
Last updated: February 2026

Most organisations know they need to get moving on psychosocial risk. The legislation is in place. The regulators are active. The penalties are real. But when it actually comes time to start, the same question comes up: where do we begin?
The honest answer from most HR and WHS teams right now is that they are still figuring that out. Many are scrambling. Some have started running surveys without knowing what to do with the results. Others have jumped straight into incident reporting, only to find they have no documented process for responding when something comes in. A few have built out risk registers but have no controls linked to them and no consultation trail to back them up.
The problem is not a lack of effort. It is sequence. Getting psychosocial risk assessments right is less about doing everything at once and more about doing things in the right order.
This post walks through that order, phase by phase, and shows exactly how ReFresh supports organisations through each step. But first, it is worth stepping back and understanding what a psychosocial risk assessment actually is, because this is where most organisations get it wrong before they even start.
What Is a Psychosocial Risk Assessment?
A risk assessment is a structured process for working out what could go wrong, how likely it is to happen, and how serious the consequences would be if it did. In the context of psychosocial hazards, it means looking at the factors in your workplace that could cause psychological harm to your workers and determining the level of risk each one presents.
The Model Code of Practice: Managing Psychosocial Hazards at Work requires PCBUs to detect psychosocial hazards, assess the risks associated with them, implement controls to manage those risks, and review whether those controls are working. This is the same detect, assess, control, review cycle that applies to physical hazards under WHS law. The difference is that most organisations have been doing physical risk assessments for decades, while psychosocial risk assessment is still new territory for many.
A psychosocial risk assessment asks two core questions for each hazard. How likely is it that this hazard will cause harm in our workplace? And if it does cause harm, how severe could the consequences be? Likelihood and consequence together give you a risk rating. That risk rating tells you how urgently the hazard needs to be addressed and what level of control is appropriate.
But here is where things get more nuanced. There are two kinds of risk rating that matter.
Inherent risk is the level of risk that exists before any controls are in place. It reflects the raw exposure. If your organisation has shift workers in remote locations, the inherent risk of fatigue-related harm is high, regardless of what you have done about it. If you employ people in client-facing roles where verbal abuse is common, the inherent risk of workplace violence is elevated. Inherent risk is about the nature of the work itself.
Residual risk is the level of risk that remains after you have put controls in place. You have acknowledged the hazard, assessed how serious it is, implemented controls to reduce the likelihood or the severity, and now the residual risk reflects what is left over. In a well-managed system, residual risk should be significantly lower than inherent risk. If it is not, your controls are not working.
Understanding the difference between these two is critical because it determines how you prioritise, how you allocate resources, and how you demonstrate to a regulator that you are actually managing risk rather than just listing it. A risk register full of hazards with no movement from inherent to residual risk is not a risk management system. It is a document that proves you knew about the problems and did nothing effective about them.
Why Risk Scenarios Matter
Most organisations that attempt psychosocial risk assessment start with a list of hazards. Bullying. Harassment. High job demands. Low job control. That list is a starting point, but it is not a risk assessment.
A risk scenario takes a hazard and turns it into something your organisation can actually work with. It describes a realistic situation where the hazard could cause harm in your specific workplace, the workers who are most likely to be affected, the controls that should be in place to prevent or reduce the harm, and the policies that apply when something goes wrong.
Take workplace bullying as an example. The hazard is "bullying." The risk scenario might describe a situation where a team leader in a high-pressure operational environment engages in repeated unreasonable behaviour toward a direct report, including public criticism, exclusion from meetings, and unrealistic deadlines. The scenario maps out the likelihood based on your workforce structure and culture, the potential consequences including psychological injury, workers compensation claims, and regulator scrutiny, and the controls that should already be in place to prevent this from escalating.
This is fundamentally different from just writing "bullying" on a risk register. A risk scenario gives you something actionable. It connects the hazard to your workplace reality, links it to specific controls and policies, and creates the documented narrative that a regulator expects to see if something goes wrong.
Without risk scenarios, you are guessing. When an incident comes in, you have no pre-mapped response. You do not know what controls should have been in place. You cannot demonstrate that you thought about this hazard in advance and took reasonable steps to manage it. You are starting from zero at the exact moment you need to be operating from a position of preparation.
