What Is Corporate Duty of Care and What Are Employers Legally Responsible For?
Corporate duty of care is the legal and ethical responsibility an employer holds to take reasonable steps to protect employees, contractors and, in some cases, third parties from foreseeable harm connected to work. It applies whether work happens in an office, at home, on a project site, in transit or during business travel. For organisations with globally mobile people and complex supply chains, duty of care now reaches well beyond preventing slips, trips and equipment accidents. It takes in psychosocial risk, fatigue, harassment, violence, cyber and data exposure, public health threats, and the knock-on effects of disruption that can leave personnel stranded or unsupported.
This matters because the cost of getting it wrong is far wider than a lawsuit. A failure to anticipate and manage risk can trigger regulatory action, employer liability claims, reputational damage, staff attrition, and lasting harm to individuals and their families. At the same time, duty of care is not a promise of perfect safety. Most legal frameworks focus on what is reasonable in the circumstances, weighing what an employer knew or ought to have known, what controls were feasible, and whether the employer acted promptly when conditions changed.
Understanding corporate duty of care helps decision-makers build systems that protect people while also protecting the organisation. It clarifies how far responsibility extends, where liability can arise, and what reasonable steps look like both in day-to-day operations and in a crisis. At SPS, our teams have managed exactly these situations for globally mobile workforces for over two decades, from routine business travel through to complex medical and security evacuations, and the pattern is consistent: the organisations that cope best are the ones that treated duty of care as an operating capability long before an incident tested it.
The most useful question for leaders is not “Are we legally covered?” but “If something goes wrong tomorrow, can we show we took reasonable steps, and can we reach and help our people quickly?”
Corporate duty of care: definition, scope and why it matters
Corporate duty of care refers to an employer's obligation to provide a safe system of work and to take reasonable measures to prevent harm that is reasonably foreseeable. The corporate dimension is important: this is not only a manager's personal responsibility. It is embedded in governance, policy, resourcing and oversight. In practice it covers how work is designed, how risks are assessed, how controls are implemented, and how support is provided when something goes wrong.
The scope is broader than many organisations expect. It typically includes physical safety at workplaces and work sites, safe equipment and premises, competent supervision, appropriate staffing levels and access to medical assistance. It also extends to non-physical harm, such as stress-related illness driven by excessive workload, unsafe working cultures, discrimination, bullying, sexual harassment and exposure to traumatic events. For roles involving travel or remote work, duty of care can include trip planning, accommodation safety, local threat awareness and emergency response arrangements.
Foreseeability sits at the centre of it. An employer is expected to anticipate risks that a reasonable organisation would anticipate in similar circumstances. That expectation rises where the employer holds specialist knowledge, uses hazardous processes, sends people into higher-risk environments, or receives warnings about emerging threats. Duty of care is also continuous. Risk conditions change, particularly when employees travel, when a crisis escalates quickly, or when an individual's personal circumstances create vulnerabilities that need to be accommodated.
Why it matters is straightforward: it shapes decision-making before, during and after an incident. Before, it drives prevention. During, it drives response, communication and support. Afterwards, it drives care, rehabilitation and learning. A mature approach reduces injuries and disruption, builds employee trust, and strengthens operational resilience. It also creates defensible records that show reasonable steps were taken, which can prove decisive when the adequacy of those actions is later examined by regulators, insurers or the courts.
Legal foundations across key jurisdictions and when liability can arise
Across legal systems, corporate duty of care generally arises from a mix of statutory obligations, common-law negligence principles, employment law and health and safety regulation. Terminology and enforcement differ, but common themes recur: employers must identify hazards, reduce risk so far as is reasonably practicable, provide information and training, consult workers where required, and maintain safe working environments. Some frameworks impose strict or near-strict obligations for particular hazards; others weigh reasonableness more heavily.
Liability can arise in several ways. Regulatory liability can follow a breach of safety duties, a failure to report incidents, or a failure to maintain required systems and records. Civil liability can arise through negligence, where an employee argues the organisation owed a duty, breached it, and caused loss that was not too remote. Contractual liability can arise where an employer promised certain protections in a policy, a travel programme or a client contract and then failed to deliver them. In some settings, individuals in leadership roles can face personal liability where they consented to or neglected serious breaches.
