The candor of one company was particularly notable: The company stated that its newly-disclosed climate risk was not material.

Source: Deloitte and Peter Arkley Institute for Risk Management Analysis


Integrate risk factor disclosure processes, including climate-related risk disclosures, with enterprise risk management (ERM) reporting processes. The SEC has asked in its climate disclosure proposal for companies to discuss if the processes for identifying, assessing, and managing climate-related risks are integrated with their overall risk management processes. Companies should consider integrating their risk factor disclosure process, including their climate-related risk disclosures, into their ERM reporting processes and dynamic risk programs. Not only would this contribute to meeting the SEC’s expectations about integrated climate-related risk reporting, but it would also meet the SEC’s goals set forth in the amended risk factor disclosure requirements of “disclosure that is more in line with the way the registrant’s management and its board of directors monitor and assess the business.”[11] In addition, given that a centralized ERM function typically maintains an internal risk register of material risks, this would also contribute to meeting the materiality standard set forth in the amended risk factor disclosure requirements. From a business perspective, better alignment between ERM and risk factor disclosures will increase focus on the most significant risks facing the organization and increase confidence in how risk is viewed and managed to achieve strategic goals.

Use risk taxonomies from ERM program for headings. During the second year of implementation, many companies were still using generic headings, such as “business” risks, “industry” risks, and “operations” risks. To bring more specificity to headings, companies could rely on their internal taxonomies used to catalogue risks for their ERM or risk reporting to management and boards of directors. This could lead to the more integrated external and internal reporting the SEC sought in the revised risk factor disclosure rules.

Avoid generic risks. The SEC suggested in its amended requirements that companies avoid using a “General Risk Factors” heading. However, one-third of companies have used this heading in both of the past two reporting seasons.[12] If companies are disclosing these “general” risks to their management and boards, companies could use the more descriptive headings they use in their risk taxonomies for management and board reporting.


During this second year of implementation of the SEC’s amended requirements, risk factor disclosures of 439 S&P 500 companies are generally becoming lengthier and not meeting the SEC’s expectations. Some of this length in this most recent reporting season is due to the introduction of new stand-alone climate-related risk factors by a striking one-third of these companies. Given the SEC’s pending climate disclosure proposal and the focus on climate change, we expect companies to continue to enhance these disclosures. In addition, we believe the SEC’s focus on integrating climate risk management processes with a company’s overall risk management processes provides companies the opportunity to enhance and more fully integrate their risk factor disclosure processes with their ERM reporting processes.

Appendix: Summary of SEC’s Final Rule on Regulation S-K, Item 105


[1] In this report, we have used the sectors set forth in the Global Industry Classification Standard (GICS). We have disclosed average data rather than median data given the limited difference between the average data and median data for the 439 S&P 500 companies reviewed and ten of the 11 sectors. However, we caution that due to the small sample size of eight companies in the Communication Services sector, the average numbers for this sector do not reflect as closely the median numbers as the data provided for the other sectors.

[2] Securities and Exchange Commission, Final Rule: Modernization of Regulation S-K Items 101, 103, and 105, Release No. 33-10825 (Aug. 26, 2020) [85 FR 63726, 63744 (Oct. 8, 2020)] [hereinafter Final Rule].

[3] Id. at 63746.

[4] Id. at 63761, §229.105(a) (“The presentation of risks that could apply generically to any registrant or any offering is discouraged, but to the extent generic risk factors are presented, disclose them at the end of the risk factor section under the caption ‘General Risk Factors.’”).

[5] SEC, Proposed Rule: The Enhancement and Standardization of Climate-Related Disclosures for Investors, Release No. 33-11042 [87 FR 21334 (April 11, 2022)] [hereinafter Proposed Climate Disclosure Rule].

[6] Id. at 21467, §229.1502(a). The Proposed Climate Disclosure Rule permits the registrant to include this new climate-related information in a separate section of its registration statement or annual report or incorporate by reference from another section, such as the Risk Factors, Description of Business, or Management’s Discussion and Analysis. Id. at 21346.

[7] The SEC has based the definitions of physical risks and transition risks in the Proposed Climate Disclosure Rule on those set forth in the 2017 Recommendations of the Task Force on Climate-related Financial Disclosures [hereinafter TCFD Recommendations]. Id. at 21349. (“We have based our definitions on the TCFD’s definitions because they provide a common terminology that allows registrants to disclose climate-related risks and opportunities in a consistent and comparable way. Grounding our definitions in a framework that is already widely accepted also could help limit the burden on issuers to identify and describe climate-related risks and improve the comparability and usefulness of the disclosures for investors.”).

[8] Only three of these companies filed their second annual reports after the issuance of the SEC’s proposal. However, as noted by the SEC in the Proposed Climate Disclosure Rule, the definitions of physical risk and transition risk are based on those set forth in the “widely accepted” framework of the Task Force on Climate-related Financial Disclosures. Id. at 21349. In October 2022, the Task Force on Climate-related Financial Disclosures issued its fifth status report describing companies’ implementation of the TCFD Recommendations. Task Force on Climate-related Financial Disclosures, 2022 Status Report (2022).

[9] These sustainability goals often relate to achieving not only climate-related goals, but also other ESG-related matters, such as diversity, equity, and inclusion.

[10] Proposed Climate Disclosure Rule at 21415-21419. The SEC staff analysis did not look at one disclosure item in the annual reports, such as Risk Factors, but the entire annual report. The Proposed Climate Disclosure Rule cites another study analyzing the Form 10-Ks of Russell 3000 firms from 2009 to 2020 and concluding that the majority of climate disclosures focus on transition risks rather than physical risks. Id. at 21421. See P. Bolstad, S. Frank, E. Gesick, and D. Victor, Flying Blind: What Do Investors Really Know About Climate Change Risks in the U.S., Equity and Municipal Debt Markets, Hutchins Center Working Paper 67 (2020).

[11] Final Rule at 63748.

[12] Companies may be disclosing these generic risk factors with the aim of these disclosures being afforded the “meaningful cautionary statement” safe harbor under the Private Securities Litigation Reform Act. See Final Rule at 63745 for the SEC’s description of a comment letter on the proposal describing the use of the risk factor disclosure to satisfy the Private Securities Litigation Reform Act safe harbor. See also SEC, Concept Release: Business and Financial Disclosure Required by Regulation S-K, Release No. 33-10064 [81 FR 23916, 23955 (Apr. 22, 2016)].

[13] Final Rule at 63744.

[14] Id. at 63743.