How the Hierarchy of Controls Applies to Psychosocial Risk
The hierarchy of controls is a well-established framework in WHS for selecting the most effective control measures. It applies to psychosocial hazards in the same way it applies to physical hazards, but many organisations do not treat it that way. They jump straight to administrative controls like policies and training, which sit near the bottom of the hierarchy, without first considering whether higher-order controls could reduce the risk more effectively.
The hierarchy, in order of effectiveness, is: elimination, substitution, isolation, engineering controls, administrative controls, and personal protective equipment. For psychosocial hazards, this translates into practical decisions about how you design work, structure roles, and manage the environment.
Elimination means removing the hazard entirely. Can you redesign a role to remove the source of excessive job demands? Can you change a shift pattern to eliminate chronic fatigue risk? Substitution means replacing a high-risk process with a lower-risk one. Can you replace a manual, high-pressure reporting process with an automated one that reduces time pressure on workers? Isolation and engineering controls might mean redesigning the physical workspace to reduce exposure to aggressive customers, installing barriers, or changing workflow systems. Administrative controls include policies, procedures, and training. PPE in the psychosocial context might include employee assistance programs or individual support mechanisms.
The point is not that administrative controls are useless. Policies and training are essential. But they should not be the first or only thing you reach for. A policy telling workers how to report bullying does not prevent the conditions that make bullying likely in the first place. Training managers to recognise psychosocial hazards does not change the organisational design that created them.
When you map your controls against the hierarchy for each risk scenario, you get a much clearer picture of whether your control strategy is actually effective or whether you are relying too heavily on lower-order measures. A regulator looking at your risk register will notice the difference. An organisation that can show it considered elimination and substitution before falling back on administrative controls demonstrates a far more mature and defensible approach to psychosocial risk management.
Why Preparation Beats Reaction
This is the core argument of this entire post, and it applies directly to how you approach risk assessments. An organisation that has mapped its risk scenarios, assessed the inherent risk of each psychosocial hazard, applied controls using the hierarchy, and documented the residual risk is in a fundamentally different position when an incident occurs compared to an organisation that has done none of this.
Consider two organisations. Both receive a bullying complaint on the same day.
Organisation A has a risk scenario for workplace bullying already mapped. It assessed the inherent risk as high based on its workforce structure. It implemented controls at multiple levels of the hierarchy: it redesigned reporting lines to reduce power imbalances (engineering), updated its bullying and harassment policy (administrative), trained managers on early intervention (administrative), and ensured workers had access to confidential support (individual). The residual risk was assessed as moderate. When the complaint comes in, Organisation A can immediately link it to the existing risk scenario, review whether the controls failed, conduct the investigation using a documented process, and update the risk rating based on the outcome.
Organisation B has a general bullying policy somewhere on the intranet. No risk scenario. No inherent risk assessment. No documented controls. When the complaint comes in, Organisation B scrambles. What is our process? Who handles this? What policies apply? What are we supposed to do? Everything is built from scratch while the situation is live.
If a regulator examines both organisations after the same type of complaint, Organisation A can demonstrate a systematic, proactive approach. It thought about this hazard in advance. It assessed the risk. It implemented controls at multiple levels. It documented everything. The incident does not prove the system failed. It proves the system exists and is being used.
Organisation B cannot demonstrate any of this. The regulator sees a reactive, ad hoc response. The absence of pre-incident documentation is itself a finding. It suggests the organisation did not take its positive duty seriously.
This is why the sequence matters. The risk assessment work, the risk scenarios, the hierarchy of control mapping, the documentation of inherent and residual risk, all of this needs to happen before incidents start arriving. Not because it prevents all incidents. It will not. But because it puts you in a position where every incident is managed within a system that was designed for exactly this purpose.
Why Sequence Matters More Than Speed
There is real pressure to move fast. The Model Code of Practice: Managing Psychosocial Hazards at Work requires PCBUs to detect, assess, control, and review psychosocial risks. The WHS Regulations impose a positive duty on businesses to manage these hazards proactively. The Commonwealth Code of Practice (2024) expanded the list of recognised hazards to include fatigue, job insecurity, and intrusive surveillance. Victoria introduced its own OHS Psychological Health Regulations. The clock is well and truly ticking.
