A guide to building a psychosocial risk register for Australian workplace WHS compliance

Building a Psychosocial Risk Register: What to Include and Why

Published: 19th April 2026  |  Reading time: approx. 8 minutes

A psychosocial risk register is the central document in your WHS compliance system - and the first thing a regulator will ask to see. This guide explains exactly what goes in one, how to structure it, and how to keep it current.

What Is a Psychosocial Risk Register?

A psychosocial risk register is a structured document that records all identified psychosocial hazards in your workplace, the assessed level of risk associated with each, the controls you have put in place to manage them, and who is responsible for those controls.

Think of it as the master record of your psychosocial hazard management system. Where individual risk assessments go into depth on a single hazard, the risk register gives you - and any auditor or inspector - a complete picture of your organisation's psychosocial risk profile in one place.

Important distinction: A risk register is not the same as a risk assessment. A risk assessment is the process of analysing a specific hazard in depth. The risk register is where the outcomes of all your assessments are consolidated and tracked over time.

Why You Need One

Under the Model WHS Regulations, PCBUs are required to identify psychosocial hazards, assess the associated risks, implement controls, and review those controls. A risk register is the practical tool that demonstrates you have done all four steps.

Without a risk register, you have no systematic way to:

  • Track which hazards have been assessed and which have not
  • Demonstrate to a regulator that your risk management is ongoing and not a one-time exercise
  • Ensure controls are actually implemented and assigned to a responsible person
  • Identify patterns - for example, whether the same hazard keeps reappearing after incidents
  • Show due diligence if a worker makes a compensation claim or a complaint is lodged

Note: If a WHS inspector visits your workplace or a worker lodges a formal complaint, a current, well-maintained risk register is your first and strongest line of defence. Its absence is treated as evidence that systematic risk management is not occurring.

What to Include in Your Risk Register

A well-structured psychosocial risk register should capture the following fields for each identified hazard:

1. Hazard ID and name

Assign each hazard a unique reference number (for example, PSY-001, PSY-002) and give it a clear name drawn from Safe Work Australia's recognised list of psychosocial hazards. This makes it easy to cross-reference with individual risk assessments and incident reports.

2. Description of the hazard

A brief description of how the hazard presents in your specific workplace - not just the generic category. For example, rather than "high job demands," write "customer service team regularly unable to complete workload within standard hours due to staffing levels." Specific descriptions make the register genuinely useful rather than just compliant.

3. Who is affected

Identify which workers, roles, or teams are exposed to the hazard. This may be the whole workforce or a specific group. Being specific here helps you target your controls appropriately and ensures no group is overlooked.

4. Likelihood rating

Rate how likely it is that the hazard will cause harm, using a consistent scale. A simple three- or five-point scale works well: for example, Rare / Unlikely / Possible / Likely / Almost Certain. The rating should reflect current conditions - not a best-case scenario.

5. Consequence rating

Rate the potential severity of harm if it occurs. For example, Insignificant / Minor / Moderate / Major / Severe. Consider both the individual impact (psychological injury, time off work) and the organisational impact (compensation claim, regulatory action).

6. Overall risk rating

Combine likelihood and consequence using a risk matrix to produce an overall rating: Low, Medium, High, or Critical. This rating determines the urgency and priority of your control measures.

7. Existing controls

List the control measures already in place for this hazard. Be honest: only record controls that are genuinely implemented and functioning, not those that exist only on paper.

8. Additional controls required

Where existing controls are not sufficient to reduce the risk to an acceptable level, document what further action is needed. Include specific actions, not vague commitments like "improve communication."

9. Responsible person and due date

Assign each additional control to a named person with a specific completion date. Without clear ownership, action items simply do not get done. This is one of the most commonly missing elements in risk registers that look complete on the surface.

10. Residual risk rating

After all planned controls are in place, re-rate the risk. This is the residual risk - what remains after everything has been done. The goal is to reduce this to Low or Medium. If residual risk remains High or Critical, more significant structural changes may be required.

11. Review date

Record when this hazard is next due for review. At minimum this should be annual, but it should also be triggered by incidents, complaints, or significant organisational changes.

How to Rate Your Risks

Risk rating does not need to be a complex mathematical exercise. The standard approach used in WHS risk management is a simple matrix:

Step 1 - Rate likelihood

How often are workers exposed to this hazard, and how likely is it to cause harm? Consider frequency of exposure, duration, and the number of workers affected.

