Image showing tiles saying the word risk

How to Conduct a Psychosocial Risk Assessment (Step-by-Step)

Published: 28th March 2026  ·  Reading time: 8 minutes  ·  Category: WHS Compliance

Under Australian WHS legislation, identifying psychosocial hazards is only the first step. Once you know what hazards exist in your workplace, you are legally required to assess the risk they create — and put controls in place to manage them.

A psychosocial risk assessment is the structured process for doing exactly that. This guide walks you through each step, explains what to document, and shows you how to use a risk assessment to build a defensible, WHS-compliant system for your business.

What Is a Psychosocial Risk Assessment?

A psychosocial risk assessment is a structured evaluation of the risks created by psychosocial hazards in your workplace. It analyses each identified hazard and determines:

  • How likely is it that the hazard will cause harm?
  • How severe would that harm be if it occurred?
  • What controls are currently in place — and are they adequate?
  • What additional controls are needed?

The output is a completed assessment document for each hazard — which then feeds into your Risk Register and informs your control measures, training, and review schedule.

If you have not yet completed the hazard identification step, start there first. Our guide to identifying psychosocial hazards walks you through the process.

Before You Start: What You Need

Before conducting your assessment, gather the following:

  • A list of psychosocial hazards identified in your hazard identification process
  • Input from workers and supervisors who are familiar with the relevant work areas
  • Any existing incident reports, near misses, or complaints that relate to the hazards
  • A copy of your psychosocial risk assessment template — structured to capture all required information

Consultation requirement: The risk assessment process should involve workers — not just managers. WHS law requires genuine consultation, and workers are often the best source of information about what is actually happening on the ground.

Step-by-Step: How to Complete a Psychosocial Risk Assessment

Step 1: Describe the hazard and work context

For each hazard identified, clearly describe what the hazard is and the specific work context in which it occurs. Be specific — not just 'high workload' but 'high workload in the customer service team during peak periods, with inadequate staffing levels and no clear escalation process.' This specificity matters because it determines what controls will actually be effective. Vague hazard descriptions lead to vague controls.

Step 2: Determine your initial risk rating

Rate the risk using a likelihood-by-consequence matrix. Most WHS frameworks use a matrix with two dimensions:

  • Likelihood — how probable is it that the hazard will cause harm? (Rare / Unlikely / Possible / Likely / Almost Certain)
  • Consequence — if harm occurs, how severe would it be? (Insignificant / Minor / Moderate / Major / Catastrophic)

The intersection of these two ratings gives you a risk level: Low, Medium, High, or Critical. Critical and High risks require immediate action; Medium risks require a scheduled response; Low risks require monitoring.

Step 3: Identify existing controls

Document what controls you already have in place for this hazard. Controls might include policies, procedures, training, and structural arrangements such as regular team check-ins or workload review processes. Be honest in this step — a policy that exists but is unknown to staff does not constitute an effective control.

Step 4: Assess whether controls are adequate

Evaluate whether your existing controls are actually working to reduce the risk to an acceptable level. Ask yourself: are workers aware of this control? Is it consistently applied? Has the risk remained the same or worsened despite the control? Under WHS law, controls must be 'reasonably practicable' — the most effective control proportionate to the risk.

Step 5: Identify additional controls

If existing controls are not adequate, identify what additional controls you will implement. Use the hierarchy of controls as a guide:

  1. Eliminate — redesign the work so the hazard no longer exists
  2. Substitute — replace a hazardous work arrangement with a less hazardous one
  3. Redesign — change the work environment or systems
  4. Administrative controls — policies, procedures, and training that reduce exposure

Administrative controls alone are generally insufficient for high or critical risks.

Step 6: Assign responsibility and a due date

For each additional control identified, assign a responsible person and a realistic implementation date. Without clear ownership and deadlines, controls that look good on paper simply do not get implemented. This information transfers directly into your Risk Register — the centralised document inspectors typically ask to see first.

What Is a Residual Risk Rating?

After identifying your additional controls, re-rate the risk assuming those controls are in place. This is called the residual risk — the level of risk that remains after all controls have been implemented.

The goal is to reduce residual risk to a level that is as low as reasonably practicable. For most SMEs this means reaching a Low or Medium residual risk rating with appropriate controls in place.

If your residual risk remains High or Critical even with all planned controls in place, this is a signal that more significant work design or structural changes may be required.

How to Document Your Risk Assessment

Your completed risk assessments should be:

  • Stored in a consistent format — ideally a standardised template that captures all required fields
  • Dated and signed by the person who completed the assessment
  • Accessible to workers and supervisors who need them
  • Reviewed and updated after incidents, complaints, or significant organisational changes

Key point: A completed, dated risk assessment is your evidence of compliance. WHS inspectors want to see that you have systematically assessed your hazards — not just identified them. A risk assessment without an assessment is just a list.

Common Mistakes to Avoid

  • Assessing risks without consulting workers — this is both bad practice and non-compliant with WHS consultation requirements
  • Rating all hazards as 'Low' without genuine analysis — this provides no actual protection and is not defensible if challenged
  • Listing controls that exist on paper but are not actually implemented — only controls genuinely in place should be counted
  • Completing the assessment once and never reviewing it — psychosocial risk assessments should be reviewed at least annually and after any significant event
  • Treating the assessment as a tick-box exercise — the value is in the process, not just the paperwork
Download our Psychosocial Risk Assessment Template — fully editable, WHS-aligned, with built-in guidance. Part of the complete Psychosocial Risk Management Kit. →

Frequently Asked Questions

How often should a psychosocial risk assessment be reviewed?

At minimum, annually. You should also review after any psychosocial incident or complaint, following significant organisational change (restructures, redundancies, new management), and whenever a control appears to be ineffective. Your Audit & Review Checklist should prompt this process.

Who should conduct a psychosocial risk assessment?

In most SMEs, the risk assessment is conducted by the business owner, HR manager, or WHS officer — ideally in consultation with supervisors and workers in the relevant work area. You do not need to be a WHS specialist, but you do need a structured template, a clear process, and genuine input from the people doing the work.

What is the difference between a psychosocial risk assessment and a general WHS risk assessment?

A general WHS risk assessment covers physical hazards — slips, trips, equipment, chemicals. A psychosocial risk assessment focuses specifically on work-related psychological hazards: workload, conflict, aggression, job control, and so on. The methodology (likelihood x consequence, hierarchy of controls) is the same; the subject matter is different. Many businesses need both.

Do I need a consultant to conduct a psychosocial risk assessment?

No. While a WHS consultant can be helpful for complex situations or high-risk workplaces, most Australian SMEs can conduct a psychosocial risk assessment in-house using a structured template and this guide. The key is to use a standardised, WHS-aligned template, consult genuinely with your workers, and document your process clearly.

What happens if I don't complete a psychosocial risk assessment?

Failure to assess psychosocial risks is a breach of your WHS obligations. If a psychological injury occurs in your workplace and you cannot demonstrate that you identified and assessed the relevant hazards, you are exposed to improvement notices, fines, and in serious cases, prosecution. The risk assessment is also your best tool for actually preventing harm — which is the whole point.

Related articles

Disclaimer: This article is for general informational purposes only and does not constitute legal or professional WHS advice. Review all information against applicable legislation in your state or territory and seek expert guidance where required.

Back to blog