
AI-Assisted Psychosocial Risk Assessment: A WHS Governance Workflow That Keeps the Sign-Off Human

A practical WHS governance workflow for Australian financial-services teams: use AI to synthesise de-identified survey data and draft the written psychosocial risk assessment, while a competent person always sets the rating, chooses the controls, and signs off.

Last reviewed: 20 June 2026

Practitioner content. Written for WHS and safety professionals under the model WHS laws (with Victoria, WA, and the Comcare scheme noted where they differ). General information only. Not legal or WHS advice. A competent person makes every risk and notification decision.

A psychosocial risk assessment is one of those documents that takes a week of careful work and reads like it took an afternoon. You consult workers, you read free-text survey responses, you sort the noise into themes, you map those themes to recognised hazard categories, and only then do you sit down to write the assessment, rate each risk, and decide what controls are reasonably practicable. The reading and the drafting are slow. The judgement is the part that actually matters.

This is exactly the shape of work where a large language model earns its place, and exactly the shape where it must be fenced off from the decision. AI can cluster hundreds of de-identified survey comments into themes in seconds. It can line those themes up against the hazard categories in the model Code of Practice. It can produce a clean first draft of the written assessment. What it must never do is assign a risk rating or sign the document. Under Australian work health and safety law, that determination belongs to a competent person, and the law does not care that a model produced a tidy table.

This guide sets out a defensible workflow for an Australian financial-services WHS function. It is built around a worked example most readers will recognise: managing psychosocial hazards in a national insurer's claims contact centre. The same pattern applies to a bank's collections team, a super fund's member-services line, or any regulated environment where people absorb pressure on behalf of the organisation.

[Figure: concept diagram showing de-identified survey and consultation data flowing into an AI synthesis layer, then into a drafted assessment, with a clearly separated human decision gate where the risk rating and controls are set. Caption: The boundary is the whole point: AI synthesises and drafts, a competent person rates and signs.]

The legal frame, in plain terms

Australian WHS law is built on a set of model laws developed by Safe Work Australia and then adopted, with variations, by each jurisdiction. This matters before you automate anything, because the exact obligation you are meeting depends on where your workers sit.

The Safe Work Australia Model Code of Practice: Managing psychosocial hazards at work, published in July 2022, is the practical anchor for this work. It explains how to identify psychosocial hazards, assess and control the risks, review the controls, and record the process. Sitting above it, the model WHS Regulations introduced specific psychosocial provisions, commonly cited as regulations 55A to 55D: they define a psychosocial hazard, define psychosocial risk, impose a duty to manage psychosocial risks so far as is reasonably practicable, and set out the control measures a person conducting a business or undertaking must consider. Safe Work Australia's own announcement of the new regulations and Code frames these as clarifying existing duties rather than creating new ones. The primary duty of care, including psychological health, already lived in section 19 of the model WHS Act.

The model laws are adopted differently across the country. New South Wales moved early: its Code of Practice: Managing psychosocial hazards at work took effect on 28 May 2021, ahead of the national model. Victoria and Western Australia operate their own arrangements and differ in detail, so do not assume the model Code's exact wording is law in those states. For Commonwealth and federally regulated employers, the relevant scheme is the Work Health and Safety Act 2011 (Cth), regulated by Comcare. Comcare's regulatory guide on managing psychosocial hazards sits over Commonwealth WHS Regulations whose psychosocial amendments commenced on 1 April 2023. Internationally, ISO 45003:2021 gives guidance on managing psychosocial risk inside an ISO 45001 management system, and is worth a read as a structuring reference, though it is a voluntary standard rather than Australian law.

The practical takeaway: confirm which jurisdiction governs your workers, treat the model Code as your method, and verify the specific regulation against the adopting jurisdiction before you cite a number in a document that may be read in evidence.

The human-in-the-loop boundary

Set this boundary in writing before anyone opens a chat window. It is the single most important governance control in the whole workflow.

AI may assist with three things, and only three:

  1. Identifying candidate psychosocial hazards by reading the model Code of Practice and proposing which of its hazard categories may be present.
  2. Synthesising de-identified survey and consultation data into themes, so a human is reading twelve clusters instead of three hundred raw comments.
  3. Drafting the written risk assessment, with the rating fields deliberately left blank.

A competent person always does the rest. A competent person determines the risk rating. A competent person selects the controls and tests whether they are reasonably practicable. A competent person signs off. The model never assigns a risk rating, and the model never signs. If your drafting tool ever returns a populated risk-level column, you treat that as a defect in the prompt, delete it, and put the rating back in human hands.

There is a second, non-negotiable rule that sits alongside this one, and it deserves its own heading.

A standing note on de-identification

Never paste real personal, claim, health, or incident data into a model that is not an approved enterprise instance. Psychosocial survey data is some of the most sensitive material an organisation holds. Free-text comments routinely name a manager, describe a specific incident, or disclose a worker's mental health. None of that should travel to a general consumer chatbot.

Before any data reaches the model, strip it to placeholder tokens: [EMPLOYEE_NAME], [CLAIM_NUMBER], [INCIDENT_ID], [TEAM], [ROLE], [SITE], [DATE]. Aggregate where you can, so the input is themes and counts rather than individual stories. Every prompt in this article assumes the data has already been de-identified at the source. The de-identification is not a step the model does for you. It is a control you apply before the model sees anything.
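One way to back that control with a pre-upload gate, as an added Python example that is not part of the original guide: it scans a supposedly de-identified export for leftover identifiers and for bracketed tokens outside the permitted seven (spelled as in the project's custom instructions). The regex formats, function names, roster and sample comments are assumptions constructed for illustration; a pattern scan supplements de-identification at source and will not catch every free-text name.

```python
import re

# The seven placeholder tokens this workflow permits.
ALLOWED_TOKENS = {"EMPLOYEE_NAME", "CLAIM_NUMBER", "INCIDENT_ID",
                  "TEAM", "ROLE", "SITE", "DATE"}
TOKEN_RE = re.compile(r"\[([^\[\]]+)\]")

# Assumed formats for residual identifiers; replace with your own claim and incident ID formats.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "au_phone": re.compile(r"(?<!\d)(?:\+61 ?|0)[2-478](?:[ -]?\d){8}(?!\d)"),
    "id_like_number": re.compile(r"\b[A-Z]{0,4}-?\d{6,}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def scan_comment(text, known_names=()):
    """Return (kind, value) findings for one supposedly de-identified comment."""
    findings = [("unknown_token", tok) for tok in TOKEN_RE.findall(text)
                if tok not in ALLOWED_TOKENS]
    body = TOKEN_RE.sub(" ", text)  # ignore token text when hunting for leaks
    for kind, pattern in RESIDUAL_PATTERNS.items():
        findings += [(kind, m.group(0)) for m in pattern.finditer(body)]
    for name in known_names:  # roster stays local; it is never sent to the model
        if re.search(r"\b" + re.escape(name) + r"\b", body, re.I):
            findings.append(("known_name", name))
    return findings


def gate_export(comments, known_names=()):
    """Return (ok, report). ok is True only when no comment has a finding."""
    report = {}
    for index, comment in enumerate(comments):
        findings = scan_comment(comment, known_names)
        if findings:
            report[index] = findings
    return (not report, report)


# Constructed sample data: the name, claim number and date are invented.
ROSTER = ("Jordan Avery",)
SAMPLE_EXPORT = [
    "my team leader [EMPLOYEE_NAME] told me to take the next call straight "
    "after a fatality claim, claim [CLAIM_NUMBER]",
    "Jordan Avery made me reopen CLM-20931187 on 03/02/2025",
    "[EMPLOYEENAME] never answers escalations at [SITE]",
]

if __name__ == "__main__":
    ok, report = gate_export(SAMPLE_EXPORT, ROSTER)
    print("release to model:", ok)
    for index, findings in report.items():
        print(index, findings)
```

The third sample comment fails because a misspelt token is a sign the scrubbing step and the project instructions have drifted apart.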

Setting up the Psychosocial Risk Assistant project

Both ChatGPT Projects and Claude Projects let you create a persistent workspace with its own custom instructions and uploaded reference files. That is the right container for this work, because it keeps the model anchored to the model Code of Practice and the de-identification rule on every turn, rather than relying on you to restate them.

Create a project called "Psychosocial Risk Assistant" and paste the following block into the project's custom instructions or project description field.

Prompt
ROLE
You are a WHS drafting assistant for an Australian financial-services organisation.
You help a competent WHS person prepare a psychosocial risk assessment under the
Safe Work Australia Model Code of Practice: Managing psychosocial hazards at work
(July 2022) and the relevant adopting jurisdiction's WHS laws.

WHAT YOU DO
1. Identify candidate psychosocial hazards by reference to the uploaded model
   Code of Practice hazard categories.
2. Synthesise de-identified survey and consultation data into themes.
3. Draft the written risk assessment with ALL risk-rating fields left BLANK.

WHAT YOU NEVER DO
- You NEVER assign, suggest, or pre-fill a risk rating, likelihood, or
  consequence score. Leave every rating field blank and marked
  "[COMPETENT PERSON TO DETERMINE]".
- You NEVER select or recommend a single control as "the answer". You may list
  candidate controls drawn from the Code for a human to choose from.
- You NEVER sign off, approve, or state that the assessment is complete.

DATA RULES
- Treat all input as already de-identified. If you ever see what looks like a
  real name, claim number, or incident ID, stop and warn the user.
- Use only the placeholder tokens [EMPLOYEE_NAME], [CLAIM_NUMBER],
  [INCIDENT_ID], [TEAM], [ROLE], [SITE], [DATE].

STYLE
- Australian English. No em dashes. Clinical, evidence-first, no hype.
- When you map a theme to a hazard category, name the category exactly as it
  appears in the uploaded Code.
- End substantive outputs with: "Human review required before use."

Then upload the files in the checklist below into the project so the model has them on hand:

  • The Safe Work Australia model Code of Practice (or your jurisdiction's adopted version) as a PDF.
  • A de-identified export of your psychosocial survey, with all free-text scrubbed to placeholder tokens and all individual identifiers removed.
  • De-identified consultation notes from worker forums, health and safety representative meetings, or focus groups, again scrubbed to placeholders.
  • Optionally, your organisation's existing risk matrix template, with the rating cells left empty.

[Figure: illustrative ChatGPT interface mockup of the Psychosocial Risk Assistant project, showing the custom-instructions field populated with the role, the three permitted tasks, the never-do list, the de-identification data rules, and a sidebar listing the four uploaded reference files. Not a real screenshot.]

The prompt library

Three prompts cover the assist phases. Each is scoped to one of the three permitted tasks, and the third deliberately produces a draft with blank ratings.

The standing reminder applies to every prompt: never paste real personal, claim, health, or incident data into a model that is not an approved enterprise instance. The prompts below assume your input is already de-identified.

Prompt 1: synthesise de-identified survey themes.

Prompt
Here is a de-identified export of free-text responses from our most recent
psychosocial survey for [TEAM] at [SITE]. All names, claim numbers, and
incident IDs have been replaced with placeholder tokens.

Cluster these responses into no more than 12 themes. For each theme give:
- a short theme label (5 words or fewer)
- an approximate count or proportion of responses that touch it
- 2 to 3 representative de-identified quotes

Do NOT assess severity or risk. Do NOT recommend controls yet. Just surface
the themes and how often they appear.

[PASTE DE-IDENTIFIED SURVEY EXPORT BELOW]

Prompt 2: map themes to the Code's hazard categories.

Prompt
Using the uploaded model Code of Practice, map each theme below to the
psychosocial hazard category or categories it relates to. Name each category
exactly as it appears in the Code (for example high job demands, low job
control, poor support, exposure to traumatic events, violence and aggression,
low role clarity, poor workplace relationships).

For each theme, give:
- the matching hazard category name(s) from the Code
- a one-line note on why the theme maps there
- a flag if a theme does not map cleanly to any Code category

Do NOT rate any hazard. Do NOT propose controls.

[PASTE THE THEMES FROM PROMPT 1 BELOW]

Prompt 3: draft the assessment with blank rating fields and candidate controls.

Prompt
Draft a written psychosocial risk assessment for [TEAM] at [SITE] using the
themes and hazard-category mappings below.

Structure each entry as a row with these columns:
- Hazard category (from the Code)
- Description of how it presents for this team (de-identified)
- Who is exposed
- Likelihood: leave as "[COMPETENT PERSON TO DETERMINE]"
- Consequence: leave as "[COMPETENT PERSON TO DETERMINE]"
- Risk rating: leave as "[COMPETENT PERSON TO DETERMINE]"
- Candidate controls: list 2 to 4 options drawn from the Code's control
  guidance for a human to choose from, in order of the hierarchy of control

Do NOT fill in any likelihood, consequence, or risk rating. Do NOT pick a
single control as the recommendation. End with "Human review required
before use."

[PASTE THE MAPPED THEMES FROM PROMPT 2 BELOW]

A worked example, end to end

Take a national general insurer running a claims contact centre. The WHS lead, a competent person under the Act, is preparing the annual psychosocial risk assessment for the team. The contact centre handles distressed customers making claims after fires, floods, and motor accidents. The known pressures are obvious to anyone who has worked the phones: high job demands, low control over call flow, and repeated exposure to other people's worst days.

Setup. The WHS lead creates the Psychosocial Risk Assistant project, pastes in the custom instructions above, and uploads the model Code, a de-identified survey export, and consultation notes from two worker forums. Before uploading, the survey export is scrubbed at source, so a comment that once named a team leader and a fatality claim now reads "my team leader [EMPLOYEE_NAME] told me to take the next call straight after a fatality claim, claim [CLAIM_NUMBER]", with the real name and number already removed.

Synthesise. The lead runs Prompt 1. The model returns themes such as "back-to-back distressing calls", "no recovery time between calls", "unclear escalation path", "low say over rosters", and "manager support varies by shift", each with an approximate count and a few de-identified quotes.

Map. The lead runs Prompt 2. The model lines the themes up against the Code's categories: back-to-back distressing calls maps to exposure to traumatic events; no recovery time and tight call targets map to high job demands; low say over rosters maps to low job control; variable manager support maps to poor support. One theme, "the new claims system keeps crashing", is flagged as not mapping cleanly to a psychosocial category, which is useful, because it is a real issue that belongs in a different register.

Draft. The lead runs Prompt 3. The model produces a clean assessment table. Every likelihood, consequence, and risk-rating cell reads [COMPETENT PERSON TO DETERMINE]. The candidate-controls column offers options drawn from the Code, ordered by the hierarchy of control: redesigning call routing to build in recovery time, capping consecutive high-distress calls, clarifying the escalation path, and offering trauma-informed support. An illustrative fragment of that draft:

Prompt
Hazard category: Exposure to traumatic events
How it presents: [TEAM] at [SITE] take consecutive calls from distressed
  customers making claims after fires, floods, and serious accidents, with
  little recovery time between calls.
Who is exposed: Claims contact centre consultants on inbound queues.
Likelihood: [COMPETENT PERSON TO DETERMINE]
Consequence: [COMPETENT PERSON TO DETERMINE]
Risk rating: [COMPETENT PERSON TO DETERMINE]
Candidate controls (human to select):
  1. Redesign call routing to build in scheduled recovery time after
     high-distress calls.
  2. Cap the number of consecutive high-distress calls per consultant.
  3. Clarify and publish the escalation path for traumatic calls.
  4. Provide trauma-informed support and structured debriefs.
Human review required before use.

[Figure: illustrative Claude interface mockup of the drafted assessment fragment for a claims contact centre, showing the exposure-to-traumatic-events hazard, the likelihood, consequence, and risk-rating fields all reading competent person to determine, and four candidate controls listed for a human to select. Not a real screenshot.]
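
The defect rule from the human-in-the-loop boundary (a populated rating field means the prompt failed) can be checked mechanically before a draft reaches the competent person. This added Python example is not part of the original guide; it assumes the draft uses the "Key: value" layout of the fragment above, and the function name check_draft and both sample drafts are constructed for illustration.

```python
import re

BLANK = "[COMPETENT PERSON TO DETERMINE]"
TRAILER = "Human review required before use."
RATING_FIELDS = ("likelihood", "consequence", "risk rating")
# Assumption: key words that suggest the model invented its own rating-style field.
RATING_WORDS = re.compile(r"likelihood|consequence|risk|severity|score", re.I)
# "Key: value" at column 0; indented continuation lines do not match.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()\-]*?):\s*(.*)$")


def check_draft(draft):
    """Return a list of defects; an empty list means the draft can go to the competent person."""
    defects, entries, current = [], [], None
    lines = [ln.rstrip() for ln in draft.strip().splitlines()]
    for ln in lines:
        m = FIELD_RE.match(ln)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "hazard category":
            current = {"name": value, "fields": {}}
            entries.append(current)
        elif current is None:
            continue
        elif key in RATING_FIELDS:
            current["fields"][key] = value
        elif RATING_WORDS.search(key):
            defects.append(f"{current['name']}: unexpected rating-style field '{key}'")
    if not entries:
        defects.append("no 'Hazard category:' entries found")
    for entry in entries:
        for field in RATING_FIELDS:
            value = entry["fields"].get(field)
            if value is None:
                defects.append(f"{entry['name']}: '{field}' field missing")
            elif value != BLANK:
                defects.append(f"{entry['name']}: '{field}' pre-filled with {value!r}")
    if not lines or lines[-1] != TRAILER:
        defects.append(f"missing closing line: {TRAILER}")
    return defects


# Constructed sample drafts (not real model output).
GOOD_DRAFT = """\
Hazard category: Exposure to traumatic events
How it presents: [TEAM] at [SITE] take consecutive calls from distressed customers.
Who is exposed: Claims contact centre consultants on inbound queues.
Likelihood: [COMPETENT PERSON TO DETERMINE]
Consequence: [COMPETENT PERSON TO DETERMINE]
Risk rating: [COMPETENT PERSON TO DETERMINE]
Candidate controls (human to select):
  1. Cap the number of consecutive high-distress calls per consultant.
Human review required before use.
"""
BAD_DRAFT = """\
Hazard category: High job demands
Likelihood: Likely
Consequence: [COMPETENT PERSON TO DETERMINE]
Risk level: High
Candidate controls (human to select):
  1. Redesign call routing to build in scheduled recovery time.
"""

if __name__ == "__main__":
    for name, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT)):
        print(name, check_draft(draft) or "no defects")
```

A renamed field such as "Risk level" is reported twice over, once as an unexpected rating-style field and once as a missing "risk rating", so a model cannot slip a rating past the check by changing the label.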

The human decision gate. This is where the competent person takes over, and it is explicit. The WHS lead reads the draft against the consultation record, applies the organisation's risk matrix, and determines that exposure to traumatic events for this team is, on the evidence, a high risk requiring immediate attention. The model did not reach that conclusion. The lead did. From the candidate controls, the lead selects two to implement now, recovery time in the call-routing logic and a cap on consecutive high-distress calls, and schedules the escalation-path work for the next quarter, recording why the other options were deferred. The lead then signs the assessment as the competent person, dates it, and logs the de-identified source data and the model's drafts as the working trail. The signature is human. The rating is human. The control selection is human. The model produced a faster draft and nothing more.

What this buys a WHS function, and what it does not

What it buys you is time and consistency on the mechanical work. Synthesising free-text, mapping to categories, and producing a structured first draft are tasks where a model is genuinely faster and more even-handed than a tired person at the end of a survey cycle. The auditable trail, from de-identified data through to a drafted assessment with blank ratings, is itself a governance asset: it shows a regulator that the method followed the Code and that the judgement stayed with a competent person.

What it does not buy you is a shortcut around the duty. The duty to manage psychosocial risks so far as is reasonably practicable, expressed through the model regulations and the primary duty in the WHS Act, rests on the organisation and on the competent people who assess and control the risks. A model that drafts well can make that work more thorough. It cannot make it someone else's responsibility.

If you take one thing from this piece, take the boundary. AI synthesises and drafts. A competent person rates, selects controls, and signs. Build that into your project instructions, your prompts, and your sign-off process, and the tool stays a drafting aid rather than a liability.

---

General information and education only. Not legal, compliance, or professional WHS advice. WHS laws are model laws adopted differently across Australian jurisdictions, including the Commonwealth Comcare scheme, and Victoria and Western Australia operate distinct arrangements. Verify the specific provisions that apply to your workers, and have a competent person determine all risk ratings and controls. Never paste real personal, claim, health, or incident data into a model that is not an approved enterprise instance.


For practitioners

Use AI to do the slow, mechanical parts of a psychosocial risk assessment: clustering de-identified survey free-text into themes, mapping those themes to the hazard categories in the model Code of Practice, and producing a tidy first draft of the written assessment. Keep the risk rating and the controls in your own hands. The model leaves those fields blank and a competent person fills them in.

For governance leads

This workflow gives you an auditable trail from raw consultation data to a drafted assessment without ever letting the tool decide the risk level. Set the boundary in writing: AI assists with identification, synthesis and drafting only. A competent person determines the rating, selects the controls, and signs off. Confirm the data fed to the model is de-identified and that the instance is an approved enterprise one.

Primary sources

WHS provisions referenced

  • Model WHS Regulations, regulations 55A to 55D (psychosocial hazard, psychosocial risk, duty to manage psychosocial risks, and control measures)
  • Model WHS Act 2011, section 19 (primary duty of care, including psychological health)
  • Work Health and Safety Act 2011 (Cth) for Comcare scheme employers; Commonwealth WHS Regulations psychosocial amendments effective 1 April 2023

Content disclaimer: This article is for general educational purposes only and does not constitute legal advice, WHS advice, or a substitute for professional judgement. Work health and safety duties, including psychosocial duties and incident notification duties, vary by jurisdiction under the model WHS laws (with Victoria, Western Australia, and the Comcare scheme differing). Risk ratings, controls, and notifiability decisions must be made by a competent person. All AI outputs described in this article require human review before use.