Regulatory Analysis

The Psychosocial Risk Management Framework: A Practitioner's Guide

The full risk management cycle - identify, consult, design controls, implement, review - with practical guidance for HSEQ managers operating under the WHS Act and the SWA Model Code of Practice 2024.

Marcin Stepien
Founder of PsychProof
08 May 2026
8 Min Read

The Safe Work Australia Model Code of Practice for managing psychosocial hazards describes a five-step cycle: identify hazards, consult, design controls, implement, and review. The cycle is straightforward to state and surprisingly difficult to run. This guide walks through each step, the most common failure modes, and what separates a framework that produces defensible compliance from one that produces a folder of unread documents.

Why a framework at all

The WHS Act 2011 and its state mirrors place a primary duty on PCBUs to manage risks to worker health - including psychological health - so far as is reasonably practicable. The 2022 psychosocial regulations made this explicit, and the 2024 Model Code of Practice operationalised it. The Code does not invent a new model. It applies the established WHS risk management cycle to a hazard category (psychosocial) that has historically been managed through other channels - HR, ER, EAP, wellness - that do not satisfy a WHS duty.

A psychosocial risk management framework is the organisational machinery that runs this cycle continuously. Not annually. Not in response to an incident. Continuously.

Step 1 - Identify the hazards

The Code lists 14 psychosocial hazard categories. The list is non-exhaustive but practical: job demands, low job control, poor support, lack of role clarity, poor organisational change management, inadequate reward and recognition, poor organisational justice, traumatic events, remote or isolated work, poor physical environment, violence and aggression, bullying, harassment including sexual harassment, and poor workplace relationships.

Identification means actively looking for these hazards across the organisation, not waiting for them to surface as complaints. In practice, this is a triangulation exercise across four data layers:

  • Existing incident and complaint data - what has already been reported, broken down by team and hazard type
  • Workforce signals - turnover, absenteeism, workers' compensation claims, exit interview themes
  • Worker voice data - engagement surveys, pulse surveys, anonymous intake channels, focus group outputs
  • Operational data - rosters, overtime patterns, span-of-control, change events, customer complaints in service settings

The common failure mode at this step is treating identification as a survey exercise. A single survey, however well-designed, captures one moment in time and one self-report layer. Defensible identification requires multiple layers, refreshed at different cadences, with the discipline to act on weak signals before they become incidents.

Step 2 - Consult with workers

Consultation is the obligation that distinguishes psychosocial risk management from most other compliance regimes. Section 47 of the WHS Act requires consultation with workers on matters that may directly affect their health and safety. The Code makes clear this applies through the entire psychosocial risk management cycle - not just at the end.

Genuine consultation has four characteristics. Workers must have the information they need to participate. They must have a reasonable opportunity to express their views. Their views must be considered before decisions are made. And they must be advised of the outcome in a reasonable time.

Amy Salmon of WorkSafe Victoria has framed consultation as "the connective tissue" of the cycle - the mechanism that runs through every step rather than sitting as one step. In our experience this framing is correct. Consultation in scoping. Consultation in interpreting data. Consultation in designing controls. Consultation in reviewing whether controls worked. An organisation that consults only at one point in the cycle has not satisfied the obligation.

What consultation is not

Consultation is not an EAP. It is not an engagement survey on its own. It is not a town hall. It is not a complaint mechanism. Each of these may be useful inputs, but none of them on their own constitutes consultation in the WHS sense. The test is whether workers had a real opportunity to influence the decisions that affect them - and whether you can show it.

Step 3 - Design controls

Controls are designed following the hierarchy of controls, the same model used for physical hazards but applied to psychosocial conditions. The hierarchy, from most to least effective:

  1. Elimination - remove the hazard entirely (rare for psychosocial risks but possible, e.g., eliminating a redundant approval step that creates role conflict)
  2. Substitution - replace the hazard with something less harmful (e.g., redesigning a customer-facing role to reduce exposure to aggression)
  3. Engineering / system controls - change the work itself (workload redistribution, span-of-control changes, handover protocols, staffing models)
  4. Administrative controls - change the rules (policies, protocols, escalation paths, manager guidance)
  5. Behavioural / PPE-equivalent - change the people (training, coaching, support services)

The single most common failure at this step is collapsing the hierarchy into administrative and behavioural controls only - running a training program, updating a policy, adding an EAP poster. These are legitimate controls. They are not sufficient on their own, and a regulator can see that pattern in a controls register in about 90 seconds.

The reasonably practicable test

"Reasonably practicable" is the operative legal phrase. Section 18 of the WHS Act defines it: what could reasonably be done in the circumstances, having regard to the likelihood and degree of harm, what was known about the hazard, what is available and suitable to eliminate or minimise it, and - only after the other factors - the cost. Cost can never be the only or primary reason to reject a control. The reasoning matters as much as the conclusion; the question is not whether the decision was right but whether it can be defended.

Step 4 - Implement

Implementation is where most frameworks die. Controls are designed in workshops, documented in a register, and then absorbed into the operational backlog where they compete with everything else. The discipline at this step is straightforward but rarely sustained: every control has a named owner, an implementation date, a measurement plan, and a review date - and these are tracked, not just recorded.

The point about tracking matters. The most legally damaging pattern we see is organisations that have well-documented controls on paper and no evidence the controls were actually operating. This is worse than no controls at all, because it demonstrates that the organisation knew about the risk and chose not to manage it.

Step 5 - Review

Review closes the cycle. The Code is explicit that controls must be reviewed - when there is reason to believe they are not working, after an incident, after a change to the work, and at regular intervals.

Review is not the same as compliance audit. An audit asks "is the control in place." A review asks "is the control working." The difference is the difference between a tickbox and a measurement. For each control, what is the measurable signal that tells you it is reducing the risk it was designed to reduce? Define this at the design step, not at review.

The output of review is either confidence that the control is working (recorded and timestamped) or evidence that it is not (triggering redesign). Both outputs are legally protective. The absence of review evidence is not.

What makes the framework defensible

Three patterns separate frameworks that survive scrutiny from those that do not.

First, the work is genuine. The artefacts produced - risk registers, consultation records, control logs, review outputs - are the by-product of actual risk management activity. They are not produced for the binder. This is the point Sam Cahill at ABLA has been making relentlessly: reasonable management action must be evidenced through the conduct of work, not through audit-generated documents. The legal protection runs out fast when the documents are the only thing that exists.

Second, the evidence is integrity-protected. Records are timestamped, hashed, and stored so that the question "what did you know and when did you know it" has a clear and unrewritable answer. RFC 3161 timestamping and cryptographic hashing of records at the point of capture is the technical baseline. Without it, the records exist; their evidentiary weight does not.
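As an added illustration of the integrity-protected evidence described above (example code written for this guide, not PsychProof's own implementation): a hash-chained record log in which each consultation or control entry is hashed at capture and linked to its predecessor, with a verifier that reports the first rewritten entry. The sample records and timestamps are constructed, and `tsa_message_imprint` produces the SHA-256 digest a client would submit to an RFC 3161 timestamp authority; the network exchange with the authority itself is assumed and not shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry of an empty register

def canonical(obj: dict) -> bytes:
    """Deterministic serialisation so identical content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def append_record(chain: list, record: dict, captured_at: str) -> dict:
    """Hash the record at the point of capture and link it to the previous entry."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"record": record, "captured_at": captured_at, "prev_hash": prev_hash}
    entry = dict(body, entry_hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> tuple:
    """Return (True, n) if all n entries are intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("record", "captured_at", "prev_hash")}
        expected = hashlib.sha256(canonical(body)).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["entry_hash"] != expected:
            return False, i
        prev_hash = entry["entry_hash"]
    return True, len(chain)

def tsa_message_imprint(entry: dict) -> bytes:
    """SHA-256 digest for an RFC 3161 TimeStampReq messageImprint; content stays in-house."""
    return bytes.fromhex(entry["entry_hash"])

def build_sample_chain() -> list:
    """Constructed sample entries for a consultation log (not real data)."""
    samples = [
        ({"type": "consultation", "team": "Contact Centre", "hazard": "violence and aggression",
          "note": "Roster data shared; views sought on evening staffing"}, "2026-03-02T09:15:00+10:00"),
        ({"type": "control", "team": "Contact Centre", "hazard": "violence and aggression",
          "note": "Two-up staffing after 18:00 approved; owner: CC manager"}, "2026-03-09T14:40:00+10:00"),
    ]
    chain = []
    for record, captured_at in samples:
        append_record(chain, record, captured_at)
    return chain

def tamper_and_verify() -> tuple:
    """Rewrite an earlier record after the fact and show the chain pinpoints it."""
    chain = build_sample_chain()
    chain[0]["record"]["note"] = "Workers informed of decision"  # backdated rewrite
    return verify_chain(chain)
```

A real deployment would store the TSA's signed token beside each entry and re-verify the chain at every review, so a rewritten record fails both the hash check and the independent timestamp.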

Third, the framework is additive, not replacement. A psychosocial risk management framework does not replace your existing WHS platform, your incident system, your engagement survey, or your HR investigation processes. It sits as the intelligence layer that integrates signals from all of them and produces the consultation and controls work the others were never designed to do.

Where to start

If you are establishing a framework from scratch, the highest-leverage first step is not buying a tool or running a survey. It is documenting your current data layers and consultation channels and being honest about what is missing. Most organisations have more identification data than they realise - what they lack is the consultation infrastructure to turn that data into defensible controls. Walking through a full worked example of the cycle is the fastest way to surface where the gaps are.


Marcin Stepien

Founder of PsychProof. Marcin leads the strategic direction of PsychProof, focusing on how organisations can transform psychosocial risk from a legal burden into a competitive advantage.