1. Home
  2. Compliance code: Psychological health

Part 3 – Step 4: Review risk controls

Part 3 of the Psychological health compliance code has 4 steps. Step 4 of the risk management process explains when and how to review and revise risk controls.

This is page 7 in a series of 11 that comprise the Psychological health compliance code. You must read the whole Code so that you understand how to meet your deemed compliance obligations.

Previous page

This is page 7 in a series of 11 that comprise the Psychological health compliance code. You must read the whole Code so that you understand how to meet your deemed compliance obligations.

Next page

Step 4: Review risk controls

  1. Reviewing risk controls involves examining whether the control measures are effectively controlling risks, so far as is reasonably practicable.
  2. Where a review finds that the control measures in place are not adequately controlling the risk, they must be revised so that they are controlling the risk, so far as is reasonably practicable. <OHS (Psychological Health) Regulations r16>

When risk controls must be reviewed

  1. Employers have a duty to review and, if necessary, revise the control measures in place when certain circumstances occur. <OHS (Psychological Health) Regulations r16> Table 2 lists when an employer must review their risk controls.

Table 2: When to review and revise risk controls

ReviewRevise
  1. before any alteration is made to any thing, process or system of work that is likely to result in changes to risks associated with psychosocial hazards
If the review finds that the controls are not adequately controlling the risk so far as is reasonably practicable, risk controls must be revised.
  1. if there is new or additional information about a psychosocial hazard available to the employer
  1. if an employee, or a person on their behalf, reports a psychological injury or psychosocial hazard to the employer
  1. after any incident occurs to which Part 5 of the OHS Act applies that involves a psychosocial hazard or hazards (notifiable incident)
  1. if, for any other reason, the risk control measures do not adequately control the risks associated with a psychosocial hazard
  1. after receiving a request from an HSR.

Notifiable incidents

Part 5 of the OHS Act provides that an employer or self-employed person must not, without reasonable excuse, fail to notify WorkSafe immediately after becoming aware that certain specified incidents have occurred at a workplace under their management and control.

This duty does not apply if the employer or self-employed person is the only person harmed, injured or exposed to the risk. <OHS Act s38(1) and s38(2)>

Notifiable incidents are those that result in:

  • the death of a person
  • a person requiring medical treatment within 48 hours of exposure to a substance
  • a person requiring immediate treatment as an in-patient in a hospital
  • a person requiring immediate medical treatment for certain serious injuries
  • a person being exposed to a serious risk to their health or safety emanating from the immediate or imminent exposure to specified circumstances and events. <OHS Act s37>

More information about an employer’s duties in relation to notifiable incidents

  1. An HSR may request that an employer review and, if necessary, revise risk control measures if they believe on reasonable grounds that:
    • any of the circumstances listed in Table 2 exist, or
    • the employer has failed to properly review the risk control measures, or
    • the employer has failed to take account of any of the circumstances listed in Table 2 in reviewing or revising the risk control measures. <OHS (Psychological Health) Regulations r16(2)>

How to review risk controls

  1. The people reviewing risk control measures need to:
    • have the authority and resources to conduct the review thoroughly
    • be empowered to recommend changes where necessary.
  2. When reviewing the effectiveness of risk control measures, employers should determine if they are reducing the risk of harm, so far as is reasonably practicable. Consider things like:
    • Are employees reporting that risk control measures are not controlling the risk?
    • Has the risk changed or is it different to what was previously assessed?
    • Have employees reported or shown signs of any negative psychological responses?
    • Have all psychosocial hazards been identified?
    • Are employees and any HSRs actively involved in the risk management process?
    • Are employees raising health and safety concerns and reporting problems promptly?
    • Are employees encouraged to report hazards and risks?
    • Has information, instruction or training been provided to all relevant employees?
    • Are there any upcoming changes that are likely to result in an employee being exposed to a psychosocial hazard?
    • Are new risk control measures available that might better control the risk?
    • Has the risk been eliminated or reduced so far as is reasonably practicable?
    • Are risk controls in place to the full extent that is reasonably practicable?
  3. Employers should also assess if risk controls have unintentionally introduced new risks or increased other risks. For example, surveillance technology used to monitor customer behaviour and reduce the risk of aggression or violence may also be used to monitor employee productivity, without proper communication or consultation. This increases the risk of harm from exposure to low job control and poor organisational justice.
  4. Employers must, so far as is reasonably practicable, consult employees and any HSRs when reviewing any risk controls. <OHS Act s35> To help establish whether risk controls are working, consider using:
    • team meetings and one-on-one discussions with employees
    • project evaluations
    • employee feedback or surveys.
  5. How a review is conducted will vary depending on the situation. For example, in some cases a brief analysis may be sufficient. At other times, a documented, in-depth review may be required.
  6. In some organisations, psychosocial hazards may be reported frequently, due to the nature of the work. The employer should put processes in place to consider all reports and assess if risk controls are working effectively. This may include reviewing similar hazards together. This may:
    • reduce the administrative load for an organisation
    • help employers to assess if there is new information about risks in the working environment
    • highlight if risk controls need to be revised.
  7. Frequent reports of psychosocial hazards indicate that employees may be exposed to harm. The employer should regularly review their risk controls to ensure they are controlling the risk, so far as is reasonably practicable.

