Disclosure LibraryPractitioner guidance for every reporting disclosure
GRI 403: Occupational Health and Safety 2018 · Topic Standard · Cross-sectoral
Disclosure GRI 403-7

Prevention and mitigation of occupational health and safety impacts directly linked by business relationships

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
Disclosure focus

This disclosure asks an organisation to explain how it identifies and manages occupational health and safety risks and impacts that are connected to its business relationships, not just those within its own direct operations. In practice, the focus is on whether the organisation has processes to prevent or reduce harm where its activities, products, services, contractors, suppliers or other linked parties may affect workers’ health and safety.

The practical emphasis is on the breadth and effectiveness of coverage: does the organisation look across the parts of the business where these risks can arise, or only at a few visible sites? The report should make clear how prevention and mitigation are applied in day-to-day operations and through relevant relationships, and whether the approach is limited to flagship locations or extends more widely across the organisation’s footprint.

* This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation
Key datapoints to prepare
DatapointWhat to captureEvidence hintOwner
OHS risk controlsA plain description of how the organisation prevents or reduces major work-related health and safety harm that is tied to its own activities, products or services through its business relationships, together with the main hazards and risks involved.Risk assessments, control plans, supplier or contractor safety requirements, incident logs, and internal H&S procedures showing the controls in place and the hazards they address.Health and safety
Show GRI 403-7 sub-elements (LRA working checklist)
  • Set out how you prevent or reduce material work-safety harms that arise through your business relationships and connect directly to your operations, products or services, together with the hazards and risks involved.

LRA working checklist - paraphrased; see official source

How to prepare
  1. Set the boundary for the disclosure first: decide which parts of the business, which products or services, and which business partners are in scope for the description.
  2. Define what you will treat as a significant negative health and safety impact, and identify the related hazards and risks you will use when assessing it.
  3. Gather the supporting material that shows how the organisation prevents or reduces those impacts, including any internal policies, procedures, assessments, or other records used in practice.
  4. Draft a clear narrative that explains the approach in plain language, making sure it covers the direct links through operations, products or services, and through business relationships.
  5. Record any exclusions, scope changes, or assumptions so a reviewer can see what was left out and why the reported description is framed the way it is.
  6. Check the final wording and evidence against the official source to confirm the disclosure matches the required content and that nothing material has been missed or added.
Want to do this on a real report? Practise GRI social disclosures live with Dr. Kurinko — GRI Standards Certified Training. Explore →
Request the supplier and contractor OHS risk controls evidence

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

What practical controls and supporting evidence do we have for managing serious health and safety risks that arise through suppliers, contractors, or other business partners linked to our operations, products, or services?

Use your organisation’s own terms first, then map them to the disclosure wording. For example, if you talk about contractors, vendors, site partners, or service providers, use those labels in the request and only translate them later for reporting.

Weak request

Please provide the GRI 403-7 evidence showing how we address occupational health and safety impacts directly linked by business relationships.

Why it fails: This uses framework language that many operational teams will not use day to day, so it is harder to route to the right owner and easier to return a generic narrative instead of usable records. It also does not specify the site, period, systems, or the kind of controls and references needed.
Better request

Please send the records for [reporting period] that show how [site/business area] manages serious safety risks linked to [contractors/suppliers/service partners]. Include the main risk types, the controls in place, and the supporting audit, review, incident, or action-tracking references, using your team’s own terms.

Formal email template
Subject: Request for contractor and supplier safety control evidence for [reporting period]\n\nHi [name/team],\n\nI’m pulling together the evidence pack for our sustainability reporting and need your help with the records for [business area/site].\n\nPlease send a short summary of the controls we use to manage serious health and safety risks connected with [contractors/suppliers/service partners], together with the supporting evidence for [reporting period].\n\nPlease include:\n- the main risk types you track\n- the controls or checks in place\n- where the evidence is held\n- any relevant audit, review, incident, or action-tracking references\n- the current status of any open actions\n\nA possible LRA training template is attached below; please adapt this to your organisation’s own language and check the source material before sign-off.\n\nThanks,\n[preparer name]
Short Teams / Slack version
Hi [name] — could you share the evidence pack for [reporting period] on how we manage serious safety risks linked to [contractors/suppliers/service partners] in [site/business area]? Please include the controls in place, where the records sit, and any audit/action references. Please use your team’s own terms first, then we’ll map them for reporting. Thanks.
Industry examples
Construction

Context. A principal contractor needs evidence for subcontractor safety management across live sites.

