Modern office workspace with six professionals collaborating, featuring white desks, ergonomic chairs, glass partitions, large whiteboard with diagrams, natural light from windows, and potted plants throughout the bright, open-plan environment.

Mental Health Risk Assessment: How to Conduct One | HSE Guide

Author

TL;DR

  • Identify psychosocial hazards through data, not assumption — use sickness absence patterns, survey instruments like the HSE Indicator Tool, and structured conversations to uncover work-design problems causing harm.
  • Assess exposure at the right level — organisation-wide surveys reveal systemic issues; team-level focus groups isolate departmental hotspots; individual conversations address specific return-to-work or manager-concern triggers.
  • Apply the hierarchy of controls to root causes — redesign workloads, clarify roles, and train managers before defaulting to Employee Assistance Programmes or resilience training, which address symptoms rather than sources.
  • Record findings with specificity — every action item needs a named owner, a concrete deadline, and a measurable outcome; “improve communication” with no further detail is not a control measure.
  • Review within one month, not one year — the most common failure mode is completing the assessment and never returning to check whether controls changed anything.

A mental health risk assessment is a systematic workplace process for identifying psychosocial hazards — such as excessive workload, poor management support, role ambiguity, and workplace conflict — evaluating which workers are exposed, and implementing controls to eliminate or reduce the risk of psychological harm. In the UK, employers are legally required to assess and act on stress-related risks under the Management of Health and Safety at Work Regulations 1999 (Regulation 3). Equivalent obligations exist in Australia, the EU, and — with increasing enforcement intensity — the United States.

Depression and anxiety cost the global economy an estimated US $1 trillion per year in lost productivity (World Health Organization, 2022). That figure is abstract until you trace it back to what drives it: work environments where demands outstrip capacity, where support is absent, where change is imposed without consultation, and where nobody has formally assessed whether the way work is designed is causing psychological harm. In the UK alone, 964,000 workers reported suffering from work-related stress, depression, or anxiety in 2024/25 (HSE, 2025).

Most organisations now acknowledge that workplace mental health matters. Far fewer have completed a structured mental health risk assessment — the process that identifies which working conditions create psychosocial harm, who is exposed, and what controls will reduce the risk. This article walks through that process step by step, grounded in the HSE Management Standards for work-related stress, aligned with ISO 45003:2021 and Australia’s model Code of Practice, and focused on the practical decisions and common failure points that determine whether an assessment produces real change or sits forgotten in a compliance folder.

Circular diagram showing five steps of mental health risk assessment: identify hazards, determine who is harmed, evaluate risks and set controls, record findings and action plan, and monitor review repeat.

What Is a Mental Health Risk Assessment in the Workplace?

A workplace mental health risk assessment evaluates working conditions and organisational factors — not individual employees’ mental health diagnoses. It follows the same risk management model applied to physical hazards: identify the hazard, evaluate who might be harmed and how, implement controls, record findings, and review.

The distinction matters because a common source of confusion — visible across competitor content and in practice — is conflating this process with clinical psychiatric risk assessment, which evaluates risk to self or others in a medical context. A workplace mental health risk assessment targets work design. It asks whether the way tasks, roles, relationships, and change are structured creates conditions likely to cause psychological harm.

Equally important: an employee wellbeing survey or Employee Assistance Programme uptake report is not a risk assessment. A survey may capture how workers feel, but only a structured assessment traces those feelings back to specific, controllable hazards in how work is organised.

Why It Matters: The Legal and Business Case

The legal duty to assess psychosocial risks is not discretionary in most jurisdictions. Under UK law, the Management of Health and Safety at Work Regulations 1999 require employers to make a suitable and sufficient assessment of risks to employee health — and HSE has confirmed repeatedly that this includes stress.

Work-related ill health accounted for an estimated 40.1 million lost working days in 2024/25 in Great Britain (HSE, 2025), with mental health conditions as the primary driver. Across Europe, nearly 45% of workers report facing risk factors that can adversely affect their mental health (EU-OSHA). In the US, mental health-related work absences surged 300% above 2017 levels (ComPsych, 2023).

