A psychosocial risk register gives you one place to manage psychosocial hazards the same way you manage any other WHS risk. You capture the hazard, the evidence, the risk rating, the controls, the actions, and the review cycle. Many organisations start with a general spreadsheet risk register because it feels quick and familiar. It often falls over when ownership changes, reviews slip, and evidence ends up scattered across folders.

ReFresh keeps the register alive as a system. ReFresh can act as your incident reporting software, your confidential intake channel, your survey system, your risk register, your control and evidence tracker, and your governance reporting layer. You get one connected workflow instead of six disconnected tools.

Regulatory and duty context across locations (keep it consistent, then map locally)

Across Australia, the UK, Canada, and other mature WHS environments, the expectation stays consistent: identify hazards, assess risk, implement controls, consult workers, and keep records that show you did the work. The wording differs by regulator, but the operating model stays the same.

In Australia, Safe Work Australia states that a PCBU must eliminate psychosocial risks, or if that is not reasonably practicable, minimise them so far as is reasonably practicable. 

In the Commonwealth jurisdiction, Comcare describes psychosocial hazards as aspects of work with the potential to cause psychological or physical harm, and points to the Managing Psychosocial Hazards at Work Code of Practice 2024, which identifies 17 psychosocial hazards and provides guidance on how to eliminate or minimise them. 

In the UK, HSE states employers have a legal duty to protect workers from stress at work by doing a risk assessment and acting on it, and that employers with five or more workers must write the risk assessment down.

ISO 45003 provides a global management-system style approach for managing psychosocial risk within an OH&S management system based on ISO 45001. 

How Refresh supports global use: Refresh lets you run one consistent process (detect → assess → control → manage → govern) and then align it to local requirements depending on where you operate. You don’t need a different workflow for every jurisdiction, you need one strong workflow with local mapping.

What counts as a psychosocial hazard (plain language, usable list)

A psychosocial hazard is anything about work that could cause psychological harm. Safe Work Australia lists common hazards including job demands, low job control, poor support, lack of role clarity, poor organisational change management, poor organisational justice, traumatic events or material, remote or isolated work, poor physical environment, violence and aggression, bullying, harassment (including sexual and gender-based harassment), and conflict or poor workplace relationships and interactions. 

Safe Work Australia also explains that hazards can combine. Workload risk increases when people can’t take breaks or can’t access help. Build that reality into your ratings and controls.

How Refresh helps: Refresh standardises hazards with a tagged library so teams stop logging the same risk under different labels. That makes reporting meaningful across sites, business units, and countries.

What a psychosocial risk register includes (a structure that works in any spreadsheet or system)

If you want a register that stays practical, use a structure that forces evidence, controls, owners, and review. A widely used structure looks like this:

• Date issue raised

• Hazard or situation

• Information sources

• Harm consequences

• Harm likelihood

• Level of risk

• Controls in place

• Adequacy of controls

• Further controls required

• Actioned by and comments

• Date completed and comments

• Monitoring and review method

• Review date

This structure appears in official examples from regulators and works well whether you run it in a general spreadsheet risk register or in a dedicated system. 

How Refresh helps: Refresh gives you the same structure, then adds workflow statuses, role-based access, evidence expiry, reminders, dashboards, and an audit trail.

Step-by-step: build the register (and how Refresh runs each step)

Step 1: Set scope, access, and confidentiality

Choose the level that matches operations: enterprise, site, function, or team. Keep personal case details out of the register. Use the register to track hazards and system controls.

How Refresh helps: Refresh supports anonymous reporting and privacy-protected records for sensitive matters, while still letting you track risk themes, controls, and actions.

Step 2: Standardise hazard categories and write hazards in workplace language

Start with consistent categories, then write each entry in operational terms:

• “Job demands” becomes “queue time targets plus overtime above 10 hours weekly”

• “Poor support” becomes “no supervisor coverage on late shift, escalations go unanswered”

• “Role clarity” becomes “two managers assign conflicting priorities, rework spikes”

How Refresh helps: Refresh supports hazard tagging and scenario libraries so teams can create consistent entries quickly and compare risk across locations.