Example of reviewing risk controls when psychosocial hazards are frequently reported

Employees working with members of the public are frequently exposed to aggression or violence. The hazard is well understood by the employer, who has implemented controls to reduce the risk so far as is reasonably practicable. The employer has operational procedures in place that require employees to record if they have been subject to physical or verbal aggression or violence from a member of the public.

The employer schedules regular meetings to review the frequency and severity of reports of aggression or violence. HSRs for the relevant employee groups are invited. Before the meeting, a summary report is prepared highlighting the total number of reports since the last meeting and any circumstances that are new, unusual or severe. In the meeting, the report is discussed to identify whether any additional information about a psychosocial hazard is available.

Risk controls are then reviewed and revised as necessary, taking into consideration any changes to the risk profile.

When to revise risk controls

  1. If the review finds that risk control measures are not reducing the risk, so far as is reasonably practicable, the risk controls must be revised. <OHS (Psychological Health) Regulations r16> Employers need to go back through the risk management process, review information and make further decisions about risk controls.
  2. Risk management for psychosocial hazards is not a one-off exercise – it needs to be ongoing. The dynamic, complex and changing nature of working environments can have significant, unexpected or unplanned negative effects on employees' psychological and physical health. Employers must control any new or potential associated risks so far as is reasonably practicable. <OHS (Psychological Health) Regulations r15>

Example of revising risk controls after a review, due to changed risk

An employee is injured due to violence from a member of the public. They receive medical treatment for their injuries. The employer reports the incident to WorkSafe under Part 5 of the OHS Act. The employer must now review the relevant risk control measures to see if they control the risk, so far as reasonably practicable.

The employer finds that aggression or violence towards employees is increasing due to frustration at long waiting times. These are the result of staff shortages caused by difficulties recruiting appropriately skilled staff. Existing employees are also being exposed to high job demands.

The employer reviews:

  • recruitment processes
  • internal processes for managing unplanned absences.

As a result, the employer:

  • Develops a new recruitment strategy to help fill existing vacancies.
  • Adjusts the process for managing unplanned absences to use existing employees with appropriate skillsets in the first instance. Where vacancies cannot be filled by existing staff, labour hire staff are used.
  • Refines the induction process for new and labour hire employees. This includes training on how systems of work are used to control the risks associated with exposure to aggression and violence.

Example of no change to risk controls after a review 

An employee reports bullying allegations through their employer’s grievance procedure. The employer must now review the relevant control measures to see if they control the risk, so far as reasonably practicable. The review shows:

  • A bullying policy and procedure is in place and has recently been reviewed and updated. The allegations of bullying were investigated in line with the policy and procedure.
  • Counselling support was offered to all parties involved.
  • A psychosocial hazard identification process was conducted with the relevant team.
  • It was identified that the team was exposed to high job demands. The associated risks had been adequately controlled at the time of investigation. A workload management process had recently been implemented and vacancies in the team filled.
  • All supervisors and managers completed training on expected leadership behaviours and proactive risk management.
  • All employees were aware of available confidential reporting, mediation and conflict resolution services.
  • All employees were provided with training on bullying and being an active bystander.
  • Ongoing feedback and consultation with employees is occurring.

Based on this review, the employer concludes that their risk control measures are reducing the risk, so far as is reasonably practicable. No further revision is needed.

Record-keeping

  1. Employers should keep records of the risk management processes and consultation for all psychosocial hazards. This will help with:

    • monitoring hazards, risks, trends and themes
    • assessing the effectiveness of risk controls
    • reviewing and revising risk controls.

    It will also help to demonstrate risk management processes if a WorkSafe inspector asks for evidence of them.

  2. Employers should choose a method of recording the risk management process and outcomes to suit their circumstances. For example, employers could:
    • use the prevention plan template
    • keep an organisational risk register
    • develop risk assessment and action plan templates for their organisation
    • use meeting minutes for OHS committee, leadership, governance group or team meetings.
  3. The risk management process and outcomes should be recorded in a way that is clear and accessible. This will enable the employer to easily provide information about the risk management process to employees and HSRs.
  4. Employers should consider employee privacy when recording this information. For example, not using employee names when recording details of how a hazard or risk was identified.

When recording the risk management process and outcomes, employers may consider recording information about the key elements of the process, such as:

  • Details of the identified psychosocial hazard
    • When was the hazard first identified?
    • How does it manifest in the working environment?
    • How was it identified? If the hazard was identified because of an incident or complaint, make sure individual employees are not identified.
  • An assessment of the risks that could occur
    • Who would be affected?
    • What are the possible consequences of the risk eventuating (severity)?
    • How likely is it that the harm will eventuate (likelihood)?
    • How often and for how long are employees exposed to the hazard (frequency and duration)?
  • The risk controls that have been put in place to eliminate or reduce the hazard
    • Which risk controls are most effective at controlling the hazard so far as is reasonably practicable?
    • Are there any additional risk controls that are or may be required?
    • Who will implement the identified risk controls and by when?
  • Review and revision of risk controls
    • When will the risk control measures be reviewed?
    • Who will manage the review?
    • What is the outcome of the review?
    • Who will implement any changes to risk controls and by when?
  • Details of consultation with employees and any HSRs
    • Who was consulted?
    • How and when were they consulted?

This is page 7 in a series of 11 that comprise the Psychological health compliance code. You must read the whole Code so that you understand how to meet your deemed compliance obligations.

Next page

This is page 7 in a series of 11 that comprise the Psychological health compliance code. You must read the whole Code so that you understand how to meet your deemed compliance obligations.

Previous page