Directors and executives face personal criminal liability for psychosocial hazards in their workplaces. The penalties include fines exceeding $2 million and imprisonment up to 20 years. These penalties cannot be insured against. Regulators are actively prosecuting, and courts are convicting. This is not theoretical risk.

The enforcement landscape shifted decisively in late 2025 when the Department of Defence became the first Commonwealth employer convicted for failing to manage psychosocial risks, following the suicide of a Royal Australian Air Force technician. The court found that Defence knew the worker was not coping, had existing policies that should have addressed the risk, but failed to train supervisors to implement those policies. The fine was $188,000 against a maximum of $500,000. An adverse publicity order was also imposed.

This was not an isolated action. Court Services Victoria was convicted and fined $379,157 over a toxic workplace culture at the Coroners Court that contributed to an employee's suicide. WorkSafe WA commenced Category 1 prosecution against the Department of Justice for psychosocial failures at Bunbury Regional Prison, with a maximum penalty of $3.5 million. The pattern is clear: regulators treat psychological harm with the same seriousness as physical injury, and they are willing to prosecute at the highest offence categories.

For officers, the question is not whether these obligations exist. They do. The question is whether you can demonstrate, with documented evidence, that you took reasonable steps to ensure compliance. If you cannot, your personal assets and liberty are at stake.

The Legal Framework: Why Officers Are Personally Liable

Under Section 27 of the Work Health and Safety Act, officers have a positive, personal duty to exercise due diligence to ensure their organisation complies with WHS obligations. This duty applies in all jurisdictions that have adopted the model WHS laws (all states and territories except Victoria, which has similar provisions under the Occupational Health and Safety Act 2004).

The definition of "officer" is drawn from Section 9 of the Corporations Act 2001 and captures anyone who makes decisions, or participates in making decisions, that affect the whole or a substantial part of a business. This includes:

• Directors (executive and non-executive)

• Company secretaries

• Chief Executive Officers

• Chief Financial Officers

• Chief Operating Officers

• General Managers

• Senior executives whose roles influence organisational direction

Corporate Counsel, CFOs, and other senior advisors may also be officers if they do more than simply provide advice and actively participate in decision-making. The test is functional, not based on job title.

Three characteristics of the officer duty create particular exposure:

The duty is personal. It attaches to the individual, not to the role. An officer cannot satisfy the duty by pointing to organisational systems alone. The officer must personally take reasonable steps.

The duty is non-delegable. While officers can delegate tasks, they cannot delegate accountability. An officer who relies entirely on management reporting without independent verification has not discharged their due diligence obligation. As noted in Comcare's guidance for officers, you must still verify that WHS systems are working.

The duty is proactive. Due diligence requires taking steps before harm occurs. An officer who only engages with WHS matters after an incident has failed at the threshold requirement. The Australian Institute of Company Directors' guidance emphasises that directors must take reasonable steps to understand psychosocial risks and confirm that appropriate resources and processes are in place to manage them.

Critically, this duty extends to psychological health with the same force as physical safety. The WHS Act has always encompassed both physical and psychological health, and regulators have made explicit that psychosocial hazards must be managed through the same systematic risk management processes applied to any other workplace hazard.

The Six Statutory Requirements for Due Diligence

Section 27 of the model WHS Act specifies what due diligence requires. Officers must take reasonable steps to:

1. Acquire and Keep Up-to-Date Knowledge of WHS Matters

For psychosocial hazards, this means understanding what constitutes a psychosocial hazard, how these hazards manifest in your organisation's specific context, and what the current regulatory expectations are.

The Safe Work Australia Model Code of Practice identifies 17 common psychosocial hazards: job demands, low job control, poor support, lack of role clarity, poor organisational change management, inadequate reward and recognition, poor organisational justice, traumatic events or material, remote or isolated work, poor physical environment, violence and aggression, bullying, harassment including sexual harassment, conflict or poor workplace relationships, job insecurity, fatigue, and intrusive surveillance.

