← Back to all briefings
Governance 8 min read Published Updated Credibility 40/100

Governance Briefing — January 1, 2025

Comprehensive roadmap for HKEX issuers to govern IFRS S2-aligned climate disclosures from 1 January 2025, with universal opt-out orchestration and audit-ready evidence controls.

Zeph Tech Research Lead

Research lead, Zeph Tech

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)

Executive briefing: Hong Kong Exchanges and Clearing Limited (HKEX) will require every Main Board and GEM issuer to adopt the enhanced climate-related disclosure framework for financial years commencing on or after 1 January 2025. The Listing Rules now embed IFRS S2-aligned governance statements, transition planning narratives, Scope 1-3 metrics, and scenario analysis commentary. Boards must evidence how they supervise climate topics, delegate to management, and integrate oversight into risk and remuneration structures. Cross-functional teams should design universal opt-out mechanisms that respect stakeholder data choices when aggregating climate inputs, while still supplying audit-ready evidence packs that withstand HKEX and Financial Reporting Council scrutiny.

Regulatory countdown and scope

HKEX confirmed in its November 2023 consultation conclusions that the new climate requirements apply to annual ESG reports covering financial years that begin on or after 1 January 2025. Early adoption is encouraged, yet the regulator expects issuers to use the 2024 financial year to road-test data flows, update board charters, and schedule assurance procedures. The framework applies to all issuers, regardless of industry or market capitalisation. Category-based phase-ins exist only for the quantitative greenhouse gas disclosures, where certain Scope 3 categories may be deferred by one year if immaterial or data is demonstrably unavailable. The governance, risk management, and strategy sections, however, have no transition relief: they must be fully addressed in the first reporting cycle.

Issuers must align climate reporting with the same reporting boundary as the financial statements and ESG report. Subsidiaries, joint ventures, and supply-chain impacts must be included where material. HKEX also emphasises that issuers should disclose how climate risks intersect with other regulatory obligations, including the Securities and Futures Commission’s circulars on asset manager climate reporting, Hong Kong Monetary Authority expectations, and cross-border disclosure regimes for dual-listed companies. Governance teams therefore need a consolidated regulatory mapping and a documented rationale when selecting reporting frameworks beyond IFRS S2, such as sectoral metrics under the Global Industry Classification Standard.

Board and management governance requirements

The Listing Rules require boards to describe their oversight structure in granular detail. This includes the cadence of climate discussions, standing agenda items, how management escalates incidents, and the competence framework used to refresh director knowledge. HKEX expects issuers to publish the specific committees involved, such as sustainability, audit, or risk committees, and the board’s approach to allocating climate responsibilities when there is no dedicated sustainability committee. The consultation conclusions referenced international best practice that boards should perform climate scenario reviews at least annually and whenever significant transactions occur. To comply, issuers should maintain documented board calendars, training registers, and director self-assessments that can be shared with auditors or regulators on request.

Management is obligated to demonstrate the execution structure beneath the board. HKEX’s guidance calls for disclosure of the functions tasked with climate data collection, internal control testing, and integration into enterprise risk management. Companies should publish an organisational chart that links business units, finance, risk, and sustainability roles, and indicates how cross-border operations report into headquarters. This governance mapping must also show how universal opt-out signals are captured from employees, suppliers, and customers whose data feeds emissions calculations or scenario models. For example, where travel data providers or employee commute surveys are used to estimate Scope 3 emissions, individuals must have a single opt-out channel that propagates across all systems, with clear documentation about how opt-outs affect data completeness and what proxy data is substituted.

Universal opt-out orchestration for climate data

Although the HKEX climate framework does not create new privacy rights, issuers must reconcile the requirement for granular emissions data with obligations under the Personal Data (Privacy) Ordinance (PDPO), Mainland China’s Personal Information Protection Law (PIPL), and other applicable regimes. A universal opt-out design ensures stakeholders can withdraw consent or object to non-essential processing without undermining mandatory reporting. Governance teams should maintain a register of data sources for climate metrics, identify which ones rely on personal data, and map them to existing consent or contract bases. When a stakeholder exercises an opt-out, the organisation should route the request through a central preference centre that updates travel booking tools, procurement systems, supplier portals, and sustainability data lakes. System owners then substitute aggregated or anonymised datasets to preserve reporting integrity while respecting the opt-out.

To evidence compliance, issuers should log every opt-out request with timestamps, identity verification steps, decision outcomes, and compensating controls. This log should integrate with the broader PDPO response management toolset, enabling auditors to review whether opt-outs were honoured within the statutory timeframes. For supply-chain data, issuers should extend universal opt-out clauses to vendor contracts, explaining how data will be used for climate reporting and providing standardised API endpoints for preference updates. HKEX has highlighted the importance of value chain readiness; issuers therefore need to show regulators that opt-out choices do not derail emissions completeness by documenting fallback emission factors, industry averages, or regional datasets used when individual-level data is unavailable.

Risk management and scenario analysis expectations

IFRS S2 requires issuers to disclose processes for identifying, assessing, and managing climate-related risks and opportunities. HKEX expects the disclosure to link directly to the enterprise risk management (ERM) framework, including risk taxonomy, thresholds, and board reporting. Issuers should publish how climate risk inputs flow into the risk register, how heatmaps are updated, and which internal control owners are accountable for monitoring. Scenario analysis should cover multiple time horizons, with at least one 1.5 °C pathway and a higher-emissions scenario, and must explain the assumptions, models, and data sources used. Evidence packages should include scenario workbooks, vendor model contracts, and management challenge logs that prove board engagement.

