Disclosure LibraryPractitioner guidance for every reporting disclosure
Home Disclosure Library GRI GRI 403 GRI 403-7
GRI 403: Occupational Health and Safety · 2018
Disclosure GRI 403-7

Prevention and mitigation of occupational health and safety impacts directly linked by business relationships

Practical guidance for preparing this disclosure. Use this card to identify datapoints, verify claims and organise supporting evidence. For exact requirements, always refer to the official GRI source.

Dr Ross Kurinko, GRI Certified Trainer
Reviewed by Dr Ross Kurinko · GRI Certified Trainer LRA educational guidance · Not issued or endorsed by GRI
To prepare this disclosure
Disclosure focus

This disclosure asks an organisation to explain how it identifies and manages occupational health and safety risks and impacts that are connected to its business relationships, not just those within its own direct operations. In practice, the focus is on whether the organisation has processes to prevent or reduce harm where its activities, products, services, contractors, suppliers or other linked parties may affect workers’ health and safety.

The practical emphasis is on the breadth and effectiveness of coverage: does the organisation look across the parts of the business where these risks can arise, or only at a few visible sites? The report should make clear how prevention and mitigation are applied in day-to-day operations and through relevant relationships, and whether the approach is limited to flagship locations or extends more widely across the organisation’s footprint.

This LRA educational guidance supports disclosure preparation. For the exact requirements, always refer to the official GRI source.

Before you start

A quick mental checklist before you prepare this disclosure — tick each as you settle it.

Preparation

Key datapoints to prepare

Datapoint What to capture Evidence hint Owner
OHS risk controls A plain description of how the organisation prevents or reduces major work-related health and safety harm that is tied to its own activities, products or services through its business relationships, together with the main hazards and risks involved. Risk assessments, control plans, supplier or contractor safety requirements, incident logs, and internal H&S procedures showing the controls in place and the hazards they address. Health and safety
+ Show GRI 403-7 sub-elements (LRA working checklist)

How to prepare it

1Set the boundary for the disclosure first: decide which parts of the business, which products or services, and which business partners are in scope for the description.
2Define what you will treat as a significant negative health and safety impact, and identify the related hazards and risks you will use when assessing it.
3Gather the supporting material that shows how the organisation prevents or reduces those impacts, including any internal policies, procedures, assessments, or other records used in practice.
4Draft a clear narrative that explains the approach in plain language, making sure it covers the direct links through operations, products or services, and through business relationships.
5Record any exclusions, scope changes, or assumptions so a reviewer can see what was left out and why the reported description is framed the way it is.
6Check the final wording and evidence against the official source to confirm the disclosure matches the required content and that nothing material has been missed or added.
Request the data

Request the supplier and contractor OHS risk controls evidence

Translate the disclosure into an internal business question — then adapt it to your organisation's own language.

What practical controls and supporting evidence do we have for managing serious health and safety risks that arise through suppliers, contractors, or other business partners linked to our operations, products, or services?

Use your organisation’s own terms first, then map them to the disclosure wording. For example, if you talk about contractors, vendors, site partners, or service providers, use those labels in the request and only translate them later for reporting.

Weak request

Please provide the GRI 403-7 evidence showing how we address occupational health and safety impacts directly linked by business relationships.

Why it fails: This uses framework language that many operational teams will not use day to day, so it is harder to route to the right owner and easier to return a generic narrative instead of usable records. It also does not specify the site, period, systems, or the kind of controls and references needed.

Better request

Please send the records for [reporting period] that show how [site/business area] manages serious safety risks linked to [contractors/suppliers/service partners]. Include the main risk types, the controls in place, and the supporting audit, review, incident, or action-tracking references, using your team’s own terms.

Formal email template
Subject: Request for contractor and supplier safety control evidence for [reporting period]\n\nHi [name/team],\n\nI’m pulling together the evidence pack for our sustainability reporting and need your help with the records for [business area/site].\n\nPlease send a short summary of the controls we use to manage serious health and safety risks connected with [contractors/suppliers/service partners], together with the supporting evidence for [reporting period].\n\nPlease include:\n- the main risk types you track\n- the controls or checks in place\n- where the evidence is held\n- any relevant audit, review, incident, or action-tracking references\n- the current status of any open actions\n\nA possible LRA training template is attached below; please adapt this to your organisation’s own language and check the source material before sign-off.\n\nThanks,\n[preparer name]
Short Teams / Slack version
Hi [name] — could you share the evidence pack for [reporting period] on how we manage serious safety risks linked to [contractors/suppliers/service partners] in [site/business area]? Please include the controls in place, where the records sit, and any audit/action references. Please use your team’s own terms first, then we’ll map them for reporting. Thanks.
Industry examples
Construction

Context. A principal contractor needs evidence for subcontractor safety management across live sites.