Officers cannot claim ignorance of hazards that are well-documented in regulatory guidance. The Commonwealth Code of Practice 2024 and Victorian Occupational Health and Safety (Psychological Health) Regulations 2025 provide additional specificity that officers should be aware of if their organisation operates in those jurisdictions.

2. Understand the Nature of Operations and Associated Hazards and Risks

This requires more than reading board reports. Officers need genuine insight into how work is organised, where pressure points exist, what complaints and incidents have occurred, and how different parts of the organisation experience their work environment.

The AICD guidance identifies warning signs that should prompt closer inquiry:

• Pattern of complaints and poor engagement scores surrounding one department or specific individuals

• Complaints managed by the legal department without input from the CEO or human resources

• Lack of or limited understanding at senior management level of the psychosocial hazards present

• Lack of worker consultation processes or inadequate consultation during hazard identification

If these patterns exist and an officer has not inquired into them, that failure may be raised in any subsequent prosecution.

3. Ensure the Organisation Has, and Uses, Appropriate Resources and Processes

Having policies is insufficient. The organisation must have functioning systems for identifying psychosocial hazards, assessing risks, implementing controls, and reviewing their effectiveness. These systems must be adequately resourced to operate effectively, not just documented for compliance purposes.

In the Department of Defence prosecution, Comcare specifically alleged that Defence's policies could only mitigate risks if they were applied and followed in practice, and if they were supported by training for those responsible for implementing them. Defence had policies. It did not have effective implementation. The conviction followed.

4. Ensure the Organisation Has Processes for Receiving, Considering and Responding to WHS Information

This includes processes for receiving and acting on incident reports, complaints, survey data, and other intelligence about psychosocial risks. The processes must enable timely response. Information that sits unactioned creates liability.

The Court Services Victoria case demonstrated the consequences of failing to respond to known information. The court heard that from 2015 to 2018, workers made numerous complaints including allegations of bullying, favouritism, verbal abuse, intimidation, and threats. A 2015 staff survey revealed the toxic nature of the workplace. Despite this knowledge, CSV admitted to failing to identify or assess the psychological risks. A worker died by suicide after being diagnosed with a work-related major depressive disorder.

5. Ensure the Organisation Has, and Implements, Processes for Complying with WHS Duties

This encompasses training, consultation, reporting, record-keeping, and all other compliance requirements. For psychosocial hazards, this includes consultation with workers about hazard identification and control measures, training for managers on recognising and responding to psychosocial risks, and documentation of risk assessments and control decisions.

The Victorian Regulations 2025 create specific triggers for review: when the employer becomes aware of any report, complaint, or incident in which a psychosocial hazard may be a factor; when the employer becomes aware of any changed circumstances that may give rise to a new or different risk; when a new psychosocial hazard is identified; or when the results of consultation indicate a review is necessary. An officer who cannot demonstrate that review processes exist and are operating has failed this element.

6. Verify That the Resources and Processes Are in Place and Effective

This is the element that distinguishes due diligence from passive oversight. Officers must actively verify that systems are working, not simply assume they are because they have been documented.

Verification might involve reviewing incident data, examining response times, checking that training has actually occurred, seeking independent assurance about system effectiveness, or conducting site visits. The Comcare guidance asks: Do your managers and workers believe that they can approach you and discuss issues and concerns in relation to work health and safety in the workplace, and do they believe you will take action on matters raised?

The Penalties: What Officers Face

The penalties for WHS breaches are substantial and escalating. Safe Work Australia publishes current penalty amounts, which are indexed annually.

Category 1 Offences: Gross Negligence or Reckless Conduct

A Category 1 offence occurs when a duty holder, without reasonable excuse, engages in conduct that exposes an individual to a risk of death or serious injury or illness, and does so with gross negligence or recklessness as to the risk.