Step 3: Identify hazards using evidence streams (Refresh can be the evidence source)

Use at least three sources per entry:

• consultation outcomes

• incident and complaint patterns

• surveys and free-text themes

• workload data (overtime, backlog, wait times)

• HR trends (turnover, absence)

How Refresh helps: Refresh can run the inputs

• Incident reporting: Refresh can serve as your psychosocial incident reporting tool, including anonymous reporting, severity rating, immediate risk flags, affected worker and witness tracking, status workflow, and regulator notification tracking.

• Confidential intake: Refresh can capture sensitive risk disclosures with secure notes and protected records.

• Surveys: Refresh can run psychosocial surveys with branching logic, hazard tagging, automated scoring, and thresholds that flag emerging risk.

Step 4: Rate consequence and likelihood consistently

Use your existing risk matrix. Align consequence language to psychosocial harm so different leaders rate the same scenario similarly.

A practical approach ties likelihood to evidence. Through using qualitative ratings and ties likelihood to real indicators, such as recent psychological injury claims in the team. 

HSE tells employers to assess stress risk like other work-related health and safety risks and to act on it. 

How Refresh helps: Refresh supports inherent and residual ratings, rating notes, and versioned assessments. Teams can see how risk changed after controls, not just what the rating was at setup.

Step 5: Choose controls that reduce exposure and prove they work

Avoid the “training only” trap. Start with work design and system controls, then add training and support.

Safe Work Australia frames the duty as eliminating risk where reasonably practicable, otherwise minimising it so far as reasonably practicable. 

How Refresh helps: Refresh links controls to hazards, tracks evidence requirements (documents, policies, tests), tracks expiry and renewals, and supports control effectiveness reviews. Your register stops being “we have a policy” and becomes “here is the policy, here is the evidence, here is whether it works.”

Step 6: Turn controls into actions and close them out

A register only works when actions land. Owners need due dates and proof.

How Refresh helps: Refresh runs task tracking with owners, due dates, reminders, escalation, and completion history. It keeps comments and documents tied to the exact risk entry, so you don’t lose context.

Step 7: Review, learn, and improve (ongoing management)

Set a review cycle and also review when work changes: restructure, peak season, new systems, incident clusters, survey spikes.

Safe Work Australia notes that hazards can interact and combine, which means risk levels can shift quickly. 

How Refresh helps: Refresh schedules reviews, triggers reassessments from incidents and survey thresholds, and supports effectiveness reviews so your register reflects current work conditions.

Templates you can copy today

Template A: Psychosocial risk register headings (spreadsheet-ready)

Template B: Control adequacy scale

Template C: Workshop prompts (60 minutes)

• Where does workload spike, and what triggers it?

• Where do people lose control over how they do the work?

• Which roles face aggression, trauma exposure, or conflict?

• What change landed recently, and where did communication break?

• Where does role clarity fall apart and rework starts?

How Refresh helps: Refresh lets you capture workshop outputs as consultation evidence and link them directly to risks, controls, and actions.

Common mistakes to avoid (and how Refresh reduces them)

• Teams log “culture” instead of hazards.
  Refresh pushes consistent hazard categories and clearer descriptions.

• Teams rely on training as

  the fix.
  Refresh forces control evidence and effectiveness reviews, so “training done” doesn’t end the conversation.

• Teams skip consultation.
  Refresh links consultation records to risk assessments, so the evidence stays attached.

• Teams lose the trail across tools.
  Refresh keeps incidents, surveys, risk assessments, controls, evidence, actions, and reviews connected.

How Refresh makes the whole thing work at scale, globally

If you operate across Australia, the UK, Canada, and other regions, you don’t want separate tools and separate registers for each location. You want one consistent operating model and clear reporting by region.

Refresh supports that by running the end-to-end system:

• Detect: incident reporting, confidential intake, surveys, trend signals

• Assess: structured psychosocial risk register, versioned risk assessments

• Control: control library, evidence requirements, renewals, effectiveness reviews

• Manage: task tracking, due dates, reminders, overdue escalation

• Govern: dashboards, audit support, management review workflows, board-ready reporting

You can still start with a general spreadsheet risk register. When you want a connected system that holds up across sites and jurisdictions, Refresh can run it.