A Maturity Model for Scope 3 Assurance-Grade Emissions
A Maturity Model for Scope 3 Assurance-Grade Emissions
Why Scope 3 Estimates Fails Under Scrutiny
Scope 3 emissions sit at the intersection of ambition and fragility. They are often the largest portion of a company’s emissions profile and the least controlled. What is less well understood is why Scope 3 collapses under assurance, regulatory review, or internal challenge. The failure is rarely ever because companies start with estimates, in fact they are unavoidable. The failure occurs because organisations do not treat Scope 3 as a data system that must mature over time. Instead, they treat it as a one-off modelling exercise repeated annually with incremental tweaks.
The UK Financial Reporting Council (FRC), in its Thematic Review on Climate-related Metrics and Targets (2023), observed that organisations relying on Scope 3 estimates frequently failed to explain why proxies were used, how boundaries were defined, and whether methodologies were stable year over year. The FRC stated that deficiencies were related to process and control, not emissions science.
This article sets out a maturity model for Scope 3 emissions—one that recognises estimates as a starting point, not an endpoint, and explains how organisations move from proxy-based calculations to assurance-grade emissions data.
The Core Misunderstanding: Estimates vs Uncontrolled Estimates
Every Scope 3 calculation begins with estimation. The difference between credible and non-credible reporting is not whether estimates exist, but whether their use is governed.
Uncontrolled estimates exhibit typical characteristics:
- Proxies are selected as convenient, not systematically
- Data sources change year to year without justification; for instance, many major multinational companies have quietly restated Scope 3 emissions year-over-year in sustainability reports, citing “methodology updates” or “improved data coverage,” without a clear explanation of the methodology
- Supplier coverage is inconsistent
- Assumptions are undocumented or overwritten. In fact, the European Securities and Markets Authority (ESMA), has called out unexplained assumptions and changes that materially affect reported emissions, being detrimental to assessments
- No one owns the transition to better data
A Tiered Data Confidence Model for Scope 3
A maturity model for Scope 3 emissions begins with a tiered data confidence model. This is not a disclosure construct. It is an internal management tool that allows leadership to understand what portion of Scope 3 emissions is based on which level of data quality. The ISSB (IFRS S2) mandates disclosure of measurement uncertainty and estimation techniques, which implicitly supports tiered confidence approaches. In addition, the ECB climate stress test (2022) highlighted that banks relying heavily on generic proxies were unable to meaningfully assess transition risk.
A practical model typically contains four tiers.
Tier 1: Generic Proxies
This tier relies on:
- Industry-average emission factors
- Spend-based calculations
- Public databases and secondary sources
Tier 1 data is acceptable as an entry point, particularly where supplier data is unavailable or supply chains are fragmented. However, Tier 1 data carries the highest estimation risk and the lowest defensibility under assurance. Organisations fail when Tier 1 proxies remain unchanged for years without challenge. The IEA and GHG Protocol both observe that spend-based methods are often the only feasible starting point for Scope 3. However, academic research has consistently shown that spend-based estimates can vary materially from activity-based estimates.
Tier 2: Category-Specific Proxies
Tier 2 improves specificity:
- Emission factors aligned to product categories
- Regionalised or technology-specific averages
- Adjustments for known operational characteristics
This tier reflects an understanding of the business’s actual activities rather than generic spend. While still estimated, Tier 2 data shows intent to improve accuracy, but still depends heavily on external assumptions. Without documentation and stability controls, it remains fragile.
Tier 3: Supplier-Reported Data (Unverified)
At Tier 3, suppliers provide emissions data directly:
- Product-level footprints
- Corporate inventories allocated to purchases
- Supplier questionnaires or portals
This represents a significant step forward, but it introduces new risks. Supplier data is often inconsistent, methodologically unclear, and unaudited. Blind acceptance of supplier-reported data is a common mistake. Tier 3 requires controls over intake, validation, and consistency—not just collection.
Tier 4: Assurance-Grade Primary Data
Tier 4 data is:
- Supplier-reported
- Methodologically aligned
- Traceable to activity data
- Subject to assurance or equivalent controls
Few organisations reach Tier 4 across all categories. The expectation is that material categories and high-risk suppliers progress toward this level over time.
When Proxies Are Acceptable and When They Are Not
One of the most persistent misconceptions is that proxies are inherently weak. In reality, proxies are acceptable when their use is justified, controlled, and time-bound. In fact, the SEC, ESMA, and UK FRC have observed that the issue is not proxy usage, but lack of justification and progression. There should also be an appropriately documented improvement plan.
Proxies are acceptable when:
- The category is immaterial relative to the total Scope 3
- Supplier fragmentation makes primary data infeasible
- The proxy choice is consistent year over year
- Sensitivity analysis shows limited impact on totals
Proxies become unacceptable when:
- They are used for high-impact categories indefinitely
- Changes in spend or volumes are not reflected
- Better data is available, but not pursued
- Assumptions change without explanation
The decision to use a proxy should be documented as a risk decision, not a convenience. Boards should be able to see where proxies are used, why, and what the exit plan is.