Model WHS Act penalties (as at 1 July 2025):

• Officers: $818,000 and/or 5 years imprisonment

• Bodies corporate: $4,091,000

NSW penalties (since 1 July 2024):

• Officers: approximately $2.17 million and/or 10 years imprisonment

• Bodies corporate: approximately $10.8 million

NSW has more than doubled the maximum penalties and extended maximum imprisonment from 5 to 10 years. Penalty unit indexation means these figures increase annually.

Category 2 Offences: Failure Exposing to Risk

A Category 2 offence occurs when a duty holder fails to comply with a health and safety duty and that failure exposes an individual to a risk of death, serious injury, or illness.

Model WHS Act penalties:

• Officers: $409,000

• Bodies corporate: $2,046,000

Category 3 Offences: Failure to Comply with Duty

A Category 3 offence occurs when a duty holder fails to comply with a health and safety duty without the additional element of exposure to risk.

Model WHS Act penalties:

• Officers: $163,000

• Bodies corporate: $818,000

Industrial Manslaughter

Industrial manslaughter provisions now exist in Queensland, Western Australia, Victoria, Northern Territory, ACT, Tasmania, and the Commonwealth. The offence applies where the negligent conduct of a PCBU or senior officer causes the death of a worker.

Maximum penalties:

• Individuals (including officers): Up to 20 years imprisonment

• Bodies corporate: Up to $20.4 million (model WHS Act)

These are criminal penalties. A WHS prosecution is a criminal proceeding, and a conviction creates a criminal record with associated consequences for employment, travel, professional licensing, directorships, and reputation.

The Insurance Gap: This Risk Cannot Be Transferred

Many officers assume their Directors and Officers insurance will protect them from WHS penalties. This assumption is wrong.

NSW, Victoria, Western Australia, Queensland, and the ACT have enacted legislation prohibiting insurance coverage for WHS penalties. It is now an offence to:

• Enter into a contract of insurance or other arrangement under which a person is covered for liability for a monetary penalty under WHS laws

• Provide insurance or a grant of indemnity for such liability

• Take the benefit of such insurance or indemnity

In NSW, the Work Health and Safety Amendment Act 2023 made this prohibition complete by prescribing that any such contracts are void. It is not just an offence to have the insurance; you cannot rely on it even if you have it.

The rationale, as explained in the 2018 Marie Boland Review that recommended these changes, is straightforward: the deterrent effect of WHS penalties is significantly undermined if organisations and officers can recover penalty costs through insurance. Personal liability exists precisely to ensure that officers take active steps to comply with safety obligations. Allowing insurance would remove the incentive for proactive compliance.

D&O insurance can still cover legal defence costs in WHS prosecutions. But it will not indemnify officers for penalties resulting from conviction. If prosecuted and found guilty, officers pay fines from personal funds.

Courts have also demonstrated willingness to make non-indemnification orders even where legislation does not explicitly prohibit insurance. In ACCC v BlueScope Steel Limited (No 6) [2023] FCA 1029, the Federal Court ordered that a senior manager pay a $575,000 penalty personally and could not claim indemnity under D&O insurance, reasoning that if indemnified, the penalty would be entirely devoid of sting or burden. The court imposed the non-indemnification order to ensure the penalty served as a genuine deterrent.

The remaining jurisdictions (South Australia, Tasmania, Northern Territory) are expected to follow with similar prohibitions, as the model WHS laws were amended in June 2022 to include the prohibition.

Recent Prosecutions: What Regulators Are Actually Doing

Department of Defence (December 2025)

Comcare prosecuted the Department of Defence following the death of a 34-year-old Royal Australian Air Force technician who took his own life while on duty at RAAF Base Williamtown in July 2020.

The facts: In the six months prior to his death, the worker had been placed on four separate Work Plans as part of a performance management process. Comcare's investigation found that at no point during this process did the worker's supervisors refer him for support, place him on leave, or take any other steps to relieve the stress and pressure he clearly felt. The investigation found Defence knew the worker was not coping and was also experiencing personal issues.