The most common trigger for regulatory scrutiny is not a single reported incident. It is a pattern of sickness absence data that an inspector can see the employer never investigated or acted on. The legal exposure is not in having a mental health problem on site — it is in failing to assess and respond.

Infographic displaying six interconnected factors of psychosocial risk in the workplace: demands, control, support, relationships, role, and change, each illustrated with icons and color-coded sections.

The Six Psychosocial Risk Factors to Assess

The HSE Management Standards define six areas of work design that employers must manage to control stress risk. These six factors form the internationally recognised foundation for workplace mental health risk assessment. ISO 45003 and Safe Work Australia’s model Code of Practice cover similar ground but extend the list to include hazards such as job insecurity, fatigue, and intrusive surveillance.

Demands

This covers workload volume, pace, deadlines, emotional demands, and cognitive load. The question is not whether the work is busy — it is whether the volume and intensity exceed what workers can reasonably sustain with the resources available.

Control

Autonomy over how tasks are completed, decision-making authority, and influence over pace. Low control combined with high demands is the interaction most strongly associated with psychological harm in the published occupational health literature.

Support

Both managerial and peer support, plus access to resources and occupational health services. Support is not about informal friendliness — it is about structured availability of guidance, feedback, and practical help when workload or complexity demands it.

Relationships

Bullying, harassment, interpersonal conflict, and exclusion. This factor captures the quality of working relationships and whether the organisation has effective mechanisms for addressing unacceptable behaviour.

Role

Clarity about what is expected, absence of conflicting demands, and appropriate use of skills. Role ambiguity — where a worker does not know what they are supposed to prioritise or who they report to — is a persistent finding in published stress investigation reports.

Change

How organisational change is communicated, consulted on, and managed. Restructures, redundancy programmes, and new systems imposed without adequate communication are among the most reliably harmful psychosocial exposures.

A critical assessment principle: these factors interact. A team facing high demands but with good support and genuine control over their workflow presents a fundamentally different risk profile from a team with identical demands but micromanagement and absent support. Assessing each factor in isolation — a common checklist approach — misses the compounding effect that drives actual harm.

How to Conduct a Mental Health Risk Assessment: Step-by-Step

The process follows the standard five-step risk assessment framework used for any workplace hazard, aligned with HSE’s guidance on stress risk assessment and the Working Minds campaign’s 5Rs — Reach out, Recognise, Respond, Reflect, make it Routine.

Before beginning, establish the scope. This process operates at three levels — individual, team, and organisation-wide — and the data sources and methods differ at each. An organisation-wide assessment uses population-level survey data. A team-level assessment uses focus groups and department-specific records. An individual assessment uses structured one-to-one conversation.

Step 1: Identify the Psychosocial Hazards

Start with data already available before commissioning new collection. Existing records frequently reveal patterns that predate any formal complaint:

  • Sickness absence data — short, frequent absences clustered around certain days or within specific teams are often the earliest signal of a psychosocial issue.
  • Staff turnover and exit interview themes — patterns in why people leave, particularly from specific roles or under specific managers.
  • Grievance and disciplinary records — concentration of complaints in particular areas.
  • Occupational health referral data — volume and nature of referrals over time.

For organisation-wide assessment, the HSE Management Standards Indicator Tool provides a validated 35-item questionnaire measuring employee exposure across the six factors. Results feed into the HSE Analysis Tool, which benchmarks scores against desirable standards.

For individual assessment — typically triggered by a return-to-work situation or a manager’s concern — direct conversation is the primary method. The conversation must be handled with clear confidentiality protocols communicated in advance. No single data source is sufficient on its own; triangulate across multiple inputs to distinguish isolated complaints from systemic patterns.

Step 2: Determine Who Might Be Harmed and How

This step identifies which workers or groups are exposed to the hazards identified in Step 1. The focus is exposure due to work design, not individual vulnerability — the latter is an occupational health matter.