A frequent misunderstanding is that liability only arises after a dramatic incident. In reality, it can build from patterns of preventable harm, such as repeated stress-related absence, ongoing harassment complaints, or recurring near-misses that were ignored. Another misunderstanding is that outsourcing transfers responsibility. Contractors, security providers, medical providers and travel management companies can form part of the control environment, but the employer typically retains responsibility to select competent partners, define roles, monitor performance and intervene when controls begin to fail.
Work-related travel and remote work add complexity. Many systems treat work travel as within the course of employment, including transit and accommodation in some circumstances. That does not make an employer liable for everything that happens while someone is away, but it usually means the employer must plan appropriately, brief travellers, and provide accessible support. Liability is more likely where risk was foreseeable and avoidable: sending someone into a volatile situation without a briefing, ignoring credible warnings, failing to provide an emergency contact, or having no means to locate and assist people during disruption. This is precisely the ground SPS operates on. In the first half of 2026 alone our operations teams managed over 500 assistance cases comprising medical, security and crisis-management response, and the recurring lesson is that the plan to locate and reach a traveller matters as much as the intent to protect them.
Causation and documentation are decisive. Even where something goes wrong, an employer can reduce its exposure by showing it ran a structured risk-management process, put practical controls in place, responded promptly to new information, and treated affected people fairly and consistently.
What employers are responsible for: assessment, prevention, training and support in practice
Employers are responsible for creating and maintaining a safe system of work. In practical terms this begins with risk assessment specific enough to be useful. Generic checklists have their place, but legal and operational expectations increasingly point to role-based and journey-based assessment. The risks facing an employee on a short client visit differ from those facing a technical team deployed for weeks, or a lone worker in a high-stress role. A good assessment considers hazards, likelihood, consequences, existing controls, and who might be especially vulnerable.
Prevention means implementing controls that match the risk. Common controls include safe work procedures, engineering controls, access restrictions, fatigue management, safeguarding measures, secure transport and accommodation standards, communication plans and clear escalation triggers. For psychosocial risk, prevention can include reasonable workloads, role clarity, respectful workplace standards, confidential reporting channels and timely investigation. For data and device risk while travelling, it may include secure configurations, guidance on public networks and clear incident-reporting routes.
Training and information are core obligations. Employers are expected to provide induction, role-specific training and refreshers where risk changes or performance reveals gaps. For globally mobile staff this can mean pre-travel briefings, cultural and legal considerations that affect safety, situational awareness, and clear guidance on what to do if documents are lost, if someone is detained, or if a medical issue arises. Training must be understandable and accessible, and supported by practical tools such as checklists, contacts and reporting apps.
Support and response obligations are where most programmes are truly tested. Employees should be able to reach help quickly, including outside business hours. Response spans triage, medical assistance, security advice, evacuation decision-making and family liaison where appropriate. After an incident, employers carry further responsibilities: recording and reporting, welfare checks, access to counselling, rehabilitation planning, and protection from retaliation for those who raise concerns. Learning loops are part of duty of care in practice. Where an incident exposes a systemic weakness, the organisation should adjust policy, controls and training. This is the stage where an experienced assistance partner earns its place, because a 24/7 response capability, sound evacuation judgement and consistent post-incident care are difficult to stand up internally and expensive to get wrong.
Governance ties it together. Clear ownership, senior oversight, adequate resourcing and regular audit demonstrate that duty of care is not ad hoc. The strongest programmes align HR, security, health and safety, travel, legal and operations so that information flows and decisions are made quickly when conditions change.
Frequently asked questions
Does corporate duty of care apply to remote and hybrid workers?
Yes. When someone works from home or another remote location, the employer's duty of care typically still applies, because the work is being done for the employer's benefit and under its direction. The expectation is not that the employer controls the home environment, but that it takes reasonable steps to identify foreseeable risks and support safe working. That can include ergonomics guidance, safe-equipment policies, training on breaks and fatigue, and clear routes for reporting hazards or injury. It also extends to psychosocial protections such as reasonable workload management, respectful communication, and support around isolation or stress. A sensible approach sets clear minimum standards, provides tools and training, and uses periodic check-ins focused on safety and wellbeing rather than surveillance.
