Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 403 GRI 403-2
GRI 403: Occupational Health and Safety · 2018
Disclosure GRI 403-2

Hazard identification, risk assessment, and incident investigation

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain how it identifies work-related hazards, assesses the risks they create, and investigates incidents when they happen. In practice, the report should show the approach used to spot hazards, judge their significance, and learn from events so that controls can be improved over time. The emphasis is on the process, not just on having a policy in place.

The practical focus is on whether this approach is applied across the organisation’s activities and locations, rather than only at a few well-managed or flagship sites. A useful explanation would make clear how consistently the organisation covers different operations, contractors or work settings where relevant, and how findings from investigations feed back into prevention and risk management.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
Hazard and risk scanning How the organisation identifies work-related hazards and assesses risk for both routine and unusual tasks, covering employees and non-employee workers whose work or workplace it controls. Risk assessment method, site/task inspection records, hazard registers, contractor/agency inclusion rules, and review logs for routine and non-routine activities. Health and safety
Control selection process How the organisation decides which controls to use, following the order of preference that starts with removing the hazard and then reducing exposure. Control selection procedure, risk assessment templates, engineering/administrative/PPE decision records, and sign-off showing the chosen control path. Health and safety
Process quality checks How the organisation checks that these hazard and risk processes are done properly, including how it confirms the people doing them are competent. Competency matrix, training and authorisation records, internal review or audit results, and quality assurance checks on risk assessments. Health and safety / Learning and development
Safety system learning How findings from the hazard and risk processes are fed into reviewing the safety management system and used to drive ongoing improvement. Management review minutes, action trackers, trend analysis, lessons-learned logs, and evidence of changes made after risk reviews. Health and safety / Operations
Hazard reporting channels How workers can raise concerns about hazards or unsafe situations, including the channels available and how reports are received and tracked. Speak-up procedure, hotline or app records, toolbox talk materials, incident/near-miss forms, and escalation workflow. Health and safety / HR
Anti-retaliation protection How the organisation prevents punishment or disadvantage when workers report hazards or unsafe situations, including the safeguards and escalation route. Non-retaliation policy, manager guidance, grievance records, investigation outcomes, and communications to workers on protected reporting. HR / Legal / Health and safety
Right to stop work The rules and steps workers can use to step away from work they reasonably think could cause injury or illness, including who they tell and what happens next. Stop-work procedure, emergency escalation instructions, training materials, and records of any stop-work events and follow-up actions. Health and safety / Operations
Stop-work protection How workers are protected from retaliation when they leave a task or area because they believe it is unsafe, including the safeguards and complaint route. Non-retaliation policy, stop-work case logs, manager briefing notes, and worker communications explaining protection after refusal to continue work. HR / Legal / Health and safety
Incident investigation process How the organisation investigates work-related incidents, including who investigates, what evidence is gathered, and how findings are recorded and closed out. Incident investigation procedure, investigation reports, root-cause notes, witness statements, and corrective action tracking. Health and safety
Incident risk review How the organisation identifies hazards and assesses risk after a work-related incident, so the incident review feeds back into the risk process. Post-incident risk assessments, updated hazard registers, investigation follow-up actions, and revised task or site controls. Health and safety
Corrective action choice How the organisation decides what corrective action to take after an incident, using the control order that prioritises removing the hazard before weaker measures. Corrective action logs, incident close-out forms, control selection notes, and approval records showing why each action was chosen. Health and safety / Operations
System improvement actions How the organisation turns incident and risk findings into changes to the safety management system, including what needs improving and how it is tracked. Management review outputs, improvement plans, audit findings, action trackers, and evidence of policy, process, or control updates. Health and safety / Operations
+ Show GRI 403-2 sub-elements (LRA working checklist)

