10 min read | Last Updated 30 January 2026

Australian employers face a new reality. Since December 2025, psychosocial hazards now carry the same regulatory weight as physical safety hazards under workplace health and safety law. PCBUs must identify, assess, control, and continuously manage psychosocial risks or face serious regulatory consequences.

This guide walks you through the psychosocial risk assessment process step by step, explains what regulators actually expect, and shows you how to build a compliant, defensible system your organisation can maintain over time.

What Is a Psychosocial Risk Assessment?

A psychosocial risk assessment identifies hazards in your workplace that could cause psychological harm to workers. It evaluates how likely those hazards are to cause harm, how severe that harm might be, and what controls you need to put in place.

Unlike traditional safety assessments that focus on physical hazards like machinery or chemicals, psychosocial risk assessments examine how work itself is designed, managed, and experienced. They look at workloads, relationships, job security, change management, and dozens of other factors that affect mental health.

The Managing Psychosocial Hazards at Work Code of Practice 2024 identifies 17 specific hazards PCBUs must consider:

1. Job demands

2. Low job control

3. Poor support

4. Lack of role clarity

5. Poor organisational change management

6. Inadequate reward and recognition

7. Poor organisational justice

8. Traumatic events or materials

9. Remote or isolated work

10. Poor physical environment

11. Violence and aggression

12. Bullying

13. Harassment including sexual harassment

14. Conflict or poor workplace relationships

15. Fatigue

16. Job insecurity

17. Intrusive surveillance

Your assessment must address every one of these hazards. Missing even one creates a compliance gap and, more importantly, leaves your workers exposed to harm.

Why Psychosocial Risk Assessment Matters Now

Work-related psychological injuries already cost Australian businesses billions annually. They result in longer recovery times, higher compensation costs, and more days away from work than physical injuries. The human cost runs even higher.

Regulators have noticed. SafeWork NSW, SafeWork SA, Comcare, and other state regulators now conduct psychosocial inspections and issue improvement notices for inadequate risk management. Courts treat the Code of Practice as evidence of what constitutes reasonable and practicable conduct.

The regulatory shift also reflects scientific consensus. Decades of research confirm that psychosocial hazards cause real, measurable harm. Stress is not just discomfort. Sustained exposure to psychosocial hazards causes anxiety, depression, post-traumatic stress disorder, sleep disorders, musculoskeletal injuries, and chronic disease.

Organisations that treat psychosocial risk assessment as a tick-box exercise will struggle. Those that build genuine systems will protect their people and their operations.

The Four-Step Risk Management Process

Safe Work Australia applies the same risk management framework to psychosocial hazards that applies to all workplace risks. The process has four steps.

Step 1: Identify Hazards

Start by identifying which of the 17 psychosocial hazards exist in your workplace. Every workplace will have some exposure to most hazards, but the nature and extent varies enormously.

Identification requires multiple information sources:

Consult your workers. Regulations require worker consultation on psychosocial hazards. Your people know where the problems are. Use surveys, focus groups, one-on-one conversations, and anonymous reporting channels. Consultation must be genuine and ongoing, not a one-time exercise.

Review existing data. Workers compensation claims, incident reports, grievances, turnover statistics, absenteeism patterns, and exit interviews all reveal psychosocial hazards. Look for trends across teams, locations, and time periods.

Observe work practices. Walk the floor. Sit in on meetings. Review workloads, deadlines, and communication patterns. Examine rosters, leave policies, performance management systems, and change management processes.

Analyse job roles. Consider the inherent demands of each role. Some jobs carry unavoidable exposure to trauma, isolation, high workloads, or customer aggression. These exposures require specific controls.

Document what you find. Your hazard identification records form the foundation of your risk assessment and demonstrate compliance to regulators.

Step 2: Assess Risks

Once you identify hazards, assess the risk they create. Risk assessment considers three factors:

Duration: How long are workers exposed to the hazard?

Frequency: How often does exposure occur?

Severity: How harmful is the exposure?

A one-off difficult conversation with a customer creates lower risk than daily exposure to verbal abuse. Occasional tight deadlines create lower risk than chronic understaffing. Assess each hazard in context.

Risk assessment also considers how hazards interact. Psychosocial hazards rarely occur in isolation. High job demands combined with low job control and poor support creates much higher risk than any single hazard alone. The Code of Practice explicitly requires you to consider combined and cumulative effects.

Some hazards carry inherently high risk. Exposure to workplace violence, sexual harassment, or traumatic material can cause severe harm from even single incidents. These require strong controls regardless of frequency.

Step 3: Control Risks

PCBUs must eliminate psychosocial risks so far as is reasonably practicable. Where elimination is not reasonably practicable, you must minimise risks using the hierarchy of controls.

The hierarchy prioritises higher-order controls over lower-order controls:

Elimination: Remove the hazard entirely. Redesign the job so the hazard no longer exists.

Substitution: Replace the hazard with something less harmful. Change processes, systems, or work arrangements to reduce exposure.

Isolation: Separate workers from the hazard. Create physical or temporal buffers.

Engineering controls: Modify equipment, systems, or processes to reduce risk.

Administrative controls: Implement policies, procedures, training, and supervision to manage exposure.

Personal protective measures: Provide individual support such as counselling, coaching, or flexible work arrangements.

The hierarchy matters. Regulators expect PCBUs to implement higher-order controls before relying on training, policies, or individual support. A wellness program does not substitute for fixing excessive workloads. Mental health first aid training does not excuse tolerating bullying.

For each identified hazard, determine what controls you will implement and document your reasoning. Your control plan must be specific, actionable, and proportionate to the risk.