Adapted request. Please share the evidence pack for [reporting period] covering how we manage high-risk work by subcontractors on [project/site]. Include the main hazards, the controls used before and during work, and any inspection, permit, or corrective-action records.

Example response. We use subcontractor pre-qualification, site induction, daily briefings, permit-to-work, and supervisor checks. Evidence is held in the contractor portal and site inspection logs. Open actions are tracked in the action register; closed items are marked with completion dates.

Logistics / Warehousing

Context. A warehouse operator needs evidence for third-party transport and maintenance activities on site.

Adapted request. Please provide the records for [reporting period] showing how we manage safety risks linked to third-party drivers, maintenance firms, and equipment service partners at [warehouse/site]. Include the key risk areas, the controls in place, and the supporting incident, audit, and training records.

Example response. We control vehicle movements through booking slots, yard rules, marshal checks, and induction for visiting drivers. Maintenance work uses permit-to-work and isolation checks. Evidence sits in the HSE tracker, visitor induction system, and audit folder, with actions tracked to closure.

Draft your disclosure

Notes that turn data into a disclosure

LRA training templates — adapt them to your organisation, and check the official source before sign-off.

Method note

Explain how you define the relevant hazards, which business relationships are included, and the basis used to decide whether a negative health and safety impact is significant enough to describe.

Context note

Set out what the figures and descriptions show about how the organisation is trying to stop or reduce serious work-related harm connected to its operations, products or services through other parties.

Fluctuation statement

If the approach changed during the period, note whether that was due to new hazards, changes in business relationships, revised assessments, or updated control measures.

Content index entry
GRI 403-7 Prevention and mitigation of occupational health and safety impacts directly linked by business relationships — [location / page] / [notes]
Download Centre

Preparation tools & forms

Professional preparation tools for GRI 403-7 — free with an LRA Community membership. Register once (it's free) and every download unlocks, together with the Disclosure Library, templates and the LRA AI-assistant.

Free · Community members
Assurance readiness

For each claim, check the evidence

ClaimRiskEvidence to check
We explain how we identified the work areas and relationships that could create the most serious health and safety harm, and how we decided which of those were included in the figure.An assurer will test whether the inclusion and exclusion choices were made consistently, and whether the reported coverage leaves out material parts of the disclosed operations or linked business relationships.Scoping notes, boundary-setting papers, risk registers, mapping of sites and business relationships, and any sign-off showing why particular areas were included or left out.
We describe the controls and actions we say are in place to reduce or avoid those harms, and we keep evidence showing how those controls were selected and applied in practice.An assurer will probe whether the stated controls are real, relevant to the identified hazards, and supported by implementation evidence rather than being generic policy language.Policies, procedures, contractor requirements, training records, inspection logs, incident follow-up records, and examples showing the controls operating during the reporting period.
We rely on source data that can be traced back to the underlying records, and we check that the data used for the disclosure is complete, current, and internally consistent before publication.An assurer will look for weak data lineage, missing records, outdated inputs, or unexplained changes between source systems and the published figure or narrative.Source extracts, data lineage notes, reconciliation files, version control, management review comments, and evidence of checks for completeness, accuracy, and consistency.
We keep supporting material that shows the hazards we identified, the decisions we made, and the basis for the final wording in the disclosure.An assurer will test whether the narrative is backed by contemporaneous evidence and whether the final statement matches the underlying assessment and records.Hazard assessments, meeting minutes, draft-to-final change logs, approval records, and working papers linking the published text to the underlying analysis.
Before publication, we carry out a review to confirm that the disclosure matches the underlying evidence and that any judgement calls are explained clearly.An assurer will examine whether the final review was robust, whether unresolved issues were cleared, and whether the published wording overstates what the evidence supports.Pre-publication checklists, review and approval emails, issue logs, sign-off records, and evidence of any corrections made before release.

