Business owners and managers I speak with understand that psychological safety matters. What many don’t yet realise is that managing it is no longer a matter of good culture — it is a legal obligation, with enforceable duties, regulatory scrutiny, and real consequences for non-compliance.
That shift has been building since 2022. It is now settled law across every Australian jurisdiction, including Western Australia.
This post explains what the law actually requires, which everyday management decisions are now in scope, and what a compliance-ready approach looks like in practice, particularly for businesses without dedicated HR support.
The regulatory shift: from guidance to enforcement
For years, managing psychological wellbeing at work was treated as a culture initiative. Employers ran training programmes, updated wellbeing policies, and measured engagement scores. These things have value. But they were largely voluntary, largely unverified, and rarely subject to the same rigour as physical safety obligations.
That is no longer the position.
Under the Work Health and Safety (General) Regulations 2022 (WA) — specifically regulations 55A to 55D — Western Australian employers are legally required to identify, assess, and control psychosocial hazards using the same risk management framework that applies to physical hazards. A psychosocial hazard is broadly defined as anything arising from the design or management of work, the work environment, workplace interactions or behaviours, or other relevant factors that may cause psychological harm.
This places obligations on employers that go well beyond offering an Employee Assistance Programme or posting a mental health policy on the intranet.
As of December 2025, every Australian jurisdiction has now adopted this framework. Regulators have moved decisively from education into enforcement. According to nbn’s executive manager of safety and wellbeing, Stephen Smith, agencies such as Comcare are no longer waiting for formal complaints before initiating investigations. They are acting on early signals, workplace trends, and even media reports — and they expect employers to produce documented risk assessments, evidence of consultation, and records of controls implemented and reviewed.
The message from regulators is consistent: psychological health sits in the same compliance category as physical safety. Policies alone are not enough. What matters is whether those policies are applied, monitored, and embedded into the way work actually happens.
What the law actually covers — and it may surprise you
The hazards listed under Safe Work Australia’s national framework are broader than most employers expect. They include:
- Job demands — excessive workloads, unrealistic deadlines, not enough time to do the work to the required standard
- Low role clarity — unclear expectations, conflicting instructions, uncertainty about decision-making authority
- Poor change management — restructures, system changes, or new requirements introduced without adequate consultation or support
- Inadequate support — managers who are unavailable, dismissive of concerns, or who fail to check in with employees under pressure
- Workplace conflict and interpersonal behaviour — bullying, harassment, disrespectful conduct, or a culture where speaking up feels unsafe
- Intrusive or punitive management practices — performance management processes that are poorly designed, applied without support, or that themselves create psychological harm
That last point is critical, and it is where many employers are caught off guard.
Performance management, when conducted without adequate training, support, or oversight, can itself constitute a psychosocial hazard. This is not a theoretical risk. In December 2025, the Department of Defence was convicted and fined $188,000 — becoming the first Commonwealth employer penalised under federal WHS laws for failing to manage psychosocial risks — after a RAAF technician was placed on four separate work plans over six months with no referral for support at any stage. The court found the risks were obvious. The policies existed. They simply were not applied.
As Comcare CEO Colin Radford stated publicly: policies can only ever mitigate risk if they are applied and followed in practice, and if they are supported by training those responsible for implementing them.
That principle applies equally to private employers. The maximum penalty for a Category 3 WHS offence, failing to comply with a health and safety duty, is $500,000.
The four management situations most likely to create legal exposure
Based on what I see across client organisations, psychosocial risk most commonly surfaces in four situations. Each involves ordinary management decisions that, when handled without a safety lens, can create significant legal exposure.
1. Workload that has become unsustainable
Job demands are the first hazard listed in Safe Work Australia’s psychosocial risk guidelines. Long hours, competing priorities, and constant pressure are part of many roles, but when workload becomes sustained, unmanageable, and unaddressed, it crosses the line from demanding to hazardous.
The FWC is increasingly testing this. A recent case saw an employee argue she had been compelled to resign due to excessive job demands — a constructive dismissal argument. While the employer was able to demonstrate it had made efforts to address the workload, the FWC’s analysis confirmed that high job demands are being scrutinised through a legal lens, not just a management one.