Groups warranting specific consideration include:

  • New starters — limited organisational knowledge, weaker support networks, higher role ambiguity.
  • Lone workers and remote workers — reduced access to peer support and managerial contact.
  • Night shift and rotating shift workers — fatigue compounding other psychosocial exposures.
  • Workers returning from long-term absence — reintegration pressures, potential stigma.
  • Teams undergoing organisational change — restructuring, new management, process overhauls.

Consider how exposure manifests — not just absenteeism, but presenteeism (attending work while unwell), reduced performance, increased conflict, and physical health symptoms linked to chronic stress. Also assess indirect effects: when one team member is absent, the remaining team absorbs their workload, creating a secondary exposure.

Hierarchy of Controls diagram showing three-level pyramid for managing psychosocial workplace risks: eliminate work-design problems at top, reduce through workflow redesign and manager training in middle, and individual support via EAP and adjustments as last resort at bottom.

Step 3: Evaluate the Risks and Decide on Controls

The hierarchy of controls applies to psychosocial hazards exactly as it does to physical ones. The principle is straightforward: address the source before treating the symptom.

  1. Eliminate — remove the work-design problem entirely. Can the unreasonable deadline be removed? Can the conflicting reporting lines be resolved?
  2. Reduce through organisational change — redesign workflows, redistribute workload, clarify roles, improve change communication processes, deliver management training on supportive leadership.
  3. Provide individual-level support — training on stress management, occupational health referral, reasonable adjustments for affected workers.

Australia’s Commonwealth Code of Practice (2024) now mandates the hierarchy of controls for psychosocial risks — the first major jurisdiction to codify this requirement. ISO 45003:2021 frames the same principle within the Plan-Do-Check-Act cycle of ISO 45001.

The most prevalent error in current practice is treating Employee Assistance Programmes and resilience training as the primary control measure. These are individual-level responses — the psychosocial equivalent of issuing hearing protection rather than reducing noise at source. Regulators in the UK and Australia are increasingly challenging organisations that rely on EAPs without evidence of upstream work-design changes.

When the hazard is “poor management practice,” the action plan must not task the same managers with implementing controls unsupported. This circular structure — identified managers as both the hazard source and the control owners — is a recurring failure pattern in published enforcement cases and guarantees the problem persists.

Step 4: Record Your Findings and Action Plan

In the UK, employers with five or more workers must record the significant findings of their risk assessment in writing. Even where no legal threshold applies, documentation serves two purposes: it drives accountability and provides evidence of compliance if an inspector investigates.

A robust record includes:

  1. Scope statement — individual, team, or organisation-wide; dates of assessment.
  2. Data sources used — surveys, absence records, conversations, OH referrals.
  3. Identified hazards — mapped to the six Management Standards factors.
  4. Groups or roles exposed — with explanation of how exposure occurs.
  5. Current controls already in place — a common omission; without this, the assessment cannot distinguish between “no controls exist” and “controls exist but are ineffective.”
  6. Gaps and additional controls needed — specific, measurable interventions.
  7. Action plan — named owner, concrete deadline, measurable outcome for each action.
  8. Review date and trigger conditions.
  9. Confidentiality protocol — how individual-level data will be stored and shared.

Every action item should answer four questions: what specifically will change, who will implement it, by when, and how will we know it worked. “Improve communication” with an “ongoing” deadline is not a control measure — it is a statement of aspiration with no operational content.

Step 5: Monitor, Review, and Make It Routine

The Working Minds campaign positions this step as “make it routine” — embedding psychosocial risk monitoring into normal management practice rather than treating it as a one-off compliance project.

Review triggers include:

  • Organisational change — restructuring, new management, significant role changes.
  • Data signals — notable increase in sickness absence, turnover, or grievance filings.
  • Incident or complaint — a reported case of work-related stress, bullying, or harassment.
  • New work practices — introduction of hybrid working, new technology, changed shift patterns.
  • Scheduled periodic review — minimum annually, regardless of triggers.

Measure control effectiveness concretely. Are absence rates in the affected team changing? Are Indicator Tool scores improving on the relevant factors? Is the identified issue recurring in exit interviews?

