ISO 45003 in plain English: psychosocial risk for Australian SMEs
You don't need an industrial-organisational psychologist on staff to run a defensible psychosocial programme. Here's how ISO 45003 actually works, and what the minimum viable version looks like.
Australian SMEs now have a legal duty to manage psychosocial risk, and the regulator can fine you if you don't. ISO 45003 is the international standard that tells you what “managing” looks like. This is a plain-English walkthrough for organisations that don't have a full-time WHS team.
Where the duty comes from
Psychosocial risk has been an implied duty under the WHS Act since 2011 (it's a hazard, you have to manage hazards). The 2022–2023 wave of psychosocial regulations and Codes of Practice across QLD, NSW, VIC and SA made it explicit. From 2026 in NSW, the psychosocial Code is enforceable in its own right under section 26A.
The duty is to identify, assess and control psychosocial hazards. ISO 45003:2021 is the international standard that tells you how. You don't have to formally certify against ISO 45003 to satisfy the regulator, but using it as your framework is the cleanest way to demonstrate due diligence.
The 12 psychosocial hazard categories
ISO 45003 groups psychosocial hazards into three buckets:
1. How the work is organised
- Workload and work pace
- Job control and autonomy
- Role clarity and conflict
- Job security and uncertainty
2. Social factors at work
- Interpersonal relationships
- Leadership and supervision
- Bullying, harassment and aggression
- Recognition and reward
3. Work environment, equipment and hazardous tasks
- Equipment, environment and conditions
- Exposure to traumatic events
- Remote and isolated work
- Violence (including third-party)
For most Australian SMEs, four or five of these are the dominant risks. Workload, role clarity, leadership behaviour and bullying are the big four for most office-based workplaces. Add traumatic events for healthcare and emergency services. Add isolation and violence for retail and transport.
What “managing” actually looks like
Three things, in order:
- A register of identified hazards. One row per hazard, with the affected workers, the source, current controls, and a residual risk rating.
- A control plan for each hazard. Following the hierarchy of controls (eliminate, substitute, isolate, engineer, administer, PPE), just like physical hazards. For psychosocial hazards, “administrative” controls dominate (policies, training, supervision practices, escalation procedures), but elimination is sometimes possible (e.g. removing a high-conflict customer interaction from a particular role).
- Periodic review. Controls don't stay effective forever. Review on a defined cadence (annually at minimum, quarterly for high-residual-risk hazards), capture effectiveness, adjust.
The minimum viable psychosocial programme
For a small business with no dedicated psychologist on staff, this is the smallest defensible version:
- Hazard identification: a survey to all workers (anonymous), reviewed annually, supplemented by exit interviews and incident reports. ISO 45003 doesn't mandate a specific tool. Pick one and use it consistently.
- Register: the identified hazards, their frequency and severity, the affected groups, current controls and the residual risk rating after controls. Updated whenever a new hazard is identified.
- Control plan: for each registered hazard, what you're doing about it: the policy, the training, the supervisor practice, the escalation procedure. With an owner and a review date.
- Annual control review: are the controls working? What's the evidence (incident counts, survey trends, attendance, exit reasons)? What needs to change?
- Board reporting: for organisations with a board or executive committee, a one-page psychosocial summary at least quarterly. The board has its own due-diligence duty.
What RAE IQ does about it
The psychosocial register ships an ISO 45003-aligned hazard taxonomy out of the box. Pre-built survey templates run anonymously and feed results into the register. The control review workflow gives you the “is it working?” evidence on a defined cadence. Board reporting is a one-click export on the Business plan.
Psychosocial signal detection sits across your incident data and flags incidents that are physically logged but psychosocial in nature (e.g. a verbal abuse incident logged as “verbal incident” in the standard register). Basic detection is included on Professional; full ISO 45003 workflow is on Business.
The bit nobody tells you
Psychosocial risk isn't solved by software. The platform gives you the structure, the register, the control plan and the evidence trail. The actual reduction in risk comes from the conversations, the supervisor coaching, the policy enforcement, the escalation procedures, all the work that has to happen between people. The software exists so the work doesn't get lost, doesn't go undocumented, and stands up at audit.
If you want a starting point, start free and run the psychosocial survey on your team. Even the free tier will tell you which two or three hazards to focus on first.