The failure: Defence admitted it breached its primary health and safety duty by failing to provide training for supervisors on:

• Understanding how a Work Plan may be a psychosocial hazard

• Identifying psychosocial risks associated with workers subject to performance management

• Eliminating or minimising psychosocial risks arising from Work Plans, including when to refer a worker for medical assessment and when to suspend the process

The outcome: Defence pleaded guilty to a single Category 3 offence (reduced from the original three charges including a Category 2 offence). The court fined Defence $188,000 against a maximum of $500,000 and imposed an adverse publicity order.

The lesson: Policies exist on paper but fail in practice when supervisors are not trained to implement them. The risks were obvious and known through existing policies and guidelines. Comcare CEO Colin Radford stated: "These policies can only ever mitigate risk if they are applied and followed in practice, and if they are supported by training those responsible for implementing them."

Court Services Victoria (October 2023)

WorkSafe Victoria prosecuted Court Services Victoria over a toxic workplace culture at the Coroners Court of Victoria that contributed to the suicide of a worker and numerous others taking stress leave.

The facts: From at least December 2015 to September 2018, workers at the Coroners Court were exposed to traumatic materials, role conflict, high workloads and work demands, poor workplace relationships, and inappropriate workplace behaviours. Workers made numerous complaints including allegations of bullying, favouritism, cronyism, verbal abuse, derogatory comments, intimidation, invasions of privacy, and perceived threats to future progression.

In September 2018, the Coroners Court principal in-house lawyer died by suicide after being diagnosed with a work-related major depressive disorder. She had been required to perform three roles, worked long hours daily, and expressed concern about the impact taking leave could have on her professional reputation. While it was evident to many that she was deeply distressed and physically unwell, at least two managers wrongly attributed her symptoms to personal issues. No changes had been introduced to address her excessive workload.

The failure: CSV admitted it failed to conduct any adequate process to identify risks, and any adequate risk assessment of the risks to psychological health of employees at the Coroners Court.

The outcome: CSV was convicted and fined $379,157 with $13,863 in costs.

The lesson: Known risks that are not assessed and addressed create liability. A 2015 staff survey revealed the toxic culture. Internal emails documented the problems. Despite this knowledge, nothing adequate was done. WorkSafe Executive Director Narelle Beer stated: "It is an employer's legal duty to do everything they possibly can to support their workers to thrive in their roles and ensure they leave work each day no worse than how they arrived."

WA Department of Justice (2024)

WorkSafe WA commenced prosecution against the Department of Justice over psychological injury to a former prison officer at Bunbury Regional Prison.

The charges: The department was charged with breaching Section 19 (Primary duty of care) and Section 31 (Failure to comply with health and safety duty - Category 1) of the WHS Act 2020 (WA). This is the first time WorkSafe WA commenced prosecution under the current legislation over psychosocial issues.

The allegations: WorkSafe alleged the department failed to provide and maintain a safe work environment, resulting in serious psychological harm to a female prison officer. The alleged inappropriate behaviours included bullying, harassment (including sexual harassment), and victimisation. The department did not have proper procedures in place to deal with these behaviours.

Prior warning: WorkSafe had issued the department with an improvement notice in March 2023 requiring it to implement procedures to manage psychological safety, after finding that staff were repeatedly exposed to inappropriate comments and advances, bullying, intimidation, and threats.

Maximum penalty: $3.5 million. Under WA's WHS Act, the only offence higher than a Category 1 offence is industrial manslaughter.

The outcome: WorkSafe subsequently discontinued the prosecution based on fresh evidence obtained during proceedings. However, the case demonstrated regulatory willingness to pursue the most serious charges for psychosocial failures.

