

The comfortable assumption that annual engagement surveys and Employee Assistance Programs satisfy legal obligations for managing psychosocial hazards is dangerously wrong. Regulators are prosecuting, courts are convicting, and the financial stakes have never been higher.
Consider this scenario: An organisation's psychosocial "compliance documentation" consists of a staff satisfaction survey summary and a brochure for their EAP provider. When asked about the risk register, hazard identification process, and control hierarchy documentation, leadership draws a blank.
This situation is not unusual. Across Australia and increasingly worldwide, businesses are conflating employee wellbeing initiatives with psychosocial risk management. The gap between what organisations are doing and what the law actually requires could expose them to serious liability, including personal liability for directors and officers.
The Enforcement Reality Has Changed
Regulators are no longer treating psychosocial hazards as a secondary concern. In October 2024, WorkSafe WA charged the Western Australian Department of Justice with failing to manage psychosocial hazards at Bunbury Regional Prison. The charges relate to psychological harm suffered by a female prison officer from alleged bullying, harassment (including sexual harassment), and victimisation. The maximum penalty: $3.5 million. This was the first psychosocial prosecution under WA's current legislation.
In Victoria, Court Services Victoria was convicted and fined $379,157 over a toxic workplace culture at the Coroners Court that contributed to the suicide of one worker and numerous others taking stress leave. The court found that from 2015 to 2018, workers faced exposure to traumatic materials, role conflict, high workloads, poor workplace relationships, and inappropriate workplace behaviours. Court Services Victoria admitted it failed to conduct any adequate process to identify risks, and any adequate risk assessment of the risks to psychological health. The organisation had survey data showing the problem. It had email complaints documenting the issues. What it lacked was a system to act on that information.
These cases signal a fundamental shift. Regulators are treating failures to manage psychosocial hazards with the same seriousness as failures to manage physical hazards. Under WA's WHS Act, the only offence higher than the Category 1 charge laid against the Department of Justice is industrial manslaughter.
The Financial Case for Systems
The cost trajectory of psychosocial injury claims makes inaction increasingly untenable.
Mental injury compensation claims crossed the $1 billion annual threshold in 2024-25, five years ahead of projections. In 2021, the Committee for Economic Development of Australia warned that mental health claims would double by 2030. That milestone arrived early, and growth continues at approximately 14.7% annually.
The numbers tell a stark story:
Claim costs: The median compensation for mental health conditions has reached $65,400 per serious claim, compared to approximately $16,000 for all injuries and diseases. In NSW, the average cost of a psychological injury claim has escalated from $146,000 in 2019-20 to $288,542 in 2024-25.
Time lost: Workers with mental health claims take a median of 37 weeks off work, compared to 7 weeks for other injuries. That represents more than four times the productivity loss.
Claim volume: Mental health conditions now account for over 10% of all serious workers' compensation claims, representing a 37% increase since 2017-18.
Total economic impact: Safe Work Australia research indicates that eliminating workplace injuries and illnesses would grow Australia's economy by $28.6 billion annually.
For CFOs focused on bottom lines: a comprehensive psychosocial risk management program costs approximately $50-150 per employee annually. A single mental health claim costs $65,400 in direct compensation alone, with total costs including productivity loss, recruitment, and retraining estimated at $150,000-$250,000 per claim. The mathematics favour prevention.
The Legal Framework Most Organisations Are Getting Wrong
The Work Health and Safety Act does not ask whether employees feel supported. It requires that organisations systematically identify, assess, control, and monitor psychosocial hazards in the same way they manage physical risks like falls from heights or hazardous chemicals.
Safe Work Australia's Model Code of Practice: Managing psychosocial hazards at work is explicit: a Person Conducting a Business or Undertaking must eliminate psychosocial risks, or if that is not reasonably practicable, minimise them so far as is reasonably practicable. The Commonwealth Code of Practice, which took effect in late 2024, identifies 17 specific psychosocial hazards. These include job demands, low job control, poor support, lack of role clarity, poor change management, inadequate reward and recognition, poor organisational justice, traumatic events and material, remote or isolated work, poor physical environment, violence and aggression, bullying, harassment, conflict, job insecurity, fatigue, and intrusive surveillance.
In Victoria, the Occupational Health and Safety (Psychological Health) Regulations 2025 now require employers to identify psychosocial hazards, implement control measures, and review those controls when circumstances change. This includes when an employee reports a psychological injury or hazard. WorkSafe Victoria has stated it expects employers to demonstrate safety management systems aligned with these requirements from commencement.
ISO 45003, the first global standard for psychological health and safety at work, establishes the same principle: psychosocial risk management must be integrated into occupational health and safety management systems, not treated as an optional add-on or feel-good initiative.