Evidence pack to prepare

Common reporting gaps

The information is presented without a date or as-at point.The scope or boundary of the statement is left undefined.Key terms are used inconsistently across the report.Material changes since the previous period are not disclosed.Assertions are made without supporting detail or a source record.Boilerplate is used that does not actually answer what is asked.
Common gaps

Mistakes to avoid when collecting the data

Wrong owner
The team asks the safety lead alone and misses the people who manage contractors, suppliers, or service partners where the controls actually sit.
Framework language only
The request is sent in disclosure jargon, so the business cannot map it to its own hazard, incident, or contractor-control records.
Scope left vague
No one states which linked operations, products, services, or partner groups are in scope, so different teams collect different sets of cases.
Wrong time basis
The data pull uses a different reporting period or cut-off date from the rest of the pack, which makes the figures impossible to align.
Mixed counting basis
One source counts sites, another counts people, and a third counts events, so the final dataset blends unlike measures.
Source labels lost
Original file names, system tags, or case IDs are stripped out, making it hard to trace each figure back to the underlying record.
Populations merged
Contractor, supplier, and other partner records are rolled into one pool even though they need to stay separate for review.
No evidence trail
The pack has numbers but no note of where they came from, who checked them, or when they were approved.

Where judgement is often needed

Acquisition or disposal during the reporting period
Use the cut-off date you apply for the period, explain whether newly acquired or sold entities are included for the full year or only from the transaction date, and note any resulting gap or overlap in the description.
Different local safety rules across countries
Describe the approach in the language used by the business, then explain how local legal or site-level practices are reconciled where country rules differ so readers can see the common method behind the variation.
Contractors, agency staff, and other near-boundary workers
State the rule you use to decide when a worker supplied through another party is treated as part of the operating footprint for this topic, and disclose any exclusions where the link to your activities is too indirect or too remote.
Suppliers and service partners at different tiers
Clarify how far along the chain you look when the hazard sits with a partner rather than inside your own sites, and explain the practical limit you set for including linked risks and controls.
Mixed evidence from site checks and estimates
If some locations are measured and others are inferred, say which parts come from inspections, incident records, or other direct checks and which parts rely on estimates, including the basis used for those estimates.
Timing of controls and follow-up actions
Explain whether you report the position at period end or the average position over the year, and make clear how you treat actions that started, changed, or finished part-way through the period.
Aggregation for privacy or small-number protection
Combine results where needed to avoid identifying individuals or tiny teams, but disclose the level at which you have grouped the information and any effect this has on how clearly the linked hazards and responses can be seen.
Rounding and internal consistency
Round figures in a consistent way, state the rounding rule if it affects the presentation, and check that any totals still align with the underlying site or business-unit detail.
Examples

Illustrative examples

Synthetic, written by LRA — not from a company report, not text from any standard.

Illustrative (synthetic) example — Food processing

*Synthetic example only.* We map the main work-related health and safety risks that arise through our contractors and logistics partners, then set controls to reduce the chance of harm where their activities connect to our sites and products. - Our review covered 42 business partners; 18 were flagged as higher risk because of manual handling, vehicle movements, cleaning chemicals, or work at height, and all 18 had agreed action plans in place. - During the year, 14 partner sites were checked against our safety requirements; 11 were found compliant, while 3 needed follow-up on training records, machine guarding, or emergency procedures, and those gaps were closed within 60 days.

This example shows how to describe the practical steps used to prevent or reduce serious safety harm linked to business partners, while naming the main hazard types and the follow-up taken.

Illustrative (synthetic) example — Facilities management

*Synthetic example only.* We use a partner-risk review to identify where outsourced cleaning, maintenance, and security work could create serious injury risks, and we then apply contract terms, site rules, and joint training to lower those risks. - In the reporting year, 27 suppliers were in scope; 9 were classed as higher risk because of lone working, electrical tasks, work at height, or exposure to hazardous substances, and each received a targeted mitigation plan. - We carried out 21 site audits across those partners; 16 met our expectations, and 5 required corrective action on permit-to-work controls, PPE use, or incident reporting, all of which were completed before year-end.

This example illustrates a narrative disclosure focused on how the company manages serious safety risks that arise through outsourced services, including the hazards considered and the actions used to address them.

Company reports

How companies report GRI 403-7

Real reports where this topic is disclosed. These are report practice, not exact disclosure templates to copy.