But rushing the rollout creates its own risks. Here is the scenario that plays out more often than most organisations would like to admit.
You launch an incident reporting channel. Within the first month, a bullying complaint comes in. It is serious. Multiple people are involved. HR needs to investigate. Legal wants to be across it. The insurer needs to be notified. The board wants a briefing.
And then the questions start. What is our investigation process? Where do we document the consultation? What policies apply here? Who has access to this information? What is our risk scenario for bullying, and what controls were supposed to be in place?
If you have not done the pre-incident work, you are building the plane while flying it. And that is exactly the kind of reactive, poorly documented response that regulators and insurers scrutinise most heavily.
The right approach has three phases, done in order: pre-incident controls first, detection and incident reporting second, and post-incident management built into ongoing operations.
Phase 1: Pre-Incident Controls (Do This First)
Before you open any reporting channels or run any surveys, you need your foundation in place. This is the work that ensures you are prepared to respond properly when something happens, and that you can demonstrate to a regulator you took a proactive, systematic approach.
ReFresh is built around this exact principle. The platform is structured so that organisations complete their pre-incident setup before activating incident reporting. This is deliberate. It means that when your first complaint arrives, you are not starting from zero.
Map your risk scenarios and assess the risk
Start by detecting the psychosocial hazards most relevant to your organisation. Safe Work Australia's Model Code of Practice recognises 17 common psychosocial hazards, including high job demands, low job control, bullying, harassment, poor organisational change management, and workplace violence.
Not every hazard carries the same level of risk in your workplace. A manufacturing operation with shift workers has a different risk profile to a corporate office. A healthcare organisation faces different psychosocial pressures than a logistics company. The goal is to build out risk scenarios for the hazards that are most relevant to your workforce and assess the inherent risk of each one based on the likelihood of harm and the severity of consequences in your specific context.
For each risk scenario, you should document the hazard, the realistic situation in which it could cause harm, the workers most likely to be affected, and the inherent risk rating before any controls are applied. This becomes the baseline against which you measure everything else. Once controls are in place, you assess the residual risk to see how much the controls have reduced the exposure. If the residual risk is still too high, you need stronger or additional controls.
How ReFresh helps: ReFresh provides pre-built, templated risk scenarios for each of the recognised psychosocial hazards. Instead of your team starting from a blank page, ReFresh gives you a structured risk scenario for workplace bullying, sexual harassment, high job demands, and every other hazard, complete with recommended controls and linked policies. You review these templates, tailor them to your workplace, and your risk register is built on a solid foundation from day one. Each risk scenario in ReFresh captures the inherent risk rating and, once controls are applied, the residual risk rating, so you can clearly see the gap between uncontrolled exposure and your current risk position. No more static spreadsheets. Every risk scenario connects dynamically to the controls, policies, incidents, and consultations that relate to it. When a control is updated or an incident occurs, the connected risk scenario reflects the change.
Map your controls against the hierarchy
Once your risk scenarios are in place, the next step is to determine what controls will address each one. This is where the hierarchy of controls becomes essential. For each risk scenario, work through the hierarchy from the top down. Can you eliminate the hazard? If not, can you substitute, isolate, or engineer the risk down? Only after those options are exhausted should you rely on administrative controls like policies and training, or individual-level measures like employee assistance programs.
Most organisations default to administrative controls because they are the easiest to implement. Write a policy. Run a training session. Put a poster on the wall. These measures are necessary, but they sit near the bottom of the hierarchy for a reason. They depend on individual behaviour and compliance. Higher-order controls change the system itself, which is more effective and more defensible.
For example, if your risk scenario for high job demands identifies that workers in a particular team are consistently overloaded because of understaffing, the most effective control is not a resilience training program. It is addressing the staffing issue. If your risk scenario for workplace violence identifies that workers are exposed to aggressive customers because of the physical layout of a service counter, the most effective control is redesigning the counter, not just training workers on de-escalation.