What Courts Consider "Reasonable Steps"

The defence to an officer due diligence charge is demonstrating that reasonable steps were taken. Recent case law provides guidance.

In SafeWork NSW v Miller Logistics Pty Ltd; SafeWork NSW v Mitchell Doble [2024] NSWDC 58, a director successfully defended charges despite a serious workplace injury. The court identified factors that demonstrated due diligence:

Appropriate expertise: The director hired a dedicated compliance manager responsible for WHS matters across the company's operations. The court held that the director "cannot know everything that is going on at any given moment. To run a corporation there must be a level of delegation." The director was entitled to rely on data from the compliance manager who was the primary resource for managing safety.

Regular engagement: The director attended weekly management meetings where WHS was a standing agenda item, new safety measures were discussed, and matters were minuted and followed up at subsequent meetings.

Active oversight: The director visited operational sites from time to time and instructed the compliance manager to promptly rectify any WHS issues identified.

Follow-through: Health and safety matters were minuted at management meetings and followed up. The director was not "hands-off" but took an active interest in WHS matters.

The court found the director not guilty because he could demonstrate proactive engagement with WHS, not merely passive receipt of assurances.

By contrast, in the Defence prosecution, the failure was that policies existed but supervisors were not trained to implement them. Simply having policies and procedures is insufficient. The court accepted that policies can only mitigate risk if applied and followed in practice.

Board Questions: What Directors Should Be Asking

The AICD guidance provides questions directors should ask to discharge their due diligence:

On hazard identification:

• What psychosocial hazards have been identified in our workplace?

• How were they identified? What data sources were used?

• When was the last assessment conducted?

• Are all 17 hazard categories in the Code of Practice being considered?

On risk assessment:

• How are identified hazards assessed for severity and likelihood?

• Is there a formal psychosocial risk register?

• How are hazard interactions considered?

• What are the highest-rated risks and what is being done about them?

On control implementation:

• What controls are in place for identified hazards?

• Are controls aligned with the hierarchy (elimination before administrative measures)?

• How is control effectiveness measured?

• Who is responsible for implementation and what are the timeframes?

On review and monitoring:

• What triggers a review of controls?

• How is the organisation responding to incidents and complaints?

• What does our workers' compensation claims data show about psychological injuries?

• Are review outcomes being actioned?

On consultation:

• Is the organisation consulting with workers on psychosocial hazards as required?

• Is consultation genuine and timely?

• What are workers telling us about their experience?

On training:

• Have managers been trained to identify and respond to psychosocial hazards?

• Is training being delivered as documented?

• Do supervisors understand that performance management processes can be psychosocial hazards?

On culture:

• What does complaint data suggest about organisational culture?

• Are there patterns of concern in particular areas or with particular individuals?

• Are workers comfortable reporting issues?

If you cannot answer these questions with documented evidence, you cannot demonstrate due diligence.

Common Failures: What Gets Officers Into Trouble

Analysis of prosecutions and regulatory guidance reveals consistent patterns:

Confusing surveys with risk management. Annual engagement surveys are not psychosocial risk assessments. Surveys measure worker perception and exposure; risk assessment requires identifying hazards, assessing severity and likelihood, and implementing controls. Many organisations believe they are managing psychosocial risk because they run pulse surveys when they have no systematic risk management process.

Policies without implementation. Having a bullying and harassment policy is not the same as having effective systems to prevent bullying and harassment. Policies must be supported by training, monitoring, response procedures, and verification that they are being followed. The Defence case specifically identified that policies can only mitigate risk if applied in practice.

Reactive approaches. WHS law requires elimination or minimisation of risks so far as reasonably practicable. This is a proactive obligation. Waiting until harm occurs and then responding is not compliance. Organisations must identify hazards and implement controls before harm occurs.

