What Workplace Lawyers Are Warning About Psychosocial Risk — And What HSEQ Managers Should Do Now

Workplace lawyers across Australia have been issuing the same warning for the better part of two years: psychosocial risk is now the fastest-rising area of WHS legal exposure, and most organisations are not operationally ready for it. The commentary is dense, the case law is moving fast, and the gap between what regulators expect and what HSEQ teams are equipped to deliver is widening. This article synthesises what the workplace bar is actually saying and translates it into priorities HSEQ managers can act on this quarter.

What the workplace bar is saying

Three themes recur across legal commentary from firms including ABLA, Herbert Smith Freehills, MinterEllison, Clayton Utz, and others over the past 18 months.

Theme 1 — The duty has expanded faster than the operating model

The 2022 amendments to the WHS Regulations and the 2024 Model Code of Practice did not invent a new duty. They explicitly extended the existing primary duty under section 19 of the WHS Act to cover psychosocial risks. The legal duty is the same one organisations have managed for physical safety for decades. What has changed is that the operational machinery — the registers, controls, consultation processes, evidence chains — has to now apply to a hazard category most organisations were managing through HR, ER, and wellness programs that were never designed to satisfy a WHS duty.

The legal commentary keeps returning to the same observation: the gap is not in the rules. The gap is in operational readiness. Most boards now understand they have a psychosocial duty. Most operating teams do not yet have the systems to discharge it.

Theme 2 — The evidence threshold has risen sharply

Several lines of authority have hardened in recent years. Kozarov v Victoria (HCA, 2022) confirmed that employers can be liable for failing to take reasonable steps to address foreseeable psychological injury, even where the worker did not specifically complain. Court Services Victoria (WorkSafe Vic prosecutions, 2023–24) established that organisational-level failures to manage psychosocial conditions can result in successful prosecution. Elisha v Vision Australia (HCA, 2024) extended damages exposure where psychiatric injury flows from unreasonable disciplinary process. Western Sydney LHD and the Department of Defence convictions added to the body of decisions where the question was not whether harm occurred but whether the organisation had taken reasonably practicable steps to prevent it.

The combined effect is that "we had a policy" is no longer a defence. The defensible position now requires evidence of identification, consultation, controls, and review — the full WHS risk management cycle, applied to psychosocial hazards, with records that can survive scrutiny.

Theme 3 — "Reasonable management action" is narrowing

Section 32 of the WHS Regulations preserves the principle that reasonable management action carried out in a reasonable manner is not bullying. But the bar for what counts as reasonable has moved. Performance management without role clarity, restructure without consultation, disciplinary process without proportionality — each of these is now more difficult to defend than it was three years ago. The Elisha decision in particular makes clear that the conduct of the management process is itself subject to scrutiny, not just the outcome.

For HSEQ managers, the practical implication is that the audit trail around performance and disciplinary processes is now WHS-relevant, not just HR-relevant. The records that demonstrate role clarity, support, and proportionate process are the same records that defend the organisation against a psychiatric injury claim downstream.

What this means operationally

The legal commentary is consistent on what good looks like operationally. Five capabilities recur.

1. Identification surface across multiple data layers

The organisation can demonstrate it is actively looking for psychosocial hazards across incident data, workforce signals, worker voice data, and operational data. Identification is not a survey. It is a triangulated, refreshed view across multiple sources. The lawyers' point is direct: if you cannot show what you were looking at, you cannot show what was reasonably foreseeable.

2. Genuine, documented consultation

Consultation evidence is the single most legally protective artefact in a psychosocial program. Not because consultation in itself prevents harm — it does not — but because it demonstrates that the organisation took workers' views seriously before making decisions. The Code is explicit about what genuine consultation requires; the case law is increasingly explicit about what its absence costs.

3. Controls hierarchy, not training-and-policy

A controls register dominated by training, policy, and EAP is the most common pattern lawyers cite as legally fragile. The hierarchy of controls applies to psychosocial hazards the same way it applies to physical ones. Higher-order controls (work design, leader selection, organisational structure) carry weight; lower-order controls alone do not.

4. Implementation evidence, not just design evidence

The most damaging pattern in litigation is when the organisation can show it designed controls but cannot show the controls were operating. This is worse than no controls at all, because it documents foreseeability without action. Every control needs an owner, a date, a measurement plan, and a review record — and these need to be tracked.

5. Integrity-protected records

Records that can be retrospectively edited carry less evidentiary weight than records that cannot. Time-stamped, hashed records of identification, consultation, controls, and review establish what was known and when. This is technical infrastructure, not a paperwork exercise; the legal commentary increasingly references it.

What HSEQ managers should do this quarter

The legal commentary translates into a tight set of operational priorities. Four steps, in order.

1. Run a defensibility audit. For each of the 14 SWA hazard categories, can you produce, in under 15 minutes, evidence of identification, consultation, controls, and review? Most organisations cannot. The audit surfaces where the legal exposure is highest.
2. Close the consultation gap. Identify the work groups where consultation evidence is weakest — typically shift workers, remote workers, and small site operations — and build the consultation cadence to cover them. This is the single highest-leverage move in most programs.
3. Re-tier your controls register. Map your existing controls against the hierarchy. If 80% of your controls sit at training, policy, and EAP, your register is legally fragile regardless of how well-written it is. Identify three higher-order controls (work design, role clarity, leader capability) you can implement in the next quarter.
4. Lock down the evidence chain. Identification records, consultation outputs, control logs, and review evidence should be timestamped and integrity-protected at the point of capture. If the evidentiary trail can be edited after the fact, its legal value is materially weaker.

The bridge between legal and operational

The most important point in the legal commentary is the one most often missed by operations teams. The lawyers are not asking for more paperwork. They are asking for evidence that the work is actually being done. Sam Cahill at ABLA has made the point repeatedly: reasonable management action must be evidenced through genuine work, not through audit-generated documents produced after the fact. The legal protection runs out fast when the documents are decoupled from the work.

The implication for HSEQ managers is that the answer to rising legal exposure is not a bigger policy library or a more comprehensive audit binder. It is operational infrastructure that produces defensible records as a by-product of consultation, reasoning, and control work that was going to happen anyway. The records are an output. The work is the input. Organisations that get this ordering right end up with both lower legal exposure and better operational outcomes. Organisations that get it inverted end up with thick binders and thin defences.

For practitioners building or maturing this infrastructure, working through the full risk management framework and a worked example is the fastest way to see where the gaps in your current operating model are.