The hierarchy does not mean you should only use high-order controls. A well-designed control strategy uses multiple levels. But it does mean you should be able to justify your choices and demonstrate that you considered the full range of options rather than defaulting to the easiest ones.
How ReFresh helps: ReFresh structures your controls so they link directly to the risk scenarios they address. Each control is documented with its rationale, implementation details, and the level of the hierarchy it sits at. This means you can see at a glance whether your control strategy for a given hazard is weighted toward the top of the hierarchy or whether you are relying too heavily on administrative measures. When you add a control, ReFresh connects it to the risk scenario, the policies that support it, and the evidence of its implementation. This creates the documented, auditable trail that shows a regulator you did not just pick the easiest controls available. You worked through the hierarchy and made deliberate, informed decisions about how to manage the risk.
Get your policies finalised
Every risk scenario should connect to a relevant policy. Bullying and harassment policies, sexual harassment policies, complaint handling procedures, investigation protocols, consultation processes, return-to-work guidelines for psychological injury. These documents need to exist, be current, and be accessible before you start receiving reports.
Certain documents need to be reviewed quarterly. Others annually. Some require board approval. Getting this governance structure in place now avoids significant problems later.
How ReFresh helps: ReFresh provides a full document management system built specifically for psychosocial and wellbeing compliance. You can store, manage, and track every policy with version control, renewal dates, and expiry alerts. The platform tells you when a document is due for review based on legislative requirements, so nothing lapses without someone knowing about it. Every policy links directly to the risk scenarios and controls it supports, so there is a clear, auditable connection between what you said you would do and the documentation that backs it up.
Establish your consultation framework
Consultation is one of the most underestimated requirements in psychosocial compliance. The Model Code of Practice requires PCBUs to consult with workers and their representatives when detecting hazards, assessing risks, and making decisions about control measures. This is not a one-off exercise. It is an ongoing obligation.
Before any incidents come through, you should have a clear framework for how consultations will work. Who leads them? Who takes notes? How are outcomes recorded? How are agreed actions tracked and followed up?
How ReFresh helps: ReFresh gives you a structured consultation workflow, not just a place to log meeting notes. Each consultation records the participants (who can choose to remain anonymous or be named), the summary of what was discussed, the key outcomes, the feedback raised, the actions agreed, and the follow-up steps. Every consultation links directly to the specific incident, risk scenario, or control it relates to. This creates the documented trail that regulators expect to see: proof that you consulted with the right people, at the right time, about the right issues, and that you followed through on what was agreed.
Set up your access controls
Psychosocial cases involve sensitive information and multiple stakeholders with different needs. Before any incidents are reported, you need to determine who will have access to what. The affected worker should not see the respondent's statement. The insurer should not have access to the full investigation file until it is ready. Legal counsel needs to see everything, but a line manager might only need to know that an investigation is underway.
How ReFresh helps: ReFresh provides over 45 configurable access roles. Employees, managers, HR, legal counsel, insurers, external auditors, SafeWork inspectors, and board members can all operate within the same platform with different levels of visibility. You decide who sees what at every stage of a case. ReFresh also uses a complex authentication system that allows you to invite external parties, like lawyers, insurers, or auditors, into a controlled environment where they can see only the specific documentation relevant to their role. This means an external SafeWork inspector can be given access to the evidence for a specific incident without seeing everything else in the platform.
Train your managers
Your managers will be the first people to hear about psychosocial issues in most cases. They need to know what to do and, just as importantly, what not to do. That means understanding the reporting process, knowing how to respond to a disclosure without making promises they cannot keep, and being clear on their obligation to escalate rather than try to resolve things informally when the situation requires a formal process.
How ReFresh helps: ReFresh provides training template materials that organisations can use to run manager and leadership training on psychosocial risk and the reporting process. ReFresh is a software platform, so it does not deliver the training itself, but it gives you the structure and content to ensure your training covers the right topics and aligns to your policies and workflows within the platform. This means the training your managers receive directly reflects the system they will actually use day to day.
