This is the third article in a three-part series on psychosocial hazard regulation in Australia. Article 1 sets out the current legal framework. Article 2 examines the enforcement cases that define the stakes.
The regulatory architecture for psychosocial hazard management is now settled across all Australian jurisdictions. What is not settled is employer practice. The gap between what the law requires and what most organisations are actually doing is precisely what regulators are beginning to target, and the enforcement actions of 2025 have made that gap visible.
This article sets out where the common failures are and what good practice looks like in response.
The gaps
Over-reliance on EAPs. The most pervasive problem is the continued use of Employee Assistance Programmes as the primary, or sometimes sole, psychosocial control. An EAP may be a supportive or downstream measure, but it is not, on its own, an adequate control for the underlying psychosocial hazard. During organisational change, it is often presented as the primary safeguard for employee wellbeing. From a WHS perspective, that is not prevention. Over-reliance on EAP subtly shifts responsibility away from the organisation and onto the individual. Employer wellbeing strategies have to date relied heavily on individual employee-level supports, which are inadequate for fulfilling positive duty obligations in the absence of appropriate systemic, organisational-level controls. The Defence conviction makes this concrete: the failure was in a system, not in the individual's failure to call a helpline.
Misunderstanding the hierarchy of controls. In jurisdictions where the hierarchy applies, a default approach based on policies, EAP services, mental health first aid training, and awareness campaigns is legally insufficient if higher-order controls were reasonably practicable. A regulator investigating a psychosocial claim in New South Wales, Queensland, or South Australia will ask whether the PCBU considered eliminating or redesigning the work before reaching for lower-order responses. Responsive measures such as EAP or workplace dispute procedures will not suffice to meet an employer's duty unless the duty holder has properly considered higher-order controls such as job design and determined that those controls are not reasonably practicable.
Superficial risk assessments. The most common failure in risk assessment is asking a single question in a survey and treating the result as the whole assessment. That is too narrow. Organisations need enough information to see patterns across teams, shifts, sites, or supervisors. A risk assessment that cannot isolate whether a problem is concentrated in a particular manager, team, or work system cannot generate the targeted controls that regulators expect.
Treating consultation as a formality. Consultation is a legal requirement at every stage of the psychosocial risk management process, not a box to tick before implementing a pre-determined decision. PCBUs must consult with workers and Health and Safety Representatives throughout the process, from hazard identification through to control selection and review, maintaining documentation that demonstrates an active, ongoing system, not just a policy on paper. The Macquarie University improvement notices are a direct consequence of failing to consult adequately during a restructuring process.
Failing to assess HR systems. The Defence case surfaces a gap that most employers will not have addressed. Performance management processes, disciplinary procedures, and internal investigations can all create or amplify psychosocial risk if poorly designed, administered, or supervised. Despite the RAAF worker displaying signs of escalating distress, Defence took no steps to mitigate the risk embedded in the performance management process itself. Employers who have not assessed their HR systems as potential psychosocial hazards are operating with an unexamined risk. The Administrative Review Tribunal's finding in the family and domestic violence case goes further still: the duty extends to how investigations are initiated and structured, not just how they conclude. Accounting for the specific vulnerabilities of the person being investigated is now part of the legal obligation.
Failing to assess AI and digital systems. A related and emerging gap is the failure to apply psychosocial risk assessment to the technology used to manage, monitor, and allocate work. Monitoring should be necessary, proportionate, and purpose-limited. Employers should be able to clearly justify why surveillance is used, what risk it addresses, and why less intrusive measures are insufficient. Many organisations have introduced AI-driven scheduling, keystroke monitoring, performance dashboards, and algorithmic task allocation without any psychosocial risk assessment. Under existing law, that is already a gap. Under the NSW Digital Work Systems Act, once it commences, it will be an explicit breach.
Fragmented ownership. Cross-functional capability is essential. Change projects require coordinated input from WHS specialists, HR, industrial relations, legal, operational leaders, and senior executives. Fragmented ownership leads to gaps in risk management and increases the likelihood of enforcement action. In many organisations, psychosocial risk sits in the gap between HR and WHS, with neither function owning it comprehensively. Technology procurement decisions compound this: AI tools are typically selected by IT or operations without WHS input.