Why Employee Surveys Fall Short of Compliance
Organisations often point to annual engagement surveys or dedicated psychosocial surveys as evidence of managing psychological risks. While surveys can play a supporting role in a risk management system, relying on them as a primary compliance mechanism creates several critical gaps.
Surveys measure outcomes, not hazards. Asking employees how stressed they feel or whether they experience adequate support gathers data on symptoms. It does not identify the actual hazards in work design, management practices, or workplace conditions that cause those symptoms. A hazard identification process requires examining how work is organised, how tasks are allocated, what job demands exist, how much control workers have, and what environmental or relational factors might create risk. Surveys reveal that people are struggling. They do not reveal that the rostering system creates chronic fatigue or that performance management approaches generate role ambiguity.
Surveys are retrospective, not preventative. WHS law requires proactive identification and management of risks before harm occurs. By the time survey results reveal elevated stress in a particular team, workers may have already experienced harm. A compliant system anticipates hazards by analysing job design, observing work practices, reviewing incident data, and consulting with workers about emerging risks. Waiting for annual data collection to reveal problems that existed months earlier does not satisfy the duty.
Surveys do not identify root causes. Knowing that 40% of employees report high workload does not reveal whether the problem stems from understaffing, poor process design, inadequate technology, unrealistic deadlines set by clients, or managers who lack skills to prioritise and delegate effectively. Safe Work Australia data shows that harassment and workplace bullying account for 33.2% of mental health claims, work pressure accounts for 24.2%, and exposure to violence and harassment represents 15.7%. Without understanding which specific hazards drive harm in a particular workplace, organisations cannot select appropriate controls.
Participation bias distorts the picture. Workers experiencing the most severe psychosocial harm, those who feel disengaged, unsupported, or targeted, are often the least likely to complete surveys. Fear of identification, despite anonymity promises, suppresses honest responses about sensitive issues like bullying or harassment. High participation rates do not guarantee representative data, and low response rates from high-risk groups create dangerous blind spots.
Surveys do not generate control measures. Even a perfectly designed and administered survey produces data, not solutions. The WHS Regulations require PCBUs to implement control measures, not simply gather information. Without a documented process for translating survey insights into specific interventions, and tracking whether those interventions work, the duty has not been discharged.
The Court Services Victoria case illustrates this precisely. The organisation had a 2015 staff survey revealing the toxic nature of the workplace. It had internal emails documenting the problems. What it lacked was a system to convert that information into hazard identification, risk assessment, and control implementation. The survey data became evidence of knowledge, not evidence of compliance.
Why Wellbeing Programs and EAPs Miss the Mark
The second common mistake involves treating wellbeing programs, including meditation apps, resilience training, Employee Assistance Programs, and mental health awareness campaigns, as psychosocial risk management.
These initiatives share a fundamental flaw: they place the burden of managing risk on the worker rather than the employer.
The hierarchy of controls, a cornerstone principle in occupational health and safety, establishes that the most effective interventions eliminate or substitute hazards at their source, followed by engineering and administrative controls, with personal protective equipment as a last resort. When translated to psychosocial hazards, this means changing the work, not the worker.
EAPs and counselling services sit at the bottom of the hierarchy. They are the psychological equivalent of personal protective equipment. They help individuals cope with hazards rather than removing or controlling those hazards at the source. An EAP is valuable for supporting workers who experience harm, but it does not prevent harm from occurring. If excessive workload is injuring workers, offering them counselling does not make the workload less harmful. It helps them survive it.
Resilience training puts responsibility on workers. Teaching employees stress management techniques can help individuals better tolerate difficult conditions, but it does not satisfy the duty to eliminate or minimise risks so far as is reasonably practicable. If it is reasonably practicable to redesign work, improve role clarity, or address bullying behaviour, resilience training cannot substitute for those higher-order controls.
Wellbeing programs are voluntary; compliance is not. Workers choose whether to use EAP services, attend mindfulness sessions, or engage with wellness initiatives. EAP utilisation rates typically hover around 6-12% of the workforce. A compliant psychosocial risk management system does not depend on worker uptake. It systematically identifies hazards, implements controls that protect workers regardless of their individual choices, and monitors whether those controls remain effective.
These programs address symptoms, not sources. A worker suffering anxiety because of unclear expectations and constant role conflict might benefit from counselling. But the duty holder's obligation is to ensure role clarity exists in the first place through documented position descriptions, clear reporting lines, appropriate training, and supervisory support. Treating the anxiety without fixing the role ambiguity parallels offering painkillers to a worker with a repetitive strain injury while keeping them on the same production line.