Get your employees across the policies
New and existing employees need to be aware of the psychosocial and wellbeing policies that apply to them. Under Australian privacy requirements, employees should have the opportunity to read and accept workplace policies. This is not just good practice. It is a governance requirement.
How ReFresh helps: Every new employee who is onboarded onto ReFresh receives an email with all relevant psychosocial and wellbeing policies. They can access their personal employee dashboard, read each policy, and formally accept it. ReFresh tracks who accepted, when they accepted, and which version of the policy they accepted. If an incident occurs and a worker claims they were never told about the reporting process or the relevant policy, you have a documented acceptance record. Most employees will not read every word, and that is fine. The point is they had the opportunity, they accepted the policies, and you have the evidence.
Know where you stand
One of the biggest challenges in Phase 1 is knowing how far through the setup you actually are. It is easy to feel like you are making progress but have no clear picture of what is done and what is still outstanding.
How ReFresh helps: The ReFresh dashboard shows your completion status for pre-incident controls, broken down by compliance framework. If you are operating under the New South Wales framework, for example, you can see exactly what percentage of your pre-incident tasks are complete, what is still outstanding, and what needs attention. This gives you and your leadership team a clear, real-time view of your compliance readiness, rather than relying on someone's best guess.
Phase 2: Detection and Incident Reporting (Roll This Out Second)
Once your pre-incident controls are in place, you are ready to start actively detecting psychosocial hazards and receiving reports.
Run psychosocial risk surveys
Surveys are one of the primary tools for detecting psychosocial hazards across your workforce. But the surveys you run matter enormously.
General wellbeing or engagement surveys, the kind built into most HRIS platforms, measure sentiment. They tell you how people feel. They do not assess the specific psychosocial hazards recognised in the Safe Work Australia Code of Practice and ISO 45003. Running an engagement survey and calling it psychosocial hazard detection is one of the most common mistakes organisations make, and it leaves you exposed because you measured the wrong things.
Survey results should feed directly into your risk assessment. If a survey detects elevated job demands across a particular team, that data should update the inherent risk rating for the relevant risk scenario and trigger a review of whether existing controls are adequate. This is the connection between detection and assessment that most organisations miss. They run surveys, generate reports, and then nothing happens because the data is not linked to the risk register.
How ReFresh helps: ReFresh includes psychosocial risk surveys designed and aligned to the Safe Work Australia Code of Practice and ISO 45003. These surveys detect the specific legislatively recognised hazards that matter for compliance, not just general sentiment. ReFresh also blends wellbeing survey questions into the same survey experience, so your employees complete one survey that covers both psychosocial risk detection and broader wellbeing measurement. This gives you a proper combination of WHS and HR data in one place, rather than running separate tools that never talk to each other. The data from these surveys feeds directly into your risk register, so detected hazards are immediately connected to the risk scenarios and controls you set up in Phase 1.
Activate incident reporting
With your risk scenarios mapped, controls documented, policies finalised, consultation frameworks established, access architecture set up, and managers trained, you can now open incident reporting with confidence.
When the first bullying complaint, harassment report, or psychosocial hazard concern comes through, you are not starting from scratch. You have the risk scenario already mapped. You know the inherent risk. You know what controls were supposed to be in place. The relevant policies are finalised and accessible. The consultation framework is ready to go. The investigation process is documented. The access controls ensure the right people see the right information.
This is the difference that preparation makes. Every piece of pre-incident work you completed in Phase 1 now becomes the framework within which the incident is managed. Without it, you are improvising. With it, you are executing a system.
How ReFresh helps: ReFresh provides a full incident reporting system specifically for psychosocial hazards. Employees can report incidents anonymously or with their name attached. Each incident report captures the details of what happened, supporting documents, and the severity of the situation. From the moment an incident is submitted, ReFresh links it to the relevant risk scenario, the controls you had in place, and the policies that apply. Managers and HR receive notifications based on severity and assignment. The incident immediately enters a structured workflow with a clear status, due dates, assigned owners, and a full history of every action taken. Nothing sits in someone's inbox waiting to be dealt with.
Link everything together
This is where the value of doing things in the right order really shows. When an incident comes in, it should immediately connect to the pre-incident work you already completed.