Adapted request. Please share the evidence pack for [reporting period] covering how we manage high-risk work by subcontractors on [project/site]. Include the main hazards, the controls used before and during work, and any inspection, permit, or corrective-action records.

Example response. We use subcontractor pre-qualification, site induction, daily briefings, permit-to-work, and supervisor checks. Evidence is held in the contractor portal and site inspection logs. Open actions are tracked in the action register; closed items are marked with completion dates.

Logistics / Warehousing

Context. A warehouse operator needs evidence for third-party transport and maintenance activities on site.

Adapted request. Please provide the records for [reporting period] showing how we manage safety risks linked to third-party drivers, maintenance firms, and equipment service partners at [warehouse/site]. Include the key risk areas, the controls in place, and the supporting incident, audit, and training records.

Example response. We control vehicle movements through booking slots, yard rules, marshal checks, and induction for visiting drivers. Maintenance work uses permit-to-work and isolation checks. Evidence sits in the HSE tracker, visitor induction system, and audit folder, with actions tracked to closure.

The full request pack — response form, data table, evidence metadata and sign-off — is in the Download Centre.

Draft your disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain how you define the relevant hazards, which business relationships are included, and the basis used to decide whether a negative health and safety impact is significant enough to describe.

Context note

Set out what the figures and descriptions show about how the organisation is trying to stop or reduce serious work-related harm connected to its operations, products or services through other parties.

Fluctuation statement

If the approach changed during the period, note whether that was due to new hazards, changes in business relationships, revised assessments, or updated control measures.

Content index entry

GRI 403-7 Prevention and mitigation of occupational health and safety impacts directly linked by business relationships — [location / page] / [notes]

Assurance readiness
For each claim, check the evidence
ClaimRiskEvidence to check
We explain how we identified the work areas and relationships that could create the most serious health and safety harm, and how we decided which of those were included in the figure.An assurer will test whether the inclusion and exclusion choices were made consistently, and whether the reported coverage leaves out material parts of the disclosed operations or linked business relationships.Scoping notes, boundary-setting papers, risk registers, mapping of sites and business relationships, and any sign-off showing why particular areas were included or left out.
We describe the controls and actions we say are in place to reduce or avoid those harms, and we keep evidence showing how those controls were selected and applied in practice.An assurer will probe whether the stated controls are real, relevant to the identified hazards, and supported by implementation evidence rather than being generic policy language.Policies, procedures, contractor requirements, training records, inspection logs, incident follow-up records, and examples showing the controls operating during the reporting period.
We rely on source data that can be traced back to the underlying records, and we check that the data used for the disclosure is complete, current, and internally consistent before publication.An assurer will look for weak data lineage, missing records, outdated inputs, or unexplained changes between source systems and the published figure or narrative.Source extracts, data lineage notes, reconciliation files, version control, management review comments, and evidence of checks for completeness, accuracy, and consistency.
We keep supporting material that shows the hazards we identified, the decisions we made, and the basis for the final wording in the disclosure.An assurer will test whether the narrative is backed by contemporaneous evidence and whether the final statement matches the underlying assessment and records.Hazard assessments, meeting minutes, draft-to-final change logs, approval records, and working papers linking the published text to the underlying analysis.
Before publication, we carry out a review to confirm that the disclosure matches the underlying evidence and that any judgement calls are explained clearly.An assurer will examine whether the final review was robust, whether unresolved issues were cleared, and whether the published wording overstates what the evidence supports.Pre-publication checklists, review and approval emails, issue logs, sign-off records, and evidence of any corrections made before release.
Evidence pack to prepare
  • The governing policy or written commitment behind this disclosure
  • A methodology / definition note setting out how the disclosure was scoped and prepared
  • Source-system exports the figures or facts were drawn from
  • The internal approval / sign-off record for the disclosure before publication
  • Minutes or records evidencing the relevant engagement or consultation
Common reporting gaps
  • The information is presented without a date or as-at point.
  • The scope or boundary of the statement is left undefined.
  • Key terms are used inconsistently across the report.
  • Material changes since the previous period are not disclosed.
  • Assertions are made without supporting detail or a source record.
  • Boilerplate is used that does not actually answer what is asked.
Examples
Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Food processing · synthetic · written by LRA