Step 4: Review and Improve

Risk management is continuous, not episodic. Regulations require PCBUs to review control measures to ensure they remain effective.

Review triggers include:

• A psychological injury occurs

• Consultation reveals controls are not working

• A significant change affects work design or conditions

• New information about hazards or controls becomes available

• Enough time has passed since the last review

Establish a review schedule and stick to it. Most organisations benefit from quarterly reviews of high-risk hazards and annual comprehensive reviews.

Track leading indicators like engagement scores, turnover rates, and consultation feedback alongside lagging indicators like injury claims. Leading indicators reveal problems before they cause harm.

Common Assessment Mistakes

Organisations regularly make the same mistakes when conducting psychosocial risk assessments.

Treating assessment as a one-time project. Psychosocial risks shift constantly as work changes, people join and leave, and external pressures evolve. A risk assessment completed in 2024 does not demonstrate compliance in 2026.

Relying solely on surveys. Surveys provide useful data but have limitations. They capture worker perceptions at a single point in time. They miss hazards workers do not recognise or feel comfortable reporting. They require high participation rates to generate reliable results. Use surveys as one input among many. Comcare provides a comparison of psychosocial risk assessment tools to help you evaluate your options.

Focusing on individuals rather than systems. Psychosocial risk management addresses how work is designed and managed, not how individual workers cope. Resilience training does not fix a broken system. Control measures must target the hazard, not the worker.

Applying generic controls. Every workplace is different. A control that works in one team may fail in another. Tailor controls to your specific context, consult workers on what will actually work, and monitor whether controls achieve their intended effect.

Neglecting documentation. Regulators expect evidence of your risk management process. Without documented hazard identification, risk assessment, control decisions, and review records, you cannot demonstrate compliance. Good documentation also enables continuous improvement by revealing patterns over time.

Fragmenting responsibility. Psychosocial risk management requires coordination across HR, WHS, operations, and executive leadership. Siloed approaches create gaps. Assign clear accountability and establish governance structures that ensure integration.

Building a Sustainable System

Effective psychosocial risk management requires infrastructure, not just intent. Organisations need systems that capture hazards, track controls, manage evidence, facilitate consultation, and produce reports for boards and regulators.

Spreadsheets and shared drives cannot handle this complexity at scale. Information fragments across locations, teams, and time periods. Version control fails. Consultation records disappear. Control measures get forgotten. Review cycles slip.

Purpose-built platforms solve these problems by connecting every element of the risk management process into a single, auditable system.

Why ReFresh Is Built for This Challenge

ReFresh provides the infrastructure Australian organisations need to manage psychosocial compliance properly.

Legislative comprehensiveness. ReFresh maps directly to all 17 psychosocial hazards in the Code of Practice. The platform ensures your risk assessment covers every required hazard so gaps do not slip through. When regulations change, the platform updates to reflect new requirements.

Smart system architecture. ReFresh understands the relationships between hazards, controls, evidence, and outcomes. When you identify a hazard, the platform guides you to appropriate controls. When you implement a control, the platform tracks its effectiveness over time. When a worker reports an incident, the system connects that report to your broader risk profile. Everything links together because psychosocial risk management requires integration, not isolation.

Vetted templates that save time. ReFresh includes professionally developed templates for risk registers, control plans, consultation records, incident reports, and governance documentation. Your team does not need to build these frameworks from scratch or wonder whether they meet regulatory expectations. Start with proven structures and customise them to your context.

Continuous monitoring. Unlike point-in-time surveys, ReFresh runs continuously in the background. The platform analyses communication and collaboration patterns to detect early signs of overload, disengagement, and cultural drift. You identify problems before they escalate into injuries or regulatory issues.

Audit-ready evidence. Every action in ReFresh is versioned and auditable. When a regulator requests documentation, you produce it immediately. When your board asks for assurance, you provide it with confidence. The system maintains the records you need without manual effort.

Connected response pathways. When risks require intervention, ReFresh connects you with trusted partners and support services. The platform does not just identify problems. It helps you resolve them through appropriate channels.

Organisations using ReFresh gain compliance visibility within 24 hours of implementation. They detect risks faster than survey-based approaches and reduce absenteeism through early intervention. The platform handles the administrative burden so your people can focus on actually managing risk.

Getting Started

Psychosocial risk management can feel overwhelming, especially for organisations building systems from scratch. The regulatory requirements are detailed, the hazards are numerous, and the stakes are high.

Start with these foundations:

1. Assign clear accountability. Someone in your organisation must own psychosocial risk management with authority to implement controls and access to leadership.

2. Establish consultation mechanisms. Build the channels through which workers can report hazards and contribute to control decisions. Consultation is not optional and must be genuine.

3. Conduct your initial risk assessment. Work through all 17 hazards systematically. Document what you find, assess the risks, and determine your initial controls.

4. Implement priority controls. Start with the highest-risk hazards and the controls that will have the greatest impact. You do not need to solve everything immediately, but you do need to demonstrate progress.

5. Build your ongoing system. Transition from project mode to operational mode. Establish review cycles, monitoring processes, and governance reporting.

A platform like ReFresh accelerates each of these steps by providing structure, templates, and automation. But the real value comes from embedding psychosocial risk management into how your organisation operates every day.

Australian law now requires PCBUs to manage psychosocial hazards with the same rigour as physical hazards. Organisations that build robust systems will protect their people, satisfy regulators, and perform better over time. Those that do not will face increasing scrutiny and consequences.

The regulatory framework is clear. The hazards are defined. The tools exist. The only remaining question is whether your organisation will act.

ReFresh is a psychosocial compliance and HR risk management platform that helps organisations detect, assess, control, manage, and govern psychosocial risk. Learn more about ReFresh.