How ReFresh helps: This is what sets ReFresh apart from any combination of general-purpose tools. Every incident links to a risk scenario. Every risk scenario links to its controls and policies. Every investigation links to its source incident. Every consultation links to its participants, outcomes, and follow-up actions. Every control links to the risk it addresses and the evidence that supports it. When a regulator, insurer, or board member asks "show me your process," you open ReFresh and the entire documented narrative is there: what happened, what you did, why you did it, and the evidence that you followed the legislative requirements at every step. You do not need to reconstruct this from five different systems. It is all in one place, connected by design.
Phase 3: Post-Incident Management (Build This Into Ongoing Operations)
Once an incident has been reported and responded to, the work continues. Post-incident management is where organisations demonstrate that they learn from what happens and continuously improve their controls.
Conduct and document investigations
Every psychosocial incident that warrants an investigation needs to be managed through a structured process. This includes documenting the scope, the people involved, statements collected, findings, the root cause analysis, contributing or systemic factors, and any policy breaches detected.
How ReFresh helps: ReFresh provides a full investigation management workflow. You can manage the different people involved in the investigation, whether you need to collect statements from them, record interview notes, and track the progress of each step. The investigation links back to the original incident report, the risk scenario it falls under, and every consultation conducted during the process. Findings are documented with root cause analysis, contributing factors, systemic issues, and any policy breaches. This creates the end-to-end documentation trail that regulators and insurers expect.
Review your controls against the hierarchy
After an incident, you should review whether the controls you had in place were adequate. Did the risk scenario you planned for match what actually happened? Did the controls work as intended, or did the incident expose a gap?
This is where the hierarchy of controls becomes critical again. If your controls for a particular hazard were primarily administrative, like policies and training, and an incident still occurred, the review should ask whether higher-order controls could have been more effective. Could you have eliminated or substituted the source of the hazard? Could you have engineered the risk down through system or process changes? The incident itself is evidence that your existing control strategy may not be sufficient, and the hierarchy gives you a structured way to evaluate what needs to change.
The WHS Regulations require PCBUs to review control measures on an ongoing basis and whenever there is an indication a control is no longer effective. An incident is a clear trigger for that review.
How ReFresh helps: ReFresh tracks control effectiveness through structured reviews. After an incident, you can review the linked controls, assess whether they worked, and determine whether your control strategy needs to move higher up the hierarchy. Every change is documented with a full history, so you can demonstrate a continuous improvement approach. If a control needs to be replaced or strengthened, ReFresh links the updated control back to the risk scenario and the incident that triggered the review. This shows a regulator that you are not just ticking boxes but actively managing risk in response to what happens in your workplace, and that you are applying the hierarchy of controls rather than defaulting to the same administrative measures that already proved insufficient.
Update your risk register
Your risk register should be a living system. After an incident, update the relevant risk scenario with what occurred, how you responded, and any changes to controls or policies. The residual risk rating may need to change. If the incident revealed that your controls were less effective than you thought, the residual risk is higher than your previous assessment indicated. If you strengthened your controls in response, the new residual risk may be lower. Either way, the risk register should reflect reality, not a one-time assessment that never gets updated.
If the incident revealed a new hazard or a combination of hazards you had not previously considered, add a new risk scenario. Your risk register grows and becomes more accurate over time as real-world data feeds back into it.
How ReFresh helps: Because everything in ReFresh is linked, updating your risk register after an incident is not a manual rebuild. The incident, investigation, consultations, and control reviews are already connected to the risk scenario. You update the risk rating, add any new treatment plans, and the risk register reflects the current state of that hazard across your organisation. Over time, your risk register becomes a comprehensive, living record of how your organisation detects, assesses, and controls psychosocial risk, with a clear trail showing how inherent risk, controls, and residual risk have evolved in response to what actually happens in your workplace.
Report to the board and executive team
Your leadership team and board need visibility into psychosocial and wellbeing risk across the organisation. Under officer due diligence obligations, directors and officers have personal liability for ensuring the organisation meets its WHS duties.