Are employers responsible for employee safety during business travel?
Generally, yes, and the responsibility is significant where travel is required or strongly encouraged. Duty of care usually includes pre-trip planning proportional to risk, sharing relevant intelligence and advisories, ensuring travellers know how to reach help, and holding a plan to locate and support staff during disruption. It can also include selecting safe accommodation and transport and ensuring medical and security assistance is accessible. Employers are not, however, guarantors of safety. Liability tends to turn on whether harm was foreseeable and whether reasonable controls were in place. If an employee ignores clear instructions or engages in high-risk personal activity unrelated to work, that may reduce employer responsibility, but it does not remove the need for reasonable baseline planning and support.
What does “reasonable” mean in duty of care, and how do organisations prove they met it?
Reasonable usually means what a prudent organisation would do in similar circumstances, weighing the likelihood and severity of harm, what the organisation knew or ought to have known, and what controls were feasible. It is not static: if conditions change or warnings arrive, the reasonable response can shift quickly. Organisations typically evidence reasonableness through documented risk assessments, policies and procedures, training records, evidence of consultation and communication, incident reports, and records showing timely decisions. Proof that controls were applied in practice matters more than a well-written policy that was never operationalised. Regular review, audit and post-incident improvement all help demonstrate an active system rather than a paper one.
Can an employer be liable for stress, burnout or harassment?
Yes, depending on the circumstances. Many legal systems recognise that psychological harm can be a workplace injury and that employers must take reasonable steps to prevent it. The risk rises where harm is foreseeable, for example through repeated excessive hours, sustained understaffing, known toxic behaviour by supervisors, or earlier complaints that were mishandled. On harassment, employers can be responsible for preventing and responding to conduct by managers, peers and sometimes third parties such as clients or vendors, where the working environment makes that conduct foreseeable. Practical steps include clear behavioural standards, multiple reporting channels, prompt and fair investigation, protection against retaliation, and manager training. For workload-related stress, role redesign, prioritisation, staffing adjustments and enforced rest can all be key controls.
Does outsourcing travel, security or medical support reduce an employer's duty of care?
Outsourcing can strengthen an employer's ability to meet its duty of care, but it rarely removes the duty itself. Employers usually remain responsible for selecting competent providers, defining scope and service levels, integrating those services with internal policy, and monitoring performance. If a provider falls short, the questions tend to focus on whether the employer carried out appropriate due diligence, whether the provider suited the organisation's risk profile, and whether the employer acted once shortcomings became apparent. Clear contracts help, and so do operational measures such as shared escalation protocols, joint exercises and consistent incident reporting. In short, third parties can deliver key controls, but the employer still owns the obligation to ensure those controls exist and work. The value of a specialist partner lies in taking on delivery while giving the employer the assurance, and the records, to show the duty is being met.
The bottom line for leaders
Corporate duty of care is the practical expression of an employer's responsibility to protect people from foreseeable, work-related harm. It spans physical safety, psychological wellbeing, travel and remote-work risk, and the quality of support available when normal operations break down. Across legal frameworks the core expectation is consistent: identify hazards, apply proportionate controls, train and inform your people, and respond effectively when something happens. The organisations that perform best treat duty of care as a living system rather than a static policy. They keep risk assessments current, resource prevention properly, rehearse crisis response, and learn from near-misses as well as incidents.
Answering the harder question, whether you could show reasonable steps and reach your people quickly if something went wrong tomorrow, demands coordination across functions, clear decision rights, and reliable access to medical, security and crisis-response capability.
Benchmark your duty of care approach with SPS
SPS supports globally mobile workforces with 24/7 medical, security and crisis-management assistance, from pre-travel planning to evacuation and post-incident care. If you are reviewing or strengthening your global duty of care programme, our team can help you benchmark where you stand and close the gaps that matter most.
Speak to our team → www.sps-global.com