The gap between completing an assessment and reviewing it is where most programmes fail. If the first review is scheduled for twelve months out, there is insufficient momentum to maintain engagement. Scheduling the first review within one month of implementing controls, then moving to quarterly reviews for the first year, keeps the process visible and allows early correction if controls are not working.

In May 2025, HSE launched a free online learning module for employers on stress risk assessment, expanding the Working Minds campaign (HSE, 2025). This resource is designed specifically for managers and small business owners implementing the process for the first time.

What Should a Mental Health Risk Assessment Include? Key Components Checklist

At minimum, a workplace mental health risk assessment document should contain the following components:

  1. Scope statement — whether the assessment covers an individual, a team, a department, or the whole organisation.
  2. Data sources — surveys, sickness absence records, focus groups, one-to-one conversations, OH referral data, exit interviews.
  3. Identified psychosocial hazards — mapped to the six HSE Management Standards factors or equivalent framework (ISO 45003, Safe Work Australia’s expanded categories).
  4. Exposed groups or roles — with explanation of how and why exposure occurs.
  5. Current control measures — what is already in place and whether it is effective.
  6. Gaps — where current controls are absent or insufficient.
  7. Action plan — each action with a named owner, deadline, and measurable success criterion.
  8. Review date and conditions — when the assessment will be revisited and what triggers an earlier review.
  9. Confidentiality protocol — how individual data is stored, who has access, and under what conditions it may be shared.

Failing to document existing controls is one of the most common omissions. Without a baseline of what is already in place, the assessment cannot distinguish between a situation where no support exists and one where support structures are present but ineffective — two fundamentally different problems requiring different responses.

Infographic showing three levels of assessment for workplace wellbeing: organisation-wide surveys and aggregate data, team-level focus groups and department records, and individual structured conversations about workplace pressures.

Individual vs. Team vs. Organisation-Wide Assessments: When to Use Each

Most guidance treats mental health risk assessment as a single-level process. In practice, the scope decision determines the method, the data sources, and the type of controls that emerge.

Organisation-wide assessment is proactive and systematic. It uses population-level data — the HSE Indicator Tool survey, aggregated absence statistics, turnover rates — to identify patterns across the whole workforce. This level is best for detecting systemic issues embedded in organisational culture, policy, or structure. It answers the question: where are the risk concentrations across the business?

Team-level assessment is targeted. It uses focus groups, team-specific absence data, and departmental records. This level is triggered when organisation-wide data or management observation identifies a particular department or function showing warning signs. It answers: what is happening in this specific team, and what work-design factors are driving it?

Individual-level assessment is typically reactive — triggered by a return-to-work conversation, a manager’s concern about a specific worker, or a self-referral. It uses structured one-to-one discussion focused on workplace pressures affecting that person. The HSE Indicator Tool is not appropriate at this level — it was designed for population data, and applying it to a single person produces unreliable results.

These levels are complementary. An organisation-wide assessment may reveal a team-level hotspot, which then triggers individual conversations within that team. Treating them as alternatives rather than layers weakens the entire process.

One practical note on team-level assessment: teams sometimes resist because they interpret the assessment as management suspicion that something is wrong. Framing the process as a standard health check — consistent with how physical hazard assessments are presented — and communicating confidentiality protocols clearly before beginning dramatically improves both participation and data quality.

Common Mistakes When Conducting Mental Health Risk Assessments

Understanding the ideal process matters less than knowing where it breaks down. The following mistakes recur across sectors and organisation sizes.

Treating the assessment as a one-off compliance exercise. Completing the form and filing it satisfies nobody — not regulators, not workers, and not the legal test of “suitable and sufficient.” The assessment has value only within a continuous review cycle.

Defaulting to individual-level interventions without addressing root causes. Offering EAPs, mindfulness apps, or resilience workshops while leaving the underlying work-design problems untouched is the psychosocial equivalent of prescribing painkillers for a broken bone. Regulators in the UK and Australia have explicitly challenged this approach in published enforcement guidance.

