Psychosocial Risk Assessment: A Worked Example for Australian Workplaces

Most psychosocial risk assessments in Australia today are not really assessments. They are surveys with a heatmap glued on the back. This article walks through what a defensible psychosocial risk assessment actually looks like — from the moment a workplace decides to do one, through to the controls being implemented and the record being signed off. The example is composite, drawn from patterns we see repeatedly in healthcare, logistics, and frontline service operations across Australia.

Why a worked example matters

The WHS Act 2011 (and its state equivalents) requires Persons Conducting a Business or Undertaking (PCBUs) to eliminate or minimise psychosocial risks so far as is reasonably practicable. Safe Work Australia's Model Code of Practice: Managing Psychosocial Hazards at Work (2024) describes the process, but the Code is necessarily high-level. What it does not show is how the steps connect — how scoping decisions shape consultation, how consultation shapes hazard identification, and how hazard identification flows into controls that can actually be defended in a regulator review or coronial proceeding.

This piece is structured around an eight-phase methodology we use in practice: Engagement, Scoping, Data Collection, Consultation, Hazard Assessment, Verification, Controls, and Findings. The phases are not bureaucratic — each one exists because skipping it creates a defect downstream.

The scenario

A mid-sized public hospital — roughly 1,800 staff across clinical, allied health, support, and administration. The trigger for the assessment is a cluster of formal complaints from two nursing units over six months, combined with a WorkSafe inspector visit prompted by an anonymous report. Leadership wants a defensible response. The HSEQ Manager has been asked to lead the process.

Phase 1 — Engagement

Before any data is collected, the HSEQ Manager establishes the assessment's scope and authority. This includes a written mandate from the Chief Operating Officer specifying which work groups are in scope, the time window for the assessment, who the consultative partners are (the HSR network, the union delegates, the clinical leadership group), and what the deliverable is.

This phase is often skipped, and skipping it is the single most common reason assessments collapse mid-process. Without a mandate, the HSEQ Manager cannot compel time from clinical leaders, cannot access incident data held by Risk, and cannot guarantee confidentiality to participants.

Phase 2 — Scoping

Scoping is where the assessment is bounded. Not every hazard, not every team, not every shift. The hospital decides to focus on the two nursing units flagged in the complaints, plus a comparator unit with similar acuity but no recent complaint history. This comparator design matters — it allows the assessment to distinguish hazards inherent to the work (high job demands, exposure to traumatic events) from hazards specific to the units in question (role conflict, low support).

The scoping document specifies which of the 14 SWA-recognised psychosocial hazard categories will be examined. In this case: job demands, low job control, poor support, role ambiguity, poor workplace relationships, and exposure to traumatic events. Bullying and harassment are noted as in-scope but will be assessed through the workplace relationships lens rather than as a standalone category — a deliberate choice we discuss in our separate article on bullying through the psychosocial lens.

Phase 3 — Data Collection

Existing data is collected before any new data is generated. This is a discipline most organisations skip. Sources include:

• Incident reports filed in the last 24 months, tagged by unit and type
• Workers' compensation claims, including psychological injury claims
• Turnover and absenteeism data, broken down by unit and shift
• Existing engagement survey results, if available
• Exit interview themes
• Rosters and overtime patterns
• Previous risk assessment outputs and control logs

The point of this phase is to enter consultation with a hypothesis, not a blank slate. Going to staff with "tell us what's wrong" wastes their time and yours. Going to staff with "the data suggests workload spikes during shift handover are correlated with the complaints we've received — does that match your experience?" produces information ten times more useful.

Phase 4 — Consultation

Consultation is the heart of the assessment, and the part most regulators will scrutinise. The Code is explicit: consultation must be genuine, it must reach the workers affected, and it must be documented.