How to prepare it

1Set the boundary for the write-up first: confirm which people are covered, including employees and any other workers whose tasks or workplace you control, and make sure the scope is consistent across every part of the disclosure.
2Map the main process areas you need to describe, covering hazard spotting and risk review for normal and unusual situations, the way controls are chosen to reduce or remove risk, the route for reporting hazards and unsafe conditions, the option for workers to step away from dangerous work, and the incident investigation and follow-up process.
3Gather proof that the processes actually operate in practice, such as procedures, records, training or competence checks, reporting logs, investigation files, and examples showing how findings feed into system improvements.
4Draft the narrative so each required process is clearly covered in plain business language, and keep the account specific enough to show how the organisation handles quality, worker protection from retaliation, and the use of results to improve the safety system.
5Record any exclusions, boundary choices, or changes from the prior reporting period, and explain them clearly so a reader can see what is included, what is not, and whether the approach has shifted.
6Check the final text against the official source and your evidence pack to confirm every required element is addressed, the wording is faithful in meaning, and nothing important has been missed or overstated.
Request the data

Request the safety process evidence from EHS / Operations

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

How do we show that our safety checks, incident reviews, worker reporting routes, and follow-up actions are working across the sites and activities we control?

Use your organisation’s own names first for safety checks, incident reviews, stop-work routes, near-miss reporting, corrective actions, and management-system reviews; then map those terms to the disclosure wording before sign-off.

Weak request

Please send anything you have for GRI 403-2 on hazard identification, risk assessment, hierarchy of controls, worker reporting, reprisal protection, stop-work rights, and incident investigation.

Why it fails: It uses framework language only, so the owner has to translate the ask themselves. It also does not say which teams, systems, time period, or internal process names to pull, so the response is likely to be incomplete or inconsistent.

Better request

Please send the safety process pack for [period] across [sites/teams], using your own terms for pre-task checks, hazard spotting, risk reviews, stop-work, near-miss reporting, incident reviews, and action close-out. Include the source system, date range, who is authorised to do the checks, how worker reporting is protected, and how findings lead to improvements.

Formal email template
Subject: Request for safety process evidence for [reporting period]

Hi [name/team],

I’m preparing the sustainability reporting pack and need your help with the safety process evidence for [reporting period] across [boundary/scope].

Please send the materials that show:
- how hazards are spotted and risks are assessed for both routine and unusual work;
- how controls are chosen and applied to reduce or remove risk;
- how we check the quality of these checks, including who is allowed to do them and what makes them competent;
- how the results feed into improvements to the safety management system;
- how workers can raise hazards or unsafe situations, and how they are protected from retaliation;
- how workers can step away from work they believe could cause harm, and how that protection is handled;
- how incidents are reviewed, how related hazards and risks are assessed, how follow-up actions are chosen, and how system improvements are identified.

Please include the source documents or extracts, the system of record, the date range, and any notes needed to explain the organisation’s own terminology.

A possible LRA training template is attached; please adapt this to your organisation’s language and check the official source before sign-off.

Thanks,
[preparer name]
Short Teams / Slack version
Hi [name] — could you share the safety process evidence for [period] across [sites/teams]? I need the docs or extracts showing hazard checks, risk assessment, control selection, worker reporting/stop-work routes, anti-retaliation steps, incident review, and how the findings feed into improvements. Please include source system, date range, and your internal terms. Thanks.
Industry examples
Manufacturing

Context. A plant with production lines, maintenance shutdowns, and contractor-led repairs.

Adapted request. Please share the plant safety evidence for [period] covering line work, maintenance, and contractor activities. I need the process notes, forms, and system extracts that show how hazards are identified before and during work, how controls are selected, how supervisors and safety leads are trained to do the checks, how operators can raise concerns or stop work, and how incidents are reviewed and turned into action.

Example response. The EHS manager returns the risk assessment register, permit-to-work procedure, near-miss app screenshots, incident investigation template, training matrix for assessors, and the corrective action tracker with closure dates.

Logistics / Warehousing

Context. A distribution network with warehouses, yard movements, loading bays, and agency staff.

Adapted request. Please send the warehouse and transport safety evidence for [period] across depots and yards. I need the documents and extracts showing how hazards are checked for routine picking and non-routine loading or vehicle movements, how controls are chosen, how workers report unsafe conditions, how they can step away from a task they believe is unsafe, and how incident reviews feed into changes in the safety system.