Synthetic example only. We map the main work-related health and safety risks that arise through our contractors and logistics partners, then set controls to reduce the chance of harm where their activities connect to our sites and products.
- Our review covered 42 business partners; 18 were flagged as higher risk because of manual handling, vehicle movements, cleaning chemicals, or work at height, and all 18 had agreed action plans in place.
- During the year, 14 partner sites were checked against our safety requirements; 11 were found compliant, while 3 needed follow-up on training records, machine guarding, or emergency procedures, and those gaps were closed within 60 days.

This example shows how to describe the practical steps used to prevent or reduce serious safety harm linked to business partners, while naming the main hazard types and the follow-up taken.
Facilities management · synthetic · written by LRA

Synthetic example only. We use a partner-risk review to identify where outsourced cleaning, maintenance, and security work could create serious injury risks, and we then apply contract terms, site rules, and joint training to lower those risks.
- In the reporting year, 27 suppliers were in scope; 9 were classed as higher risk because of lone working, electrical tasks, work at height, or exposure to hazardous substances, and each received a targeted mitigation plan.
- We carried out 21 site audits across those partners; 16 met our expectations, and 5 required corrective action on permit-to-work controls, PPE use, or incident reporting, all of which were completed before year-end.

This example illustrates a narrative disclosure focused on how the company manages serious safety risks that arise through outsourced services, including the hazards considered and the actions used to address them.
Draft output & visualisation ideas

How to turn the collected data into a draft disclosure. Suggested visuals and a GRI content-index line generated from this disclosure's datapoints.

Suggested visuals

  • How the organisation manages work-related harm linked through business ties — table: A concise summary of the main prevention or mitigation measures, grouped by the type of business relationship and the related hazard or risk.
  • Controls by hazard type — stacked bar: The mix of actions used to address different workplace safety hazards, showing where several measures are applied to the same risk.
  • Coverage of linked business relationships — bar: Which parts of the value chain or other business relationships are covered by the approach, and where the response is strongest or weakest.
  • Risk-to-action summary — table: A side-by-side view of the key hazards identified and the practical steps taken to reduce or prevent harm.
  • Relative emphasis of response measures — donut: The share of the overall approach made up by different types of controls, such as prevention, mitigation, training, oversight or corrective action.
From a number to a disclosure

What separates a figure from a disclosure.

Basic

We identified 12 significant health and safety risks linked to our business partners and took action on all 12.

Better

We assessed 12 partner-linked health and safety risks, put controls in place for all 12, and focused those controls on the main hazards in our operations, products and services.

Best

We reviewed 12 partner-linked health and safety risks across our operations, products and services this year, applied mitigation measures to all 12, and the main reason the risk profile shifted was that two suppliers changed their work methods after our follow-up review.

From company reports
Real published reports Compare side by side →Get it free

Real reports where this topic is disclosed. The confidence label shows how closely each match maps to GRI 403-7 — these are report practice, not exact disclosure examples.

CompanySector · CountryYearMatchPageReportAssurance
Chang Hwa Commercial Bank, Ltd. Banks / Diverse Financials / Insurance · Taiwan 2024 Exact p. 167 →p. 201 →p. 203 → 2024 ESG Report → PwC
Evidence in Chang Hwa Commercial Bank, Ltd.’s report

What the report shows

Chang Hwa Commercial Bank's 2024 ESG Report includes a narrative reference to its occupational health and safety management system, specifically mentioning "403-8 165 Responsible Finance Operations with significant actual and potential negative" on page 201. This indicates some coverage of health and safety management related to responsible finance operations. However, the report does not provide further detailed data or metrics on occupational health and safety outcomes or performance, leaving the extent of disclosure unclear.

Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict.