Treating restructuring as outside psychosocial obligations. SafeWork agencies are now conducting investigations and issuing enforcement notices in relation to organisational change processes that expose workers to psychosocial hazards. The UTS prohibition notice makes this unambiguous. Restructuring is a psychosocial risk event requiring active risk management, not just communications planning and an EAP reminder.
Inconsistency across jurisdictions. For organisations operating across multiple jurisdictions, a single national policy may establish the baseline, but it must be supplemented by jurisdiction-specific risk assessments, control measures, and documentation. The hierarchy of controls is mandated differently in different states. A single national approach cannot bridge that gap without deliberate jurisdiction-specific design.
What good practice looks like
Design out the hazard. Workload should be addressed through headcount and deadline redesign. Role ambiguity should be resolved through structural clarity. If the main problem is excessive workload, an EAP does not fix excessive workload. If the issue is poor role clarity, another general awareness session does not solve the ambiguity. Higher-order controls address the source of the hazard. Lower-order controls address the worker's response to it. The former is what the law requires.
Consult properly. Multiple methods of consultation are needed for psychosocial hazards, and the form and methods of consultation must themselves be decided in consultation with workers. Regular consultation is better than consulting only as issues arise, because it allows potential problems to be identified and addressed early. In practice this means combining surveys with focus groups, team-level conversations, and accessible reporting channels. Surveys allow trends to emerge, showing whether certain tasks carry more hazards, or whether workers in particular locations or roles are disproportionately exposed. HSRs play a valuable specific role: they can provide workers some anonymity, which may encourage more candid engagement. Consultation at each stage is mandatory under sections 47-49 of the WHS Act.
Train for the actual risk, not for awareness. Training is not a psychosocial control on its own, but inadequate training of people administering high-risk processes is itself a breach. The codes of practice require that persons involved in managing psychosocial hazards have appropriate knowledge, skills, and experience. This means training for managers and supervisors on recognising and responding to psychosocial risks; training for HSRs on consultation and hazard identification; and training for all workers on recognising and reporting psychosocial hazards. For managers and supervisors, training should cover recognising hazards, having difficult conversations, conducting fair performance management, and intervening early. For all staff, it should cover what psychosocial hazards are, expected workplace behaviours, how to report concerns, and what supports are available. Training must be tailored to the specific hazards present in the work, including HR processes and digital systems. Controls must be based on the actual risk profile of the work, not generic statements.
Audit HR systems, including how investigations are conducted. Review whether performance management, disciplinary, and investigation processes have been assessed for the psychosocial risks they may create or amplify, and whether the supervisors administering those processes have been trained accordingly. The Defence conviction established that untrained supervisors administering a standard performance management tool is a criminal liability. The Administrative Review Tribunal's finding in the family and domestic violence case established that failing to account for a worker's personal circumstances when initiating an investigation is a liability in its own right. The Wright v Findex decision established that an ad hoc, procedurally deficient investigation process will defeat a reasonable management action defence. Each of these cases addresses a different failure mode within the same category of risk. Employers need to assess not just whether they have investigation and disciplinary procedures, but whether those procedures are psychosocially sound, consistently followed, and administered by people who have been trained to recognise the risks they create. Risks of non-compliance extend beyond potential penalties to include adverse publicity orders, reputational damage, and increased regulatory scrutiny.
Audit AI and digital systems. Inventory every system used to allocate, monitor, or manage work and assess each for the psychosocial risks it creates. This requires identifying hazards created by monitoring, such as stress, work intensification, and loss of autonomy, and addressing them through WHS risk assessments, controls, and consultation processes. If an algorithm creates impossible workloads, the employer remains legally responsible regardless of whether they designed the software themselves or purchased it from a vendor. NSW employers should prepare for the Digital Work Systems Act now, ahead of its proclamation, as Safe Work Australia may extend equivalent duties nationally.