Conflating wellbeing surveys with risk assessments. A staff engagement survey may tell you that morale is low. It does not identify which specific psychosocial hazards in work design are causing harm, who is exposed, or what controls are needed. A survey can be an input to a risk assessment, but it is not a substitute.

Excluding workers from the process. Assessments conducted by management about workers — rather than with them — produce poorer data and lower trust. The HSE Management Standards framework explicitly emphasises worker involvement as a core principle, not an optional extra.

Setting vague action items. “Improve work-life balance” assigned to “HR” with a deadline of “ongoing” is not a control measure. It cannot be implemented, measured, or reviewed. Every action must specify what changes, who owns it, when it is complete, and how success is measured.

Breaching confidentiality. Sharing individual-level assessment findings with line managers without the worker’s consent destroys trust in the process and may deter future participation. Confidentiality protocols must be agreed, documented, and followed without exception.

Regulatory Frameworks Across Jurisdictions

Employer obligations on psychosocial risk management vary significantly in prescriptiveness. Organisations operating across borders should default to the most prescriptive standard applicable to their workforce.

United Kingdom. The Health and Safety at Work etc. Act 1974 (Section 2) establishes the general duty to ensure employee health, safety, and welfare. The Management of Health and Safety at Work Regulations 1999 (Regulation 3) require a suitable and sufficient risk assessment covering all health risks — including psychosocial risks. The HSE Management Standards provide the practical framework. Enforcement tools include improvement notices, prohibition notices, and prosecution.

European Union. The Framework Directive 89/391/EEC requires member states to ensure employers assess and manage all workplace risks, explicitly including psychosocial risks. Implementation varies by member state, but the legal basis is established at EU level. EU-OSHA provides guidance and monitoring data on psychosocial hazard management across the bloc.

Australia. The WHS Act and Model WHS Regulations now represent the most prescriptive regulatory environment globally for psychosocial risk management. Safe Work Australia’s model Code of Practice, published in 2022, was followed by the Commonwealth Code of Practice in November 2024, which added three psychosocial hazard categories — job insecurity, fatigue, and intrusive surveillance — and mandated the hierarchy of controls. PCBUs (persons conducting a business or undertaking) must identify, assess, and control psychosocial hazards with the same rigour applied to physical hazards.

United States. No specific federal OSHA standard addresses psychosocial risks. However, the General Duty Clause (Section 5(a)(1) of the OSH Act) requires employers to provide workplaces free from recognised hazards likely to cause death or serious physical harm. OSHA has applied this clause with increasing frequency to workplace violence, fatigue-related incidents, and safety culture failures with psychosocial dimensions. The enforcement trajectory suggests growing regulatory attention even without a dedicated standard.

International standards. ISO 45003:2021 provides guidelines for managing psychosocial risk within an OHS management system built on ISO 45001. The WHO Guidelines on Mental Health at Work (2022) offer 12 evidence-based recommendations covering organisational interventions, manager training, and return-to-work programmes. An estimated 15% of working-age adults have a mental disorder at any point in time (WHO, 2022), reinforcing that psychosocial risk management is a workforce-wide concern, not a niche issue.

Tools and Templates for Mental Health Risk Assessment

Effective tools are publicly available and regulator-endorsed. The practical question most assessors face is not whether tools exist but which one fits their assessment level.

HSE Management Standards Indicator Tool. A free, validated 35-item questionnaire measuring employee exposure across the six Management Standards factors. Designed for team or organisation-level use. Results are entered into the HSE Analysis Tool, which generates scores benchmarked against desirable standards. This is the instrument most commonly recommended for UK workplaces.

HSE Talking Toolkit. A structured conversation guide designed to help line managers discuss stress-related issues with their teams. Particularly useful for team-level assessment where a full survey would be disproportionate.

HSE Working Minds free online learning module. Launched in May 2025, this resource helps employers — particularly small businesses and first-time assessors — understand and implement the stress risk assessment process (HSE, 2025).