The Victorian Compliance Code makes this explicit: information, instruction, or training cannot be the exclusive or predominant risk control unless other measures are not reasonably practicable. Organisations must demonstrate why higher-order controls were not implemented before relying on individual-level interventions.
What Systems-Based Compliance Actually Requires
A compliant psychosocial risk management system mirrors what organisations do for physical hazards. The process has defined stages, each with documentation requirements and decision points.
Systematic Hazard Identification
This means actively seeking out psychosocial hazards rather than waiting for them to cause harm. Methods include:
Reviewing job design and work organisation for inherent risk factors.
Consulting with workers and health and safety representatives using multiple methods.
Analysing organisational data such as absenteeism patterns, turnover rates, and overtime trends.
Examining incident reports, complaints, and workers' compensation claims.
Observing work practices and conducting task analysis for high-risk roles.
The goal is to identify specific hazards, not vague concepts like "stress" but concrete factors like high cognitive demands, time pressure, lack of autonomy, inadequate support, exposure to aggressive behaviour, or role conflict. The Model Code of Practice provides detailed guidance on identifying each of the common psychosocial hazard categories.
Risk Assessment
For each identified hazard, organisations must assess the likelihood and potential severity of harm. This involves considering:
How many workers are exposed.
The frequency and duration of exposure.
How hazards interact or combine (multiple hazards create compounding risk).
What controls, if any, currently exist and their effectiveness.
Risk assessment informs prioritisation, directing resources toward hazards creating the greatest risk. Documentation of this assessment becomes critical evidence of the organisation's systematic approach.
Control Measures Using the Hierarchy
The law requires elimination of risks where reasonably practicable, and otherwise minimisation as far as reasonably practicable. For psychosocial hazards, the hierarchy operates as follows:
Elimination removes the hazard entirely. Examples include discontinuing a service line that exposes workers to traumatic content, or automating a high-cognitive-load task that creates chronic overload.
Substitution and redesign fundamentally change how work is done. This includes restructuring roles to reduce role conflict, replacing aggressive client interactions with contractual behaviour requirements, or redistributing workload to eliminate chronic overload.
Engineering and isolation controls create structural protections. Examples include implementing shift scheduling systems that prevent fatigue, providing quiet spaces for workers needing breaks from high-stimulation environments, or establishing physical separation between workers and aggressive members of the public.
Administrative controls change procedures and practices. This means developing clear policies, providing training, implementing supervision structures, establishing escalation procedures, and creating reporting mechanisms.
Individual support measures assist workers to cope with residual risk. EAPs, counselling services, peer support programs, and resilience resources all sit here.
A compliant system does not jump straight to the bottom of the hierarchy. It documents why higher-order controls are not reasonably practicable before relying on administrative measures or individual support. This documentation becomes essential evidence in any regulatory investigation or prosecution.
Consultation with Workers
The WHS Act requires consultation on matters affecting health and safety, including when identifying hazards, assessing risks, and making decisions about control measures. For psychosocial hazards, meaningful consultation often requires multiple methods. Not everyone will speak up in a team meeting about bullying behaviour, and not everyone reads email communications.
If workers are represented by health and safety representatives, those representatives must be included. The Victorian Regulations have strengthened this requirement, with specific consultation obligations when developing and reviewing control measures.
Documentation and Record-Keeping
A compliant system maintains records of:
Hazard identification activities and findings.
Risk assessments and their conclusions.
Control measure decisions and the rationale for selecting particular controls.
Consultation processes and outcomes.
Review activities and any changes made.
When a regulator investigates or an injured worker makes a claim, documentation demonstrates what the organisation knew, when it knew it, and what it did about it. WorkSafe Victoria's guidance explicitly encourages use of prevention plans as a tool to address risks and prevent harm. Even where not mandatory, documented plans provide clear evidence of compliance.
Monitoring and Review
Control measures must remain effective as circumstances change. Victorian regulations require review:
When work processes or systems change in ways that may alter risk profiles.
When new information about hazards becomes available.
When a worker reports a psychosocial hazard or psychological injury.
After any notifiable incident involving a psychosocial hazard.
When an HSR requests a review.
A set-and-forget approach fails this requirement. Organisations need systems that trigger review activities automatically when these circumstances arise.
Personal Liability for Directors and Officers
Officers of a PCBU (typically directors and senior executives) have a personal duty to exercise due diligence in ensuring the organisation complies with its WHS obligations. This duty cannot be delegated, and it applies specifically to psychosocial hazards in the same way it applies to physical risks.
The due diligence obligation requires officers to:
Acquire and keep up-to-date knowledge of psychosocial hazards and risk management approaches.
Understand the nature of the organisation's operations and the psychosocial hazards and risks associated with them.