Example response. The operations lead provides the hazard log, daily walk-through checklist, anonymous reporting route, stop-work escalation note, incident review records, and the action log showing changes to traffic management and training.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Describe the practical steps used to spot hazards, assess risk, investigate incidents and decide follow-up actions, including how the organisation checks the quality of those steps and the capability of the people doing them.

Context note

Explain what the disclosed processes mean in practice for workers: how risks are identified and controlled, how concerns can be raised safely, how people can withdraw from unsafe work, and how findings are used to strengthen the safety system.

Fluctuation statement

If the approach changed during the period, note whether that was due to new risks, incident findings, revised controls, or improvements to the safety management process, and explain the effect on the reported arrangements.

Content index entry
GRI 403-2 Hazard identification, risk assessment, and incident investigation — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 403-2 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We documented how we spot work-related dangers and judge the level of risk for both planned activities and unusual situations across the covered workforce.Assurer may test whether the method actually covers both day-to-day and exceptional situations, and whether the stated coverage matches the disclosed population and sites.Written hazard-spotting and risk-rating procedure; site/task risk assessments; records showing routine and unusual scenarios were considered; scope list of workers, locations and activities included in the figure.
We set out how we decide on controls, starting with removal where possible and then moving through the remaining safeguards in a clear order.Assurer may probe whether the control-selection approach is real and consistently applied, rather than a generic statement or a list of controls chosen after the fact.Control-selection procedure; risk assessment templates showing the control order used; examples of completed assessments; approval records for selected controls.
We keep the process reliable by using trained people, defined review steps and documented checks on the quality of the work.Assurer may challenge whether the people doing the assessments were suitably competent and whether quality checks were actually performed before publication.Training and competence records; role profiles; internal review or sign-off logs; calibration or refresher materials; evidence of supervision or peer review.
We use the findings from these assessments to update our safety management approach and to drive ongoing improvements.Assurer may ask whether the results fed into real management decisions, or whether the disclosure overstates the link between findings and system improvement.Management review minutes; action trackers; improvement plans; revised procedures or controls; evidence of follow-up on prior findings.
We have a route for workers to raise concerns about dangers or unsafe conditions, and we can show how those reports are handled.Assurer may test whether the reporting route is accessible, used in practice and clearly described, not just stated in policy.Reporting policy or procedure; hotline/app/poster materials; logs of hazard reports; examples of triage, response and closure; worker communications explaining the route.
We explain the safeguards that are meant to stop people being treated badly for speaking up about a danger or unsafe situation.Assurer may probe whether anti-retaliation protections are specific, communicated and supported by evidence of enforcement.Non-retaliation policy; grievance or whistleblowing protections; training materials; investigation records for retaliation complaints; communications to workers on protections.

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner
The request goes to the wrong team or manager, so the information comes back in the wrong operational language and misses the people who actually run hazard checks, incident reviews, or worker reporting routes.
Scope not pinned down
The data pull does not state which employees and controlled-site non-employees are in scope, so the team mixes together populations that should be kept separate.
Routine and one-off work blurred
The collector asks for hazard and risk information without separating day-to-day work from unusual tasks, which makes the source data impossible to map cleanly.
Counting basis mixed
Different sites or teams report using different counting rules or time bases, and the final extract combines them as if they were the same measure.
Source labels stripped out
Original system tags, form names, or incident reference codes are removed during collation, so the evidence cannot be traced back to the first record.
Evidence details missing
The file contains the figures or narrative but not the date, version, author, or system trail needed to show where the information came from.
No sign-off trail
The draft data set is circulated without a named reviewer or approval record, so nobody can show who checked the numbers and wording before use.
Wrong timing basis
The team pulls records from the wrong period or at the wrong cut-off point, so the dataset does not match the reporting window being prepared.
Incident and prevention data merged too early
Incident reviews, hazard spotting, risk checks, and follow-up actions are collapsed into one pool before collection is complete, which hides gaps in the underlying process.