Datapoint coverage

DatapointStatusPage
OHS risk controlsA reported value was found on this page. covered p. 201

Source trail

  • p. 201occupational health and safety management system 403 -8 165 Responsible Finance Operations with significant actual and potential negative
London Luton Airport Operations Ltd. Air Transportation — Airport Services · United Kingdom 2024 Exact p. 71 →p. 38 →p. 36 → Sustainability Report 2024 → BSI
Evidence in London Luton Airport Operations Ltd.’s report

What the report shows

London Luton Airport Operations Ltd.'s Sustainability Report 2024 includes coverage of occupational health and safety impacts directly linked to business relationships, with relevant information found on page 71. The report specifically addresses workers covered by occupational health and safety measures in this context. However, the evidence map does not provide details on the extent or specifics of these impacts, nor does it clarify other related aspects that might be expected under this disclosure.

Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict.

Datapoint coverage

DatapointStatusPage
OHS risk controlsA reported value was found on this page. covered p. 71

Source trail

  • p. 71occupational health and safety impacts directly linked by business relationships Y 71-74 403-8 Workers covered by an occupational
Delta Electronics, Inc. Technology Hardware and Equipment · Taiwan 2024 Exact p. 46 →p. 241 →p. 242 → 2024 Delta ESG Report → PwC
Evidence in Delta Electronics, Inc.’s report

What the report shows

Delta Electronics, Inc.'s 2024 ESG Report includes a narrative on occupational health and safety impacts directly linked by business relationships, referenced on page 242. The report points to a detailed section on occupational health and safety covering pages 219 to 228, which aligns with the disclosure requirements. However, the evidence map does not indicate specific quantitative data or further details on the extent of these impacts, leaving some aspects unclear.

Evidence-based summary of this company’s own report — not a disclosure template to copy, and not a compliance verdict.

Datapoint coverage

DatapointStatusPage
OHS risk controlsA reported value was found on this page. covered p. 242

Source trail

  • p. 242occupational health and safety impacts directly linked by business relationships 6.6 Occupational Health and Safety 219-228 403-8 Workers
Check your understanding
A logistics provider uses a subcontracted warehouse team to handle your finished goods. A recent site review found repeated manual-handling injuries among that team, and your own staff work alongside them in the same loading area.Should you describe the practical steps you are taking to reduce the injury risk in that shared work area, including how you are addressing the hazards tied to the subcontracted service?
Model answer. Yes. The disclosure should explain the approach used to prevent or lessen serious safety harm that is connected to your operations through a business partner, and it should cover the relevant hazards and risks. In this case, that means setting out the actions taken with the warehouse provider, the controls introduced, and how the risk is being managed in practice.
Why this matters. Focus on the real-world controls used where your activities and a partner’s work create the harm risk.
A cleaning contractor works overnight in your offices. One cleaner was injured after using a chemical stored in an unlabelled container, and the contractor has asked whether the issue should be mentioned in your sustainability reporting.Do you need to explain how you are preventing a repeat of this kind of harm when the risk sits with a contractor rather than your own employees?
Model answer. Yes. If the safety issue is tied to a business relationship and is linked to your services or operations, the narrative should cover how you are trying to stop it happening again. The explanation should describe the preventive or corrective measures, such as safer storage, clearer instructions, supervision, or contractor controls, as relevant to the case.
Why this matters. Contractor-related harm still belongs in the story when your business connection is part of the risk chain.
Your company buys maintenance services from an external firm that sends technicians to your sites. A near-miss involving faulty equipment was recorded, but no one was hurt and the supplier says the problem was isolated.Should you include this in the disclosure if you are only reporting on serious safety impacts, or only if an actual injury occurred?
Model answer. You should consider whether the issue is a significant negative safety impact or a meaningful risk of one, not just whether an injury already happened. If the hazard and risk are material and directly linked through the business relationship, the disclosure should explain the prevention or mitigation approach, even where the event was a near-miss.
Why this matters. The focus is on significant harm risk and the controls around it, not only on recorded injuries.
A transport partner delivers raw materials to your factory. Drivers have reported fatigue and rushed unloading, and you have introduced revised delivery slots, site induction, and checks on waiting times to reduce the risk.Is it enough to say that the issue is being monitored, or should you set out the actual measures being used to lower the risk?
Model answer. You should set out the actual measures. The disclosure is about the approach to preventing or reducing the linked safety impact, so a vague statement about monitoring alone is not enough if you have concrete actions in place. The narrative should explain the controls, how they address the hazard, and how they relate to the business relationship.
Why this matters. Describe the actions taken, not just the fact that the issue is being watched.
Analyse this disclosure across real reports

See how companies actually report GRI 403-7 — drawn from their own published reports, with the exact pages, and an LRA AI-assistant that works through it with you. Available to LRA Community members and to students throughout their platform access.