Ensure appropriate resources and processes are available to eliminate or minimise psychosocial risks.
Ensure the organisation has appropriate processes for receiving and responding to information about incidents, hazards, and risks.
Ensure compliance processes exist and are implemented.
Verify the provision and use of resources and processes.
Penalties for failing officer duties include fines up to $706,560 for individuals in NSW (varying by jurisdiction), and imprisonment up to five years for Category 1 offences involving reckless conduct. Directors have been sentenced to 12 months imprisonment for WHS failures in Queensland.
Critically, insurance policies cannot cover WHS penalties. D&O policies explicitly exclude criminal fines and penalties related to WHS breaches. If an officer is prosecuted and found guilty, they will need to pay any fines from personal funds.
The courts have clarified that officers need not be experts in health and safety, but they must ensure systems exist and operate effectively. In Doble v Miller Logistics, the court found that an officer's duty involves arranging and overseeing the corporation's structures and systems to ensure compliance. The officer in that case was acquitted because he had established appropriate systems, resourced them adequately, and maintained personal engagement with safety matters.
The inverse lesson: officers who cannot demonstrate that systems exist for psychosocial risk management face personal exposure that cannot be insured against.
Building the System: Practical Implementation
For organisations currently relying primarily on surveys and wellbeing programs, building toward compliance requires systematic development of risk management infrastructure.
Phase 1: Governance and Accountability
Establish board-level visibility of psychosocial risk. Brief officers on their due diligence obligations. Assign executive accountability for psychosocial risk management. Create reporting mechanisms that escalate psychosocial risks to appropriate decision-makers. Document the governance framework.
Phase 2: Hazard Identification Infrastructure
Develop hazard identification processes using the 17 hazard categories in the Model Code of Practice as a framework. Train managers to recognise and report psychosocial hazards. Establish multiple channels for workers to report concerns. Create systems to analyse organisational data for hazard indicators. Document the hazard identification methodology.
Phase 3: Risk Assessment and Control Selection
Develop risk assessment templates specific to psychosocial hazards. Train relevant personnel in risk assessment methodology. Create decision frameworks for control selection that document hierarchy of controls reasoning. Establish processes for implementing and resourcing controls. Document risk assessments and control decisions.
Phase 4: Consultation and Communication
Establish consultation processes that satisfy legislative requirements. Train managers in conducting effective consultation. Create mechanisms for HSR involvement. Develop communication strategies for different worker groups. Document consultation activities and outcomes.
Phase 5: Monitoring, Review, and Continuous Improvement
Build review triggers into operational systems. Develop monitoring indicators for control effectiveness. Create scheduled review processes. Establish incident investigation procedures for psychosocial incidents. Document review activities and changes made.
The Competitive Advantage of Systems
Beyond compliance, organisations with mature psychosocial risk management systems gain measurable competitive advantages.
McKinsey research indicates that psychological safety is the strongest predictor of team effectiveness. Teams with high psychological safety demonstrate better decision-making, more innovation, and greater willingness to report problems early. Only about a quarter of leaders currently create psychological safety for their teams, representing significant opportunity for differentiation.
Worker retention improves when psychosocial hazards are controlled. The cost of replacing a professional employee typically runs between 50% and 200% of annual salary. Reducing turnover driven by poor psychological working conditions delivers direct financial returns.
Productivity increases when workers are not managing the effects of uncontrolled psychosocial hazards. Presenteeism, where workers attend but perform below capacity due to psychological distress, often exceeds the cost of absenteeism. Control measures that address root causes improve both metrics.
Insurance costs respond to claims experience. Organisations with lower psychological injury claims will increasingly benefit from better workers' compensation premiums as insurers refine their risk assessment models.
Conclusion
Employee surveys and wellbeing programs have a place in supporting worker psychological health. But they sit at the bottom of the hierarchy of controls, and they do not discharge the legal obligation to systematically identify, assess, control, and review psychosocial hazards.
The organisations that will navigate this regulatory environment successfully are those building genuine risk management systems: documented, systematic processes that identify hazards proactively, implement controls following the hierarchy, and verify that those controls remain effective.
Survey results and EAP utilisation rates will not protect an organisation in a WorkSafe investigation or a compensation claim. A documented, systematic risk management process will.
The alternative, relying on wellbeing initiatives while leaving hazards uncontrolled, represents an increasingly expensive gamble with worker health, organisational finances, and personal liability for officers.
This article provides general information about workplace health and safety requirements and should not be relied upon as legal advice. Requirements vary by jurisdiction and may have changed since publication. Consult relevant codes of practice, regulatory guidance, and qualified advisors for specific circumstances.