Safe Work Australia model Code of Practice templates. Provide structured formats aligned with the Australian regulatory framework, including the expanded psychosocial hazard categories introduced in the 2024 Commonwealth Code.

ISO 45003. Functions as a framework rather than a standalone tool, guiding organisations on how to integrate psychosocial risk assessment into their existing ISO 45001-based OHS management system.

One important caution: generic employee engagement surveys — even well-designed ones — are not substitutes for a structured risk assessment tool. Engagement surveys measure satisfaction and sentiment. Risk assessment tools measure exposure to specific, controllable hazards. Treating engagement data as if it fulfils the risk assessment duty is a compliance gap that regulators will identify.

Frequently Asked Questions

Yes in the UK — employers must assess risks from stress under the Management of Health and Safety at Work Regulations 1999 (Regulation 3). Yes in Australia, where WHS Regulations mandate psychosocial hazard identification and control. Yes across the EU under Framework Directive 89/391/EEC. In the US, no specific psychosocial standard exists, but OSHA’s General Duty Clause (Section 5(a)(1)) is applied with increasing frequency where psychosocial hazards contribute to recognised safety failures. Always confirm obligations under the specific jurisdiction governing your workplace.

A wellbeing survey measures employee self-reported mood, satisfaction, and engagement. A risk assessment systematically identifies specific psychosocial hazards in work design, evaluates who is exposed and how, and mandates controls to reduce risk. A survey may provide useful input data for a risk assessment, but it does not replace the structured hazard-identification and control process that the law requires.

Typically the line manager with operational responsibility for the team or work area, supported by HR, occupational health, and health and safety professionals. The key requirement is competence — the assessor must understand the six psychosocial risk factors and the assessment methodology. Complex cases, particularly those involving individual clinical concerns, may need external occupational health support. The assessor does not need to be a mental health clinician.

At minimum annually, and sooner whenever there is significant organisational change, a notable increase in sickness absence, a reported incident or complaint, or a return-to-work situation. Best practice is to schedule the first review within one month of implementing controls, then move to quarterly reviews for the first year. This cadence maintains momentum and catches ineffective controls early.

Yes — and it should be. Remote work introduces specific psychosocial hazards including isolation, blurred work-life boundaries, digital fatigue, and reduced access to managerial and peer support. Australia’s Commonwealth Code of Practice (2024) explicitly includes fatigue and job insecurity as psychosocial hazards relevant to remote and gig workers. The assessment methods may need adaptation — virtual focus groups, digital survey tools, scheduled video check-ins — but the obligation and the framework apply equally.

In the UK, failure to assess stress risks is a breach of health and safety law. HSE inspectors can issue improvement notices, prohibition notices, or initiate prosecution. In Australia, regulators can issue compliance notices and financial penalties under WHS legislation. In the US, OSHA citations under the General Duty Clause are possible where psychosocial hazards contribute to recognised workplace safety failures. Beyond enforcement, the reputational and financial cost of failing to act — through absence, turnover, and litigation — compounds over time.

Infographic showing five essential steps for mental health risk assessment in workplaces: using multiple data sources, applying hierarchy of controls, recording measurable actions, involving workers, and reviewing within one month.

Conclusion

A mental health risk assessment follows the same logic as any workplace hazard assessment: identify what causes harm, determine who is exposed, implement controls at the source, record what you found and what you are doing about it, and come back to check whether it worked. The psychosocial context adds complexity — the hazards are embedded in work design, relationships, and organisational culture rather than in visible physical conditions — but the methodology is not new.

The differentiator between organisations that manage psychosocial risk effectively and those that accumulate regulatory exposure is not awareness. It is execution. Specifically: whether the assessment produces an action plan with named owners and measurable outcomes, whether controls target work-design root causes rather than defaulting to individual-level programmes, and whether review happens early enough to catch controls that are not working.

Every workplace generates psychosocial exposure. The question is not whether a mental health risk assessment is needed — the law in most jurisdictions has settled that — but whether the one you conduct is rigorous enough to change anything.