
ISO 45003 in practice: governance of psychosocial risks

Definition
Governance of psychosocial risk under ISO 45003 means managing psychosocial risk through defined thresholds, clear ownership, decision logic, and follow-up cadence within the organisation’s management system.

 

Who this applies to
This guidance is intended for boards, executive management, HR leaders, and risk owners with responsibility for governance under ISO 45003, ESRS S1, or equivalent management systems.

 

ISO 45003 places psychosocial risk where it belongs: within the organisation’s management system.
This means that psychosocial risks must be governed, followed up, and improved — not merely measured.
This page describes how governance works in practice.

What does governance of psychosocial risk mean?

Governance means that the organisation has:

  • defined thresholds for when risk requires action

  • clear responsibility for decisions and follow-up

  • decided controls and actions

  • a recurring follow-up cycle that shows whether risk decreases over time

Without these elements, psychosocial risk becomes a matter of interpretation rather than a governable risk area.

 

The four governance components

  1. Threshold (when)
    What level of signals requires leadership decision or corrective action?

  2. Ownership (who)
    Who has the mandate and responsibility when the threshold is crossed?

  3. Action / control (what)
    What type of intervention or control should be activated — and at what level?

  4. Follow-up (how we know)
    How is the action followed up over 90 days and 12 months to ensure real change?

 

From signal to governance decision

  • Input: aggregated psychosocial signals (e.g. psychological safety, workload, role clarity)

  • Processing: thresholds and risk zones (red / watch / stable)

  • Output: leadership decisions, named ownership, activated controls, and documented follow-up

 

Minimally viable governance model (example)

  • Quarterly follow-up of psychosocial risk at leadership level

  • Clear risk zone (red / watch / stable)

  • Named responsibility per zone

  • Documented follow-up that can be reviewed over time

 

This is the minimum required for psychosocial risk to be governable in its own right, rather than visible only indirectly through its consequences: reduced productivity, investigations, increased use of occupational health services, silent attrition, or general workplace ill-health.