Chang Hwa Commercial Bank, Ltd.
Banks / Diverse Financials / Insurance · Taiwan · 2024
Open report →
Chang Hwa Commercial Bank's 2024 ESG Report includes a narrative reference to its occupational health and safety management system, specifically mentioning "403-8 165 Responsible Finance Operations with significant actual and potential negative" on page 201. This indicates some coverage of health and safety management related to responsible finance operations. However, the report does not provide further detailed data or metrics on occupational health and safety outcomes or performance, leaving the extent of disclosure unclear.
London Luton Airport Operations Ltd.
Air Transportation — Airport Services · United Kingdom · 2024
Open report →
London Luton Airport Operations Ltd.'s Sustainability Report 2024 includes coverage of occupational health and safety impacts directly linked to business relationships, with relevant information found on page 71. The report specifically addresses workers covered by occupational health and safety measures in this context. However, the evidence map does not provide details on the extent or specifics of these impacts, nor does it clarify other related aspects that might be expected under this disclosure.
Delta Electronics, Inc.
Technology Hardware and Equipment · Taiwan · 2024
Open report →
Delta Electronics, Inc.'s 2024 ESG Report includes a narrative on occupational health and safety impacts directly linked by business relationships, referenced on page 242. The report points to a detailed section on occupational health and safety covering pages 219 to 228, which aligns with the disclosure requirements. However, the evidence map does not indicate specific quantitative data or further details on the extent of these impacts, leaving some aspects unclear.
✓ LRA AI Assistant · Human-in-the-loop
Dr Ross Kurinko
Ask Study Studio AI assistant about this disclosure
Get a practical answer for your reporting context. Your first answer is free — create a free account to continue the conversation.
TryHow do I prepare GRI 403-7?What data do I need to collect?Where can I see a real-report example?What mistakes should I avoid?
1 free answer
Check your understanding

Scenarios to work through

A logistics provider uses a subcontracted warehouse team to handle your finished goods. A recent site review found repeated manual-handling injuries among that team, and your own staff work alongside them in the same loading area.

QShould you describe the practical steps you are taking to reduce the injury risk in that shared work area, including how you are addressing the hazards tied to the subcontracted service?
Reveal model answer →

A cleaning contractor works overnight in your offices. One cleaner was injured after using a chemical stored in an unlabelled container, and the contractor has asked whether the issue should be mentioned in your sustainability reporting.

QDo you need to explain how you are preventing a repeat of this kind of harm when the risk sits with a contractor rather than your own employees?
Reveal model answer →

Your company buys maintenance services from an external firm that sends technicians to your sites. A near-miss involving faulty equipment was recorded, but no one was hurt and the supplier says the problem was isolated.

QShould you include this in the disclosure if you are only reporting on serious safety impacts, or only if an actual injury occurred?
Reveal model answer →

A transport partner delivers raw materials to your factory. Drivers have reported fatigue and rushed unloading, and you have introduced revised delivery slots, site induction, and checks on waiting times to reduce the risk.

QIs it enough to say that the issue is being monitored, or should you set out the actual measures being used to lower the risk?
Reveal model answer →
Framework references

Related framework references

How this disclosure maps across the major reporting frameworks.

GRI
GRI 403-7
within GRI 403: Occupational Health and Safety
Open official source →
Primary
Related & explore
FAQ

Questions this page answers

How do I use the GRI 403-7 page to prepare an occupational health and safety disclosure draft from scratch?+
What data do I need to collect for GRI 403-7 on occupational health and safety risk controls?+
How should I define the scope and methodology for GRI 403-7 risk controls using this page?+
Who should own the GRI 403-7 data and sign-off in practice?+
What evidence should I keep to make a GRI 403-7 occupational health and safety disclosure assurance-ready?+
What are the common mistakes to avoid when reporting GRI 403-7?+
How do I use the Prep & Assurance workbook for GRI 403-7?+
What should I put in the draft output for GRI 403-7 occupational health and safety risk controls?+
Can I reuse GRI 403-7 data for ESRS S1 (Own Workforce)?+
Are there example disclosures for GRI 403-7 that I can use as a model?+
More questions this page can help with
GRI 403-7 occupational health and safety risk controls: what is the minimum data I should gather before drafting?How do I build an evidence pack for GRI 403-7 OHS risk controls?What does the step-by-step preparation section on GRI 403-7 actually help me do?How do I turn OHS risk control data into a narrative for GRI 403-7?What should an assurance reviewer check in a GRI 403-7 draft?What are the five assurance claims to verify for GRI 403-7?What are the five items in the GRI 403-7 evidence pack?How do I use the GRI 403-7 content-index line in a report draft?Where can I find downloadable support materials for GRI 403-7?What common reporting gaps appear on the GRI 403-7 page?How do the synthetic examples on the GRI 403-7 page help with drafting?Is ESRS S1 data reusable for a GRI 403-7 occupational health and safety disclosure?