Because climate scenario work often leverages geospatial, energy usage, and supplier data, universal opt-out orchestration must ensure that individuals who withdraw consent are either excluded or represented with anonymised data. Companies should maintain auditable data transformation scripts, aggregation logic, and data quality checks that flag when opt-outs reduce dataset coverage below acceptable thresholds. Risk owners should also document mitigation plans, such as procuring third-party datasets or using engineering estimates to backfill gaps, and include these plans in climate risk appetite statements reviewed by the board.

Metrics, targets, and assurance

HKEX requires issuers to disclose absolute and intensity-based greenhouse gas metrics, disaggregated by Scope 1, Scope 2 (market- and location-based), and material Scope 3 categories. Companies must explain methodologies, including the use of the GHG Protocol, sector-specific calculation tools, and any estimation techniques. Targets must be stated with baselines, interim milestones, and governance oversight. To maintain credibility, issuers should implement internal controls akin to financial reporting: segregation of duties for data entry, automated reconciliation against utility bills or fuel invoices, and variance analysis reviews. The Financial Reporting Council has emphasised that ESG assurance engagements will evaluate these controls, so issuers should build evidence folders that store raw data, calculation scripts, management review notes, and approval records.

Universal opt-out mechanisms intersect with metrics when personal data informs emissions factors, such as employee commute surveys, customer usage analytics, or telematics. Governance teams should define which metrics depend on personal data, track the number of opt-outs affecting each metric, and document how this influences accuracy. Disclosure controls should require management sign-off whenever opt-out volumes exceed predefined thresholds, with explanations of mitigation steps. External assurance providers should receive access to opt-out logs, anonymisation methodologies, and control narratives demonstrating that data subject rights were respected throughout the reporting cycle.

Evidence management and audit readiness

HKEX expects issuers to maintain records sufficient to substantiate every disclosure. Companies should implement a central evidence repository—ideally a governed document management system with role-based access—that stores climate policies, board minutes, scenario models, control testing results, opt-out logs, and assurance reports. Each document should be tagged with metadata describing the disclosure requirement it supports, retention schedules aligned with Listing Rules, and sensitivity labels reflecting PDPO classifications. Governance teams must schedule quarterly evidence reviews to ensure documents remain current, approvals are captured, and obsolete files are archived according to policy.

Audit trails are critical. Issuers should configure workflow tools to capture when data is uploaded, who approved it, and any subsequent edits. Change control logs for greenhouse gas calculation templates, scenario assumptions, and climate risk registers should be exported to PDF ahead of board meetings and kept in the evidence repository. Because HKEX may request supporting materials during thematic reviews, organisations should practice retrieval drills that confirm evidence can be produced within regulatory timelines. Linking evidence metadata to the universal opt-out register demonstrates that data subject rights were considered when assembling supporting documentation.

Cross-functional operating model

Delivering compliant disclosures requires a permanent operating model. Boards should approve a climate governance charter that defines decision rights, escalation paths, and reporting formats. Management should establish a climate disclosure steering committee chaired by the CFO or CRO, with members from sustainability, finance, risk, legal, procurement, HR, and IT. The committee should meet monthly in 2024 and quarterly thereafter, maintaining action trackers for data quality remediation, opt-out handling, and supplier engagement. Integrating the committee’s work with the company’s data governance council ensures universal opt-out logic aligns with enterprise data policies and privacy engineering standards.

Training is equally important. Directors need tailored sessions on IFRS S2, HKEX guidance, and industry-specific climate risks. Management and operational teams require training on emissions methodologies, data privacy obligations, and how to document evidence properly. Training records should sit alongside competence matrices in the evidence repository, allowing auditors to verify coverage. Companies should also conduct tabletop exercises simulating climate data incidents—such as a supplier refusing data or a mass opt-out event—to test response playbooks and confirm that universal opt-out processes do not compromise mandatory reporting.

Immediate next steps

  • Complete a governance gap assessment. Map current board and management disclosures against HKEX’s IFRS S2-aligned requirements, flagging missing committee charters, delegated authorities, or documentation.
  • Design universal opt-out workflows. Inventory every dataset used in climate reporting, document the lawful basis, and integrate opt-out signals with privacy response platforms and sustainability data lakes.
  • Strengthen evidence controls. Build a central repository with retention, access, and metadata standards that link to each disclosure item and include opt-out log references.
  • Run scenario and metrics rehearsals. Pilot FY2024 data collection, scenario analysis, and assurance walkthroughs, recording issues and remediation owners so that FY2025 reporting is audit-ready.
  • Engage suppliers and subsidiaries. Issue updated climate data requests with opt-out clauses, provide training, and test API or portal integrations that feed universal opt-out updates directly into reporting systems.

Zeph Tech supports HKEX issuers by building governance frameworks that withstand regulatory inspection, engineering universal opt-out orchestration across climate data pipelines, and assembling evidence dossiers ready for assurance.

Timeline plotting source publication cadence sized by credibility.
2 publication timestamps supporting this briefing. Source data (JSON)
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Governance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Hong Kong
  • Climate governance
  • ISSB
  • Disclosure requirements
Back to curated briefings