Step 2 - Rate consequence

If harm occurs, how serious would it be? Consider the range of possible outcomes from minor distress through to serious psychological injury requiring extended leave.

Step 3 - Combine to get overall rating

Use a risk matrix to combine the two ratings. A Likely likelihood combined with a Major consequence produces a High risk rating. A Rare likelihood combined with a Minor consequence produces a Low risk rating.

Step 4 - Prioritise your response

Critical and High risks require immediate action. Medium risks should be addressed within a defined timeframe. Low risks should be monitored and reviewed.

Important: Risk ratings must reflect reality, not aspiration. A common audit finding is that organisations have rated all their psychosocial risks as Low without genuine analysis. This provides no actual protection and is not defensible if challenged by a regulator or in a compensation proceeding.

Recording Controls and Who Is Responsible

The controls section of your risk register is where compliance systems most commonly break down. It is not enough to list a control — you need to record:

  • What the control is - specifically, not generally. "Conduct monthly workload review meetings with team leaders" is a control. "Improve workload management" is not.
  • Who is responsible - a named individual, not a job title or department
  • When it will be completed - a specific date, not "ongoing" or "as required"
  • Whether it has been completed - a status field (Not Started / In Progress / Complete) makes this visible at a glance

Controls should follow the hierarchy of controls where possible - eliminating or redesigning work to remove the hazard is always preferable to relying on individual workers to manage their own stress response.

Keeping Your Register Current

A risk register that was completed twelve months ago and has not been touched since is not a compliance system - it is a historical document. Your register needs to be a living document that is actively maintained.

Review your risk register:

  • At least annually - as a scheduled review of all hazards and controls
  • After any incident or near miss - to determine whether the register needs updating
  • When a worker raises a concern - new information about a hazard should be captured
  • During significant organisational change - restructures, new systems, leadership changes, and rapid growth all introduce new psychosocial risks
  • When a control is implemented - update the status and re-rate the residual risk

Practical tip: Set a recurring calendar reminder for your annual review - ideally at the same time each year so it becomes a standard part of your WHS cycle. Link it to your existing annual review processes if you have them.

Common Mistakes to Avoid

Listing hazards without assessing them

A list of hazards without risk ratings, controls, or responsible persons is not a risk register - it is a hazard inventory. The register must show that you have assessed each hazard and taken action.

Recording controls that are not actually in place

Only record controls that are genuinely implemented. Recording aspirational controls as existing ones creates a false picture of your compliance position and provides no actual protection for workers.

No named responsible person

Every additional control should have a named owner. "Management" or "HR" is not a responsible person. If no one is accountable, nothing gets done.

Never reviewing or updating the register

A static risk register signals to an inspector that risk management is treated as a one-time exercise. Date every review and record what was considered - even if the outcome was "no changes required."

Not consulting workers

Workers are required to be consulted in the risk management process under WHS law. A risk register built entirely by management without worker input is both legally incomplete and practically less accurate - workers are the most reliable source of information about the hazards they actually face.

Our Psychosocial Risk Management Kit includes a ready-to-use Risk Register template - pre-structured with all required fields, a built-in risk matrix, and guidance notes. Fully editable and aligned to Safe Work Australia's framework.

Frequently Asked Questions

Does a risk register need to be a specific format?

No. WHS law does not prescribe a specific format for a risk register. What matters is that it captures the required information - identified hazards, risk ratings, controls, responsible persons, and review dates - in a consistent, accessible format. A well-structured spreadsheet or Word document is perfectly acceptable.

Can one register cover all WHS risks, including physical hazards?

Yes. Many organisations maintain a single WHS risk register that covers both physical and psychosocial hazards. If you already have a physical hazard register, adding a psychosocial section to it is a practical approach. Just ensure the psychosocial entries capture the additional fields relevant to psychological risks.

How long should I keep old versions of the register?

Best practice is to retain previous versions for at least five years, or longer if your jurisdiction requires it. Dated version history demonstrates that your risk management has been ongoing and that you have responded to changes over time. This can be important evidence in a compensation claim or regulatory investigation.

Who should have access to the risk register?

At minimum, the person responsible for WHS in your business and any managers with assigned controls. Workers should also be able to access it - transparency about identified hazards and planned controls is consistent with your WHS consultation obligations and builds trust in your system.


Disclaimer: This article is for general informational purposes only and does not constitute legal or professional WHS advice. Review all information against applicable legislation in your state or territory and seek expert guidance where required.
