Managing Psychosocial Hazards at Work: A Code of Practice Walkthrough
Managing psychosocial hazards at work means identifying, assessing and controlling the aspects of work that can cause psychological harm — and it is now a legal requirement for every Australian employer, not a nice-to-have.
The good news? You don’t have to invent your own method. The code of practice gives you a step-by-step process for managing psychosocial risks in the workplace. This walkthrough explains what the code requires, in plain English, and how to make it practical.
What is the Managing Psychosocial Hazards at Work Code of Practice?
The code of practice is an approved, practical guide that explains how employers (PCBUs) must identify, assess, control and review psychosocial hazards under Australian WHS law. The national version is Safe Work Australia’s Model Code of Practice: Managing psychosocial hazards at work (2022), and most states and territories have approved their own version — with the same core process but local differences in legal status. It applies to virtually every Australian organisation, regardless of size or industry.
The code covers hazards including:
High or low job demands
Low job control
Poor support from supervisors or colleagues
Lack of role clarity
Poor workplace relationships, including bullying and harassment
Poorly managed organisational change
Remote or isolated work
Exposure to traumatic events or violence
Here’s the key point most organisations miss: these are not vague “stress” issues or individual wellbeing problems. They are structural, systemic risks arising from how work is designed, organised and managed. The code treats them exactly the way WHS law treats physical hazards — because legally, they now carry the same weight.
A walkthrough of the four risk-management steps
The code follows the same risk-management cycle you already use for physical safety. Four steps. No mystery. The discipline is in actually doing them — and being able to prove you did.
Step 1 — Identify the hazards
You can’t manage what you haven’t measured. Identification means gathering real information, not guessing from the executive floor: worker surveys, genuine consultation, incident and complaint data, absenteeism and turnover patterns, exit interviews, and walking the floor to observe how work actually gets done. Consultation isn’t optional under the code — workers must be involved. A hazard you haven’t looked for is still a hazard; it’s just one you can’t defend.
Step 2 — Assess the risks
Once identified, assess each hazard for likelihood, severity, duration and frequency of exposure. Critically, consider how hazards combine. High job demands alone are a risk; high demands plus low support plus poor role clarity is how psychological injury claims are made. This is where managing psychosocial risks in the workplace differs from a tick-box audit — the interactions matter as well as the individual hazards.
Step 3 — Control the risks
The law requires you to eliminate risks where reasonably practicable, and otherwise minimise them — starting at the source. That means redesigning the work itself: workloads, rosters, role clarity, reporting lines, change processes. Resilience training and support programs have genuine value, but they are supporting controls, not substitutes. A wellbeing webinar does not fix an impossible workload, and regulators know it. The hierarchy of controls now explicitly applies to psychosocial hazards, so work design comes first, and skills-building reinforces it.
Step 4 — Review and monitor
Controls are hypotheses until you test them. Review whether they’re actually working — through follow-up data, consultation and incident trends — and revisit your assessment whenever work changes: restructures, new systems, new leadership, growth. An assessment gathering dust in last year’s HR folder is evidence of a process that stopped, and regulators read it exactly that way.
A note on state requirements
Every Australian jurisdiction now has formal requirements for psychosocial risk. Two recent changes deserve your attention. In Victoria, dedicated Psychological Health Regulations took effect in December 2025. And in NSW, from 1 July 2026, section 26A of the WHS Act makes approved codes of practice enforceable compliance benchmarks: you either follow the Managing Psychosocial Hazards at Work Code of Practice, or you must demonstrate your approach achieves an equivalent or higher standard. A regulator no longer needs to prove harm occurred — falling short of the code can itself be a breach. If you operate in NSW, the walkthrough above is no longer best practice. It’s the benchmark you’re measured against, right now.
How proactive programs make compliance easier
Meeting the code isn’t only about registers and policies. The organisations that find compliance easiest are the ones that reduce risk at the source — and build the psychological skills that stop everyday pressures becoming psychological injuries.
That’s where evidence-based, preventive programs earn their keep:
Leader capability. Leaders who understand psychosocial hazards — and have the skills to hold early, effective conversations — are your single most powerful control.
Psychological skills training. Delivered by psychologists, grounded in evidence, it directly supports the “control” step of the code rather than sitting beside it.
Measurement. Structured assessment gives you the documented evidence trail the “review” step demands — and that an inspector will ask for.
This is the approach we take at Healthy Minds: managing psychosocial hazards at work through prevention, not paperwork. You can read about our full psychosocial hazards program here, or start with our free Psychosocial Hazard Audit Readiness Checklist to see where you stand before a regulator asks.
Frequently asked questions
Is the psychosocial hazards code of practice mandatory for employers?
The underlying duty to manage psychosocial risks is mandatory everywhere in Australia. The code’s legal status varies by state: in NSW (since 1 July 2026) and Queensland, following an approved code — or proving an equal or better approach — is itself a legal duty. Elsewhere, codes are used as evidence of what you reasonably should have done.
What’s the difference between a psychosocial hazard and a psychosocial risk?
A hazard is the source of potential harm — for example, chronically high job demands. The risk is the likelihood and severity of harm actually occurring from that hazard. You identify hazards; you assess and control risks. The distinction matters because the law requires you to manage both systematically.
How often should we review our psychosocial risk controls?
Review controls whenever anything material changes — restructures, new technology, new roles, rapid growth — and at planned intervals in between. Annual reviews are a minimum, not a target. Continuous monitoring through data and consultation is what regulators increasingly expect, and what actually catches emerging risks early.
Who is responsible for managing psychosocial hazards at work?
The organisation holds the primary duty, and officers — directors and executives — carry personal due diligence obligations. Responsibility cannot be delegated to HR and forgotten. Workers have duties too, but the design of work sits with leadership, which is why leaders are central to any credible approach.
Can wellbeing training count toward managing psychosocial risks in the workplace?
Yes — as one layer of a broader system, not as the system. Training is an administrative control, which sits below work redesign in the hierarchy of controls. Evidence-based psychological skills training strengthens your controls and demonstrates action, but it cannot substitute for fixing the way work itself is designed.
Where to from here?
If you’re not certain your organisation would pass the four-step test above, find out before someone else does. Take the free Psychosocial Hazard Audit Readiness Checklist, or explore how our workplace programs support compliance while genuinely building the psychological skills of your people. Get in touch — we’re happy to help.