Questions this page answers
How do I use the GRI 403-7 page to prepare an occupational health and safety disclosure draft from scratch?

Start with the plain-language explainer, then follow the step-by-step preparation section to turn the page into a draft. The page also gives narrative starters, visualisation ideas and a GRI content-index line to help you shape the final output. ↑ section

What data do I need to collect for GRI 403-7 on occupational health and safety risk controls?

The page says the key datapoint to prepare is OHS risk controls. Use that as the starting point for collecting the underlying information you will need for the disclosure and for the evidence pack. ↑ section

How should I define the scope and methodology for GRI 403-7 risk controls using this page?

Use the page’s step-by-step preparation guidance to decide what is in scope and how you will describe the controls. Keep the approach aligned to the page’s plain-language explanation and the evidence you can actually show. ↑ section

Who should own the GRI 403-7 data and sign-off in practice?

The page is designed for sustainability/ESG managers, HR or data owners, and assurance reviewers, so ownership should sit with the person who can explain the controls and provide the evidence. Use the workbook and evidence pack to make responsibilities clear before drafting. ↑ section

What evidence should I keep to make a GRI 403-7 occupational health and safety disclosure assurance-ready?

The page includes an evidence pack with five items for assurance readiness, plus five assurance claims to verify. Use both together so each claim is backed by a clear risk and supporting evidence. ↑ section

What are the common mistakes to avoid when reporting GRI 403-7?

The page lists common reporting gaps and mistakes, so use that section as a pre-submission check. It is especially useful for spotting missing detail, weak evidence, or a draft that does not match the data you have collected. ↑ section

How do I use the Prep & Assurance workbook for GRI 403-7?

The Download Centre includes a Prep & Assurance workbook in .xlsx format and a printable Library Card in PDF. Use the workbook to organise the preparation, evidence and assurance checks before turning the information into a draft. ↑ section

What should I put in the draft output for GRI 403-7 occupational health and safety risk controls?

The page gives draft-output support in the form of visualisation ideas, narrative starters and a GRI content-index line. Use those to convert your prepared data into a concise disclosure draft. ↑ section

Can I reuse GRI 403-7 data for ESRS S1 (Own Workforce)?

The page notes ESRS S1 (Own Workforce) as the closest correspondence, so the data may be reusable across both. Treat that as a practical cross-check, but still confirm the wording and reporting approach for each framework separately. ↑ section

Are there example disclosures for GRI 403-7 that I can use as a model?

Yes. The page includes synthetic illustrative example disclosures, including a quantitative table, which you can use to see how the disclosure might be presented without treating it as a real company example. ↑ section

More questions this page can help with
  • GRI 403-7 occupational health and safety risk controls: what is the minimum data I should gather before drafting?
  • How do I build an evidence pack for GRI 403-7 OHS risk controls?
  • What does the step-by-step preparation section on GRI 403-7 actually help me do?
  • How do I turn OHS risk control data into a narrative for GRI 403-7?
  • What should an assurance reviewer check in a GRI 403-7 draft?
  • What are the five assurance claims to verify for GRI 403-7?
  • What are the five items in the GRI 403-7 evidence pack?
  • How do I use the GRI 403-7 content-index line in a report draft?
  • Where can I find downloadable support materials for GRI 403-7?
  • What common reporting gaps appear on the GRI 403-7 page?
  • How do the synthetic examples on the GRI 403-7 page help with drafting?
  • Is ESRS S1 data reusable for a GRI 403-7 occupational health and safety disclosure?
Dr Ross Kurinko
✓ LRA AI Assistant · human-in-the-loop
Ask Study Studio AI assistant about this disclosure

Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.

Try
Sources, status and disclaimer

This LRA assistance tool is designed for educational and internal data-collection purposes. It is not an official interpretation of the GRI Standards, IFRS Sustainability Disclosure Standards or EU CSRD/ESRS requirements. When applying these frameworks in professional practice, users should consult and double-check the official standards, guidance and applicable regulatory sources.