Document the process. If a regulator or lawyer reads the file later, the documentation should make the decision-making process obvious. Documentation should cover hazard identification processes, risk assessments and control measures, consultation with workers, monitoring and review activities, and training provided to workers and managers. Good documentation is not bureaucratic overhead. It is the difference between a defensible position and an indefensible one when regulators arrive.
Monitor leading indicators. Track absenteeism, workload data, and grievances, and integrate psychosocial metrics into safety and risk governance dashboards. Make psychosocial risk a standing agenda item for leadership and safety committees. Regular reporting demonstrates governance and drives cultural change.
Treat organisational change as a safety event. Involve WHS professionals alongside HR and legal before restructures are announced. Extend consultation timelines. Regulators have demonstrated they will intervene in real time if they consider a live process to be creating imminent psychosocial harm.
Australia now has a comprehensive national regulatory architecture for psychosocial hazard management, but important jurisdictional differences remain and employer practice has not caught up with either. The Defence conviction, the UTS prohibition notice, the Administrative Review Tribunal's finding on investigation process, and the prospect of the Digital Work Systems Act extending nationally describe a regulatory environment that is tightening, not stabilising. The employers best placed to respond are those who treat psychosocial risk as a technical safety discipline, not a cultural aspiration: identify the hazards, assess the risks, apply controls that address the source, consult workers at every stage, document the process, and review it when things change.
This is the third article in a three-part series. Article 1 sets out the current legal framework across all Australian jurisdictions. Article 2 examines the enforcement cases that define what non-compliance now costs.
Sources
- AREEA, Defence fined in landmark psychosocial risk prosecution (January 2026)
- Astrid Legal, UTS Restructure Halted: Psychosocial Safety & HR Processes Under the Microscope (September 2025)
- BlueSafe Online, Psychosocial Hazards at Work – New Employer Obligations in Australia (2025-26) (March 2026)
- CHD Partners, Managing Psychosocial Hazards at Work: 5 Effective Ways to Protect Your Team (October 2025)
- CQHHSS, Organisational Change and Psychosocial Hazards: Why "Just Use the EAP" Is No Longer Good Enough (January 2026)
- FairWork Mate, NSW Psychosocial Hazards at Work: New WHS Rules Employers Must Follow (2026)
- FairWork Mate, Psychosocial Hazards at Work: New Employer Obligations in Australia (2025-26) (March 2026)
- Guardian Injury Law, Breach of employment contract resulting in psychiatric injury delivers $1.44m compensation (January 2025)
- Herbert Smith Freehills Kramer, Contractual damages for psychiatric injury: another risk in employee dismissals (November 2025)
- HR Daily, Workplace misconduct investigation ignored risks to FDV survivor (2025)
- HSE Direct, Psychosocial Hazards and the Hierarchy of Controls: Which Australian States Actually Require It? (March 2026)
- Ius Laboris (Kingston Reid), How psychosocial safety now sits at the heart of workforce change (February 2026)
- Lane Neave, The psychosocial risks hidden in performance management plans (January 2026)
- Maddocks, Psychosocial Safety: What employers need to know (April 2024)
- Mapien, Workplace Surveillance in 2026: What Employers Must Know (March 2026)
- Mibo, Psychosocial Hazards Code of Practice: A Complete Guide (February 2026)
- Mondaq / LegalVision (James True), NSW WHS Laws: Managing AI and Psychosocial Hazards in the Workplace (April 2026)
- Risk Collective, NSW Health District Charged for Psychosocial Hazards (May 2025)
- Safe Work Australia, Model Code of Practice: Managing Psychosocial Hazards at Work (July 2022)
- SafeWork SA, Managing Psychosocial Hazards at Work Code of Practice (February 2026)
- Safetysure, Psychosocial risk management guide (May 2026)
- Vitality Works, Managing Psychosocial Hazards in the Workplace
- WorkSafe Hub, Victoria's New Psychosocial Health Regulations (Dec 2025): A Practical Compliance Guide for Employers (March 2026)