In this scenario, the HSEQ Manager runs three streams of consultation in parallel:

1. A validated survey instrument — in this case, an adapted form of the COPSOQ III short version, configured for the unit context. Anonymous, sent to the three in-scope units, with a target response rate of 60% or higher.
2. Focus groups — three sessions per unit, stratified by shift, run by an external facilitator to reduce hierarchy effects. Each session is structured around the hypothesis surfaced in Phase 3.
3. An anonymous intake channel — open for the duration of the assessment, allowing workers who do not want to participate in focus groups to submit signals. Each submission receives an acknowledgement and a closing-the-loop response, even if no individual action is taken.

Consultation outputs are recorded with cryptographic timestamping. This is not theatre — it is what makes the consultation defensible months or years later, when the question becomes "what did the organisation know, and when did it know it?"

Phase 5 — Hazard Assessment

With data and consultation outputs in hand, hazards are assessed against the SWA hazard categories. The assessment is not a tick-box exercise — each identified hazard receives a written rationale describing the evidence base, the affected worker groups, the likelihood and consequence reasoning, and any interactions with other hazards.

For this hospital, the assessment surfaces five primary hazards in the two flagged units: sustained high job demands during shift handover windows, low role clarity for senior nurses absorbing scope-creep from medical staff, poor support from middle management during high-acuity periods, exposure to aggression from patient families, and an emerging pattern of incivility between shifts (handover conflict). Notably, the comparator unit shows the same job demand profile but does not show the support, role clarity, or incivility issues — confirming that the demand level alone is not the driver.

Phase 6 — Verification

Before controls are designed, the hazard assessment is verified with the workers who participated. This is where many assessments fail — the findings are written up, reported to the board, and never tested against the people who provided the data. Verification does two things: it catches misinterpretation, and it builds the consent needed for the controls phase to succeed.

Verification in this case is a 90-minute session per unit, presenting the findings and asking three questions: does this match your experience, what have we missed, and what would change if these hazards were addressed?

Phase 7 — Controls

Controls are designed following the hierarchy of controls, adapted for psychosocial hazards. Elimination is rare for psychosocial risks (you cannot eliminate exposure to distressed patients in a hospital), so most controls sit in the substitution, engineering, administrative, and PPE-equivalent tiers.

For this hospital, the controls package includes:

• Engineering / system redesign: a 20-minute structured handover window with no new admissions accepted during it
• Administrative: a revised scope-of-practice document clarifying the senior nurse role, signed off by the medical director
• Administrative: a middle-manager support protocol with documented escalation points
• Administrative: a family-aggression response protocol with security and clinical decision triggers
• Behavioural: a peer-led handover-civility commitment, developed by the units themselves

Each control has a named owner, an implementation date, a measurement plan, and a review date. Controls without all four are not controls — they are intentions.

Phase 8 — Findings and Record

The findings document is the artefact that makes the entire assessment defensible. It records the scope, the methodology, the data sources, the consultation process, the hazards identified, the controls designed, and the residual risk. It is signed off by the COO and made available to the HSR network. Cryptographic hashing and RFC 3161 timestamping at this stage produce an evidentiary record that cannot be retrospectively edited — which matters enormously if the assessment is later scrutinised in a regulator action or civil proceeding.

What this example shows

Three things are worth pulling out. First, the consultation phase is not a step in the process — it is the connective tissue running through every phase. Scoping is consulted on. Data interpretation is consulted on. Hazards are verified. Controls are co-designed. An assessment without this connective tissue is not defensible, regardless of how polished the final document looks.

Second, the evidence trail matters as much as the outcome. The question a regulator or court will ask is not "did you have a good plan" but "can you show what you knew, when you knew it, and what you did about it." Time-stamped, integrity-protected records are the only honest answer to that question.

Third, the work is genuine. Sam Cahill of ABLA has been making the point persistently: reasonable management action must be evidenced through the actual conduct of work, not through audit-generated documents produced after the fact. A psychosocial risk assessment that exists only as a deliverable is the legal equivalent of an empty fire extinguisher cabinet.

Where to go from here

If your organisation is preparing for its first formal psychosocial risk assessment, the most common failure mode is starting with a survey. Start with engagement and scoping. The survey, if you choose to use one, comes in Phase 4. Building the wider psychosocial risk management framework around the assessment process is what turns a one-off exercise into ongoing compliance capability.