Where judgement is often needed

Acquired or sold sites during the year
State whether you include newly bought or disposed operations in the description for the period, and if the scope changed, explain the cut-off date and keep the basis consistent across the hazard, incident and improvement processes you describe.
Different local safety terms across countries
If local teams use different labels or thresholds for the same kind of unsafe condition or event, map them to one internal definition for reporting and say where local practice differs so readers can see how the organisation aligned the data.
People close to the boundary of control
Decide and explain whether contractors, agency staff and others working at or under your sites are treated as in scope when your organisation controls the work or workplace, and apply that boundary consistently across all process descriptions.
Routine checks versus one-off or unusual work
Separate everyday inspections and assessments from those done for unusual tasks, shutdowns, maintenance or emergency work, and explain how each feeds into the way you identify hazards and judge risk.
Reported events versus investigated events
If some incidents are logged but not fully investigated, or only higher-severity cases trigger a formal review, say which events are covered by the investigation process and how you decide when a deeper review is needed.
Measured data versus informed estimates
Where direct records are incomplete, use a clearly explained estimate method, identify the source of the estimate, and note any material assumptions so readers can judge the reliability of the process description.
Rounding and small-number presentation
Choose one rounding approach for counts or percentages linked to these processes, apply it consistently, and explain it if rounding changes the apparent picture, especially where small numbers could be misleading.
Protecting privacy in small teams or rare events
If naming locations, roles or incident details could identify individuals, aggregate the information or remove identifiers, and say how you balanced privacy with enough detail to show how the reporting and protection process works.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Food processing

*Synthetic illustration only.* We use a mix of planned site inspections, task-based reviews, and checks for unusual or one-off activities to spot dangers and judge risk for both employees and agency staff working under our control. - We apply a stepwise control approach: first trying to remove the hazard, then substituting, isolating, engineering out, changing procedures, and finally relying on training and protective equipment where needed. - The people who run these checks are trained and signed off for the task, and we review the findings to tighten our safety system, update controls, and track whether the changes are working. - Workers can raise unsafe conditions through supervisors, a hotline, or a digital form; they may also stop work if they believe it is unsafe, and our rules prohibit retaliation for either speaking up or stepping away. We also investigate incidents by looking at what happened, what hazards were present, and what fixes are needed, then use the same control hierarchy to decide corrective actions and wider system improvements.

Illustrative only; shows one way a reporter might describe the required processes in plain language.

Illustrative (synthetic) example — Warehousing and logistics

*Synthetic illustration only.* Our checks cover routine warehouse activity and unusual events such as peak-season overtime, contractor work, equipment breakdowns, and temporary traffic changes, for both our own staff and third-party workers under our day-to-day control. - We identify risks through walk-throughs, job reviews, incident trend analysis, and pre-task assessments, then choose controls in order of preference from removal of the hazard through to last-line safeguards. - We keep the process reliable by using trained assessors, refresher training, and periodic quality reviews, and we feed the results into our safety management cycle so that procedures, training, and controls are updated where needed. - Workers may report hazards through team leads, QR-code reporting, or the safety mailbox, and may leave a task they believe could harm them without penalty; when incidents occur, we investigate the event, reassess the related risks, decide follow-up actions using the same control order, and record any system changes needed.

Illustrative only; shows a second plausible reporter with different wording and operational context.