Individual focus rather than systemic. Psychosocial hazards are workplace factors, not individual vulnerabilities. An organisation that responds to psychological injury claims by offering EAP counselling without examining whether work design, management practices, or organisational culture created the risk has not addressed the hazard. The Victorian Regulations 2025 specifically prohibit using information, instruction, or training as the exclusive or predominant control measure unless other measures are not reasonably practicable.

Failure to act on known risks. Both the Defence and Court Services Victoria cases involved organisations that knew risks existed but failed to adequately address them. Warning signs were visible in surveys, complaints, and observable distress. Inaction in the face of known risk is the clearest path to prosecution.

Assuming compliance equals safety. Having documented systems does not mean those systems are working. Verification is a statutory requirement for officer due diligence. Officers must actively confirm that what is documented is actually happening.

How ReFresh Supports Officer Due Diligence

Meeting officer due diligence obligations for psychosocial hazards requires systems that detect hazards, assess risks systematically, implement controls with clear accountability, document decisions, and enable verification that controls are working. ReFresh provides the infrastructure for this systematic approach.

Demonstrable hazard identification. ReFresh enables structured psychosocial risk surveys and confidential incident reporting that create documented evidence of ongoing hazard identification across all 17 recognised hazard categories. Rather than relying on annual engagement surveys that do not meet regulatory requirements, organisations can demonstrate continuous monitoring with documented outcomes.

Systematic risk assessment. The platform maintains a formal psychosocial risk register using standardised risk matrices that consider duration, frequency, severity, and hazard interactions as required by the Model Code of Practice. Risk assessment decisions are documented with reasoning, creating the evidence trail that demonstrates systematic consideration of risks.

Control implementation with accountability. ReFresh provides compliance-mapped control libraries linked to regulatory requirements. Controls can be assigned to owners with clear deadlines, and implementation progress is tracked with evidence. Officers can verify that controls have actually been implemented, not just documented.

Review triggers and effectiveness verification. The platform prompts reviews when Victorian Regulations require them (following reports, incidents, or changed circumstances) and supports structured effectiveness reviews to verify controls are working. This addresses the verification element of due diligence that prosecutions have identified as a critical failure point.

Board-ready reporting. ReFresh provides governance reports demonstrating compliance status across ISO 45003, Safe Work Australia Code of Practice, and jurisdictional requirements. Officers can demonstrate to courts, if necessary, that they received meaningful information about psychosocial risks and acted on it.

Complete audit trails. Every action in the system is versioned and time-stamped. Consultation records, risk assessment decisions, control implementation progress, and review outcomes are linked in a single system. This documentation supports the defence that reasonable steps were taken.

The gap between what organisations document and what they actually do is where liability crystallises. ReFresh bridges that gap by embedding psychosocial risk management into operational workflow rather than treating it as a compliance exercise separate from how work is actually managed.

Taking Action

The enforcement landscape has shifted from theoretical to actual. Regulators are prosecuting. Courts are convicting. Penalties are substantial. Insurance will not cover them.

Officers cannot delegate this accountability. They cannot transfer this risk. The only protection is demonstrable due diligence: systems that work, not just systems that exist.

The question for every director and executive is whether they can demonstrate, with documented evidence, that they:

• Acquired and maintained current knowledge of psychosocial hazards

• Understood the specific hazards present in their organisation

• Ensured appropriate resources and processes were in place

• Ensured those processes were actually implemented

• Verified that systems were working effectively

If the answer is uncertain, the time to act is now. The cost of non-compliance is measured in personal fines exceeding $2 million, criminal convictions, imprisonment up to 20 years, and reputational consequences that cannot be undone.

This article provides general information about workplace health and safety requirements and should not be relied upon as legal advice. Requirements vary by jurisdiction and may have changed since publication. Consult relevant codes of practice, regulatory guidance, and qualified advisors for specific circumstances.

ReFresh helps organisations detect, assess, control, and govern psychosocial risk with defensible evidence and systematic WHS compliance. To understand how ReFresh can support your due diligence obligations, visit refresh.tech.