Critically, the obligation does not wait for an employee to raise a formal complaint. Employers are required to proactively scan the work environment for signs of unsustainable workload, including peaks in demand, resourcing gaps, unclear priorities, and roles that have grown beyond their original design.
If an employee does raise a workload concern, the first step is assessment, not reassurance. Is this a role design issue, a resourcing gap, or a capability issue? Each requires a different response, and conflating them creates risk in all directions.
2. Performance management conducted without a safety lens
The Defence case is the clearest illustration of what happens when performance management is applied without psychosocial risk controls. The employer had policies. Those policies were not followed in practice. Supervisors were not trained to recognise when the process itself was creating harm.
The obligation for employers is twofold: ensure that performance management processes are designed with psychosocial risk in mind, and ensure that those administering the process are equipped to recognise when intervention is needed, including when to pause the process and refer an employee for support.
This is not about making performance management soft or avoiding accountability. It is about ensuring the process is conducted safely and with appropriate oversight. A well-run performance conversation, with clear expectations, documented observations, and genuine support, is both legally defensible and more effective. A process that subjects someone to repeated pressure without support is neither.
3. Anonymous or informal complaints that go unaddressed
Employers are not legally required to investigate every anonymous tip. But any indication of serious misconduct or risk to employee wellbeing engages WHS obligations regardless of whether the complainant is identified.
Doing nothing is the riskiest response of all. Unaddressed complaints create conditions for harm to continue, signal to the workforce that concerns are not taken seriously, and compound exposure if a formal complaint or regulator investigation follows.
The appropriate first step with any complaint, identified or anonymous, is to assess its credibility and seriousness. That assessment may not lead to a formal investigation. It might involve a sensitive check-in with affected employees, a review of relevant records, or a targeted culture survey. The point is that a considered response is documented. Silence is not.
There is also a procedural fairness obligation to bear in mind. A person subject to a complaint, even an anonymous one, generally needs to know enough about the substance of the allegation to have a fair opportunity to respond. They do not need to know the identity of the complainant. But they do need the substance. This distinction matters significantly if a disciplinary outcome is later challenged.
4. Management practices that normalise risk
Some of the most significant psychosocial risk doesn’t arrive as a single incident. It accumulates — through a culture of long hours that is never questioned, through leadership styles that dismiss concerns, through change processes that are implemented without adequate consultation, or through a team environment where speaking up has gradually come to feel unsafe.
By the time someone raises a formal complaint, the risk has often been embedded for months. The investigation that follows will almost always surface an earlier pattern, of warning signs that were not acted on, of concerns that were not escalated, of supervisors who were not equipped or supported to respond.
The regulatory obligation is to manage psychosocial risk proactively. That means building systems to identify early signals, through regular check-ins, workload monitoring, exit interview analysis, and structured team feedback, and acting on what they reveal before harm occurs.
What a compliance-ready approach actually looks like
Meeting WA’s psychosocial risk obligations does not require a large HR team or complex infrastructure. For most mid-sized businesses, it requires three things done consistently.
1. A structured approach to identifying risk
Psychosocial hazard identification should not wait for a complaint or an incident. Regular team check-ins, workload reviews, and periodic surveys, even simple, informal ones, create visibility over conditions that might otherwise go unnoticed. The People at Work survey tool, endorsed by Safe Work Australia, is a practical option for businesses that want a structured baseline assessment.
2. Documented processes that are actually followed
The Defence case made one thing unmistakably clear: having a policy is not the same as having a control. Employers need to be able to demonstrate that their policies for managing workload, handling complaints, and conducting performance management are applied in practice, and that the people responsible for applying them are trained to do so.
Documentation does not need to be elaborate. Clear records of conversations, assessments, decisions, and referrals are what make a process defensible. The absence of documentation is what makes it vulnerable.
3. Supervisors who are equipped to recognise and respond to risk
Most psychosocial risk is managed, or missed, at the supervisor level. Managers who know how to have a fair performance conversation, who recognise the signs of a workload that has become unsustainable, and who understand when to refer rather than push through are the most effective risk control an organisation has.