Company reports

How companies report GRI 403-2

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

ReNew Energy Global Plc
Electric Utilities / IPP / Energy Traders · United Kingdom · 2025
Open report →
ReNew Energy Global Plc's 2025 Annual Integrated Report provides data on the number of employees and workers in various categories, including gender breakdowns, on page 150. The report also details the management of environmental risks related to the polysilicon supply chain on page 160 and indicates that 275 workers are covered by an occupational health and safety management system on page 164. However, there is no clear narrative on methodology or other specific narrative items, and several expected disclosures are not found or remain unclear in the report.
Zydus Wellness Limited
Food Production — Agricultural · India · 2025
Open report →
Zydus Wellness Limited’s Integrated Annual Report 2024-25 provides specific data on employee numbers, reporting 20 employees including differently abled workers (p.116), and details on workers covered by an occupational health and safety management system (p.52). The report also outlines processes for internal control of identified risks and business continuity plans (p.98), with some supporting context on risk identification and hazard assessment, though without headline values (p.21, p.131). However, several narrative items relevant to the disclosure are not found or lack quotable evidence, indicating gaps in comprehensive reporting on certain aspects.
Grupo Cibest S.A.
Banks / Diverse Financials / Insurance · Colombia · 2025
Open report →
Grupo Cibest S.A.'s 2025 Management Report provides partial information regarding the disclosure, noting on page 201 that workers have been excluded from the disclosure, including details on the type of worker and reasons for exclusion, covering all subsidiaries. However, the report lacks a clear headline value or comprehensive narrative on the methodology or detailed findings related to the disclosure. Additionally, multiple narrative items relevant to the disclosure are not found or remain unclear throughout the report.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 403-2?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

A warehouse team uses a new pallet wrapper for the first time, while a contractor is also working in the same loading bay. The safety lead has a routine walk-through checklist, but no separate check for unusual tasks or shared work areas.

QHave we described how we spot dangers and judge risk for both day-to-day work and one-off or unusual situations affecting employees and other people whose work or workplace we control?
Reveal model answer →

After a minor chemical splash, the site manager says the team now uses gloves and eye protection, but the incident note does not show how the fix was chosen or whether the earlier risk review was updated.

QDoes our incident follow-up show how we chose the corrective action and how the findings feed back into improving the safety system?
Reveal model answer →

A production worker reports a loose guard on a machine, but the supervisor asks them to keep working until the end of the shift. The worker is unsure whether speaking up could affect their overtime allocation next week.

QHave we explained how workers can raise a hazard or step away from unsafe work, and how we protect them from negative treatment for doing so?
Reveal model answer →

A maintenance contractor and an in-house supervisor both investigate a near miss, but neither has formal training in incident review. The resulting note lists what happened, yet it does not show who checked the quality of the review or whether the reviewers were competent for the task.

QHave we shown how we make sure the hazard and incident processes are reliable, including the skills of the people doing them?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 403-2
within GRI 403: Occupational Health and Safety
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

How do I use the GRI 403-2 page to build a draft disclosure from the datapoints listed for occupational health and safety?+
What data do I need to collect for GRI 403-2 on occupational health and safety before I start writing?+
How should I decide the scope and methodology for the GRI 403-2 occupational health and safety disclosure?+
Who should own the GRI 403-2 data and sign-off process in practice?+
What should I put in the evidence pack for GRI 403-2 to be assurance-ready?+
What are the common mistakes people make when reporting GRI 403-2 occupational health and safety?+
How do I use the Prep & Assurance workbook for GRI 403-2?+
What can I take from the synthetic example disclosure for GRI 403-2 without copying it?+
Can I reuse my GRI 403-2 occupational health and safety data for ESRS S1 (Own Workforce)?+
How do I turn the GRI 403-2 page into a content-index line and narrative draft?+
More questions this page can help with
What is the best order to work through the GRI 403-2 page when preparing an occupational health and safety disclosure?How do I map hazard and risk scanning, control selection and process quality checks into a GRI 403-2 draft?How do I evidence anti-retaliation protection and the right to stop work for GRI 403-2?What should a reviewer look for in the incident investigation and corrective action evidence for GRI 403-2?How do I use the common reporting gaps section to quality-check a GRI 403-2 draft?What does the GRI 403-2 evidence pack need to contain for assurance readiness?How do I use the printable Library Card PDF for GRI 403-2?Where can I find real company report examples for GRI 403-2 on the page?How do I make sure my GRI 403-2 figures are internally consistent in the example table and in my own draft?What should I ask the HR or H&S data owner to provide for GRI 403-2?How do I use the page’s assurance claims to build a claim-risk-evidence checklist?What is the closest ESRS reference on the page for GRI 403-2 and how should I use it?