Supplier Engagement: Thresholds Matter More Than Coverage
Many organisations pursue supplier engagement as a volume exercise. They aim to “cover” as many suppliers as possible, regardless of impact. This approach is inefficient and ineffective. Financial institutions participating in the ECB and PRA climate stress tests were directed to focus on material suppliers, and not aim for full portfolio coverage.
Assurance-grade Scope 3 data does not require universal supplier participation. It requires targeted engagement based on risk and materiality.
Establishing Engagement Thresholds
Effective programmes define clear thresholds, such as:
- Top X% of suppliers by spend
- Suppliers representing Y% of category emissions
- Suppliers in high-risk geographies or industries
These thresholds should be reviewed annually and aligned to the organisation’s risk appetite.
Supplier engagement is not a questionnaire exercise. It involves:
- Clear data definitions and boundaries
- Methodology alignment expectations
- Timelines for improvement
- Consequences for non-participation
Without these elements, supplier data becomes noise rather than a signal.
The Transition to Primary Data Is a Managed Process
Organisations often speak about “moving to primary data” as though it were a single step. In practice, it is a multi-year transition that must be actively managed.
Stage 1: Stabilise Estimates
Before transitioning, estimates must be stabilised:
- Lock methodologies
- Freeze emission factor sources
- Document assumptions and boundaries
This creates a baseline against which improvement can be measured.
Stage 2: Pilot Supplier Data
Primary data should be piloted:
- In selected categories
- With willing, capable suppliers
- Using controlled templates or systems
Pilots reveal practical issues—data gaps, methodological differences, timing mismatches—that would otherwise surface during assurance.
Stage 3: Integrate, Do Not Overlay
A common failure is overlaying supplier data on top of estimates without reconciliation. Mature systems:
- Replace estimates with primary data where available
- Prevent double-counting
- Flag inconsistencies automatically
This requires system logic, not manual spreadsheets.
Stage 4: Expand with Controls
Only after controls are proven should primary data coverage expand. Scaling without controls increases risk rather than reducing it.
Documentation Is the Backbone of Assurance-Grade Scope 3
Documentation is often misunderstood as bureaucracy. In reality, it is the mechanism that makes Scope 3 defensible.
Assurance does not test whether assumptions were “reasonable.” It tests whether they were:
- Defined
- Applied consistently
- Approved appropriately
- Changed with justification
What Must Be Documented
At a minimum:
- Category boundaries and inclusions
- Data sources by tier
- Proxy selection rationale
- Supplier selection criteria
- Treatment of missing data
- Methodology changes and effective dates
The UK FRC and ESMA have both stated that post-hoc justifications are in reality weak evidence, particularly where material assumptions changed between reporting periods..
Version Control Is Non-Negotiable
Methodologies evolve. That is expected. What is not acceptable is undocumented change. Mature organisations maintain:
- Versioned calculation methodologies
- Change logs
- Approval records
This mirrors financial accounting policies and is increasingly expected for ESG.
Where Most Scope 3 Programmes Fail
Failure patterns are remarkably consistent across Scope 3 programmes.
Failure 1: Over-engineering the First Year
Organisations attempt to achieve perfection in year one, overwhelming teams and suppliers. The result is complexity without control.
Failure 2: Treating Supplier Data as Inherently Superior
Supplier data is assumed to be “better” than estimates without validation. In practice, poorly defined supplier data can be less reliable than a well-controlled proxy.
Failure 3: No Ownership of Data Quality Progression
Teams focus on producing numbers, not improving data quality. No one owns the roadmap from Tier 1 to Tier 3 or 4.
Failure 4: Spreadsheet Dependency
Spreadsheets obscure lineage, allow silent overrides, and collapse under scale. They are unsuitable for multi-tier Scope 3 management.
Assurance-Grade Scope 3 Is a System Outcome
Assurance does not attach to individual calculations. It attaches to systems.
An organisation is approaching assurance-grade Scope 3 when:
- Data confidence tiers are defined and tracked
- Proxy use is intentional and temporary
- Supplier engagement is risk-based
- Primary data replaces estimates systematically
- Documentation is complete and retrievable
- Controls exist over change, review, and approval
ISSB, SEC, and EU regulators have been known to increasingly assess whether the reporting system is reliable, not whether individual estimates are “bullet-proof.”
What Management Should Ask
What not to ask:
“Are our Scope 3 numbers accurate?”
What to ask:
- Which categories rely on Tier 1 data, and why?
- What is our plan to improve confidence in material categories?
- Which suppliers are critical to data quality?
- Where do controls prevent silent methodology drift?
- Could we explain our assumptions under regulatory challenge?
These questions force clarity. They shift Scope 3 from a modelling exercise to a governed system.
Closing Observation
Scope 3 emissions will never be perfect; rather it is a journey which organisations have to take to ensure that the estimates are controlled, improvements are deliberate, and its data quality is progressing in line with risk.
Learn more about our : Carbon Footprint Platform
Learn more about – Scope 1, 2 and 3 here..