This is not a one-off training investment. It requires ongoing coaching, clear frameworks, and a culture where supervisors feel supported in raising concerns up the chain rather than managing them alone.
What this means for WA businesses specifically
Western Australia’s WHS (General) Regulations 2022 have placed psychosocial hazard management on the same legal footing as physical safety since their commencement. The Code of Practice: Psychosocial Hazards in the Workplace (WA, 2022) sets out the obligations in practical detail.
WorkSafe WA is the relevant regulator for most private businesses in this state. While enforcement focus to date has been education-heavy, the national direction is clear — and WA is aligned with it. Businesses operating in regulated sectors like NDIS, SCHADS, and construction, face additional scrutiny given the nature of the work and the vulnerability of the people involved.
For businesses without dedicated HR support, the risk is not ignorance of the law. It is the gap between having policies on paper and having systems in practice. That gap is exactly what regulators are looking for, and exactly what our compliance work is designed to close.
The practical question to ask yourself now
The simplest way to assess your current exposure is to ask one question: if a regulator investigated your workplace today, could you demonstrate that your people practices — how you manage workload, handle complaints, conduct performance management — are designed and applied with psychosocial risk in mind?
If the honest answer is no, or not confidently, that is the starting point.
This is not about creating fear. It is about building the kind of HR foundation that protects your business and supports your people, before a complaint, an investigation, or a regulator inquiry makes the decision for you.
If you are unsure where your obligations begin or where your current practices fall short, an HR Compliance Audit is the clearest way to find out. We work through your policies, processes, and documentation against current WA requirements, and give you a practical roadmap for what needs to change.
Book an HR Compliance Audit | Speak with Strategic HR Australia
Related reading
- Unsafe vs Uncomfortable at Work: Know the Difference — how to assess whether a complaint constitutes a genuine safety concern or a management conversation
- Why Uncomfortable Conversations Must Be Part of Your Workplace DNA — And How to Make It Happen — how to build the leadership capability that psychosocial risk management requires
Frequently Asked Questions
Are WA employers legally required to manage psychosocial risks?
Yes. Under the Work Health and Safety (General) Regulations 2022 (WA), regulations 55A to 55D, all WA employers (PCBUs) must identify, assess, and control psychosocial hazards using the same risk management approach that applies to physical hazards. The obligation is to eliminate these risks where possible, or minimise them so far as is reasonably practicable.
Can ordinary management decisions — like giving feedback or conducting performance reviews — create psychosocial risk?
Yes, and this is one of the most commonly misunderstood aspects of the obligations. Performance management processes, when poorly designed or applied without appropriate support, can constitute a psychosocial hazard. The Department of Defence was convicted in December 2025 for exactly this reason — the performance management process itself created foreseeable risk, and supervisors were not trained to recognise or respond to it. Feedback and accountability remain legitimate and necessary. The obligation is to ensure the process is conducted safely and with appropriate oversight.
Does a business need to investigate every anonymous complaint?
Not necessarily — but any complaint indicating serious misconduct or risk to employee wellbeing engages your WHS obligations regardless of whether the complainant is identified. Doing nothing is the highest-risk response. The appropriate first step is to assess the credibility and seriousness of the concern and document your assessment and response, even if a formal investigation is not warranted.
How is this different from what employers were already expected to do?
Before these regulations, psychological wellbeing obligations were largely implied through general duty-of-care provisions and anti-bullying frameworks. The regulations make the obligation explicit, specific, and enforceable — with the same penalties and regulatory scrutiny as physical safety failures. The shift is from “we should do this” to “we are required to, and regulators are checking.”
What is the penalty for failing to comply with psychosocial risk obligations?
Under the WHS Act, a Category 3 offence — failing to comply with a health and safety duty — carries a maximum penalty of $500,000 for a body corporate. More serious failures that result in harm can attract Category 1 or Category 2 charges, with significantly higher penalties. Beyond financial penalties, the court can also impose adverse publicity orders, requiring the employer to publicise the offence and its consequences.