Regular board reporting should cover the number and nature of incidents, the status of investigations, control effectiveness, survey results, compliance status across jurisdictions, and emerging trends. It should also include a clear view of how the organisation's risk profile is changing over time, showing the movement from inherent to residual risk across key psychosocial hazards and whether the overall risk posture is improving.
How ReFresh helps: ReFresh generates automated board reports that consolidate every data point in the platform: incidents, investigations, risk ratings, control effectiveness, survey results, and compliance status. The report generates automatically each month. No one on your team spends hours pulling data from four different systems and stitching it together in PowerPoint. Your board gets a clear, current view of psychosocial and wellbeing risk, and the report itself becomes part of your governance evidence.
Feed insights back into pre-incident controls
The final step closes the loop. Insights from incidents, investigations, surveys, and control reviews should feed back into your pre-incident controls. Update your risk scenarios. Refine your policies. Adjust your consultation frameworks. Improve your training. Re-evaluate whether your controls are sitting at the right level of the hierarchy.
This is the continuous improvement cycle that the Model Code of Practice expects. Detect, assess, control, review. Repeat. Each cycle makes your organisation better prepared for what comes next. Each cycle tightens the gap between inherent and residual risk. Each cycle makes your risk assessment more accurate because it is based on real-world evidence rather than assumptions.
How ReFresh helps: Because ReFresh connects every element of the psychosocial compliance lifecycle, insights from post-incident work flow naturally back into your pre-incident controls. A completed investigation might reveal that a risk scenario needs to be updated, a policy needs to be revised, or a control needs to move higher up the hierarchy. These updates happen within the same platform, connected to the evidence that prompted them. Your compliance posture improves with each cycle, and the documentation trail shows exactly how and why it improved.
What If You Are Already Mid-Crisis?
Some organisations reading this will already have complaints coming in without the foundation in place. That is a common reality and it does not mean you have to wait until everything is perfect before using a system like ReFresh.
ReFresh allows you to manage live incidents while simultaneously building out your pre-incident controls. You can set up and run investigations, record consultations, and manage access controls for active cases from day one. At the same time, you work through the pre-incident setup, building your risk scenarios, mapping controls against the hierarchy, finalising policies, and establishing your consultation frameworks.
The platform tracks your progress on both fronts. Your dashboard shows your pre-incident completion status alongside your active incident workload, so you have a clear picture of where you stand and what still needs attention. The goal is to get the foundation in place as quickly as possible so that each subsequent incident is handled with a stronger, more documented process than the last. Even partial preparation is better than none. Every risk scenario you map, every control you document, every policy you finalise makes your response to the next incident more defensible than the last.
The Takeaway
Psychosocial and wellbeing compliance is not something you can wing. The organisations that get this right do not necessarily move the fastest. They move in the right sequence. And they invest in understanding what a psychosocial risk assessment actually requires: structured risk scenarios, controls mapped against the hierarchy, inherent and residual risk ratings that reflect reality, and a documented system that connects all of it together.
Pre-incident controls come first. Detection and incident reporting come second. Post-incident management builds into ongoing operations. Each cycle feeds back into the next, creating a system that gets stronger over time.
The organisations still scrambling are the ones that skipped the first step. They went straight to surveys or incident reporting without the foundation in place, and now every new complaint exposes the gaps. They have no risk scenarios, no hierarchy of control mapping, no documented movement from inherent to residual risk, and no way to demonstrate to a regulator that they took a systematic approach.
ReFresh was built for this exact sequence. It guides organisations through pre-incident setup, provides templated risk scenarios so you are not starting from scratch, structures controls against the hierarchy so your approach is defensible, connects every incident to the controls and policies that apply, and generates the governance documentation that proves you did the right thing.
If you want to see how it works for your organisation, book a demo and we will walk you through it.
Disclaimer: This article provides general information about psychosocial risk assessments and WHS compliance and should not be relied upon as legal advice. Requirements vary by jurisdiction and may have changed since publication. Consult relevant legislation, regulatory guidance, and qualified advisors for specific circumstances.
For more information on how to detect, assess, and control psychosocial hazards in your workplace, visit refresh.tech. ReFresh helps organisations build defensible, systematic approaches to psychosocial risk management and WHS compliance.

