Most HR leaders within UK organisations know psychosocial risk matters. Far fewer can demonstrate they are managing it. That gap now separates organisations that receive an improvement notice from those that present a defensible audit. In 2026, the Health and Safety Executive (HSE) has moved from signalling intent to issuing enforcement action, and the consequences of being unprepared are no longer theoretical.
As enforcement continues, HR leaders responsible for compliance are working through these questions:
- What are the real consequences of HSE non-compliance in 2026?
- What does enforcement action look like in practice?
- How do you prove your controls are working, not just in place?
- Where do you start if your organisation is early in this journey?
The positive aspect is that preparing for an audit is not about building from zero. It is about taking the infrastructure that likely already exists in your organisation—your policies, your data, your employee feedback—and ensuring it is documented, maintained and connected to tangible action.
3 steps to audit readiness
Step 1: Conduct an internal audit against the six domains
You can begin by reviewing all existing policies, procedures and practices against each of the six HSE domains. Cross-reference your Employee Assistance Programme (EAP) utilisation data, exit interview themes and your incident register to map your likely risk profile. This gives you an evidence-based picture of where your exposure points are before anyone else identifies them for you.
“There are ways of mapping your EAP utilisation to categories of psychosocial hazard to get a picture of what your likely hazard profile looks like.”
- Oliver Brecht, Vice-president, Center for Organizational Effectiveness
This step is diagnostic. You are not looking for perfection. You are looking for gaps—the areas where you have a policy but no evidence it is being used, or where you have data (like absence patterns) but no corresponding investigation.
For each domain, ask:
- Do we have documented processes in place, such as job design frameworks, escalation procedures and role clarity tools?
- Does evidence exist that these processes are in active use?
- Do data points such as EAP utilisation, absence rates and turnover signal a gap between policy and practice?
This internal review takes time. It gives you a realistic baseline and prevents you from discovering gaps later, under inspection.
Step 2: Build stakeholder understanding before demanding action
The most common mistake at this stage is jumping too quickly to "we need to act now." Give leaders space to understand what psychosocial risk means for their teams before asking them to commit to action.
Leadership buy-in is more than an intellectual exercise. Senior leaders who lack genuine will to act will stall progress regardless of how well-designed your policies are.
Use your internal audit findings to start a conversation. Show your leadership team:
- Your current risk profile based on exit interview themes and absence patterns.
- The gap between primary (removing the hazard at source), secondary (policies and systems that reduce risk) and tertiary (support for individuals already affected) controls.
- The legal landscape and what enforcement now means for your organisation specifically.
Help leaders understand that this is not about creating new programmes. It is about connecting the work you are already doing into a coherent, evidenced, defensible system.
Step 3: Conduct a formal psychosocial risk assessment with employee consultation
Once you have internal data and stakeholder engagement in place, conduct a formal assessment that incorporates employee consultation. Leaders consistently perceive psychosocial risk differently from how employees experience it. Employee consultation is both a regulatory requirement and the foundation that gives your risk profile legitimacy.
Having your infrastructure in place before you run the assessment, such as your incident reporting pathways, your stakeholder engagement and your initial findings, means you can respond to the results far more quickly. The assessment becomes a starting point for action.
The HSE audit preparation framework
For each psychosocial control you have in place, ask three questions and push for documented evidence at each level:
- What risk controls are in place?
- Is the risk control working?
- Is the measure sustained and meaningful?
Audit preparation example: job demands
What controls are in place?
You might demonstrate a workload review process for all teams. You can show the policy, meeting records and the calendar invitations that evidence this happens regularly.
Is the control working?
You can evidence this by showing that overtime hours have reduced and workload-related EAP presentations have decreased this quarter compared to the same period last year.
Is the measure sustained and meaningful?
Workload reviews might happen quarterly. If so, the schedule should be formally logged, the outcomes documented and the changes implemented tracked.
The goal is clarity, showing how risks are identified, addressed and measured over time.
What happens if an audit finds non-compliance?
If an HSE audit finds your organisation unable to demonstrate adequate psychosocial risk management, there are five possible outcomes.
- Financial penalties: There is no upper limit on fines in the UK. HSE enforcement notices for psychosocial risk failures are also now being issued, with the East of England Ambulance Service receiving a Notice of Contravention in April 2025 under the Management of Health and Safety at Work Regulations 1999.
- Criminal liability: Where a serious incident such as a suicide connects to organisational negligence, directors and managers face personal criminal liability.
- Operational changes: The HSE can mandate changes to how your organisation designs and carries out work. This creates significant financial and operational disruption.
- Reputational damage: The HSE publishes enforcement notices and non-compliance orders publicly. This damages your ability to win contracts and attract and retain talent.
- Insurance consequences: UK employers' liability premiums connect directly to claims history. As mental health claims rise in volume and complexity, insurers treat psychosocial risk management as a material underwriting factor. Organisations with poor claims records face higher premiums at renewal and potential difficulties securing cover.
A closer look at enforcement action
The HSE operates under an Enforcement Management Model that gives inspectors discretion to issue an improvement notice, a prohibition notice or proceed directly to prosecution depending on the severity and circumstances of the breach. There is no guaranteed sequence.
In practice, for organisations with no prior enforcement history and where no serious incident has occurred, an improvement notice requiring remedial action within a defined timeframe is the more common first outcome. But this is inspector discretion, not a right. The cost of investigation, management time and remediation at that stage significantly exceeds the cost of acting before any notice arrives.
What HSE inspectors expect every employer to have ready
In a recent webinar hosted by the Centre Of Excellence, experts were asked to name the single most important thing every organisation should have ready. Their answers, taken together, form a complete picture:
“Organisations should be able to answer four basic questions: What are your risks? What controls do you have in place? Do you have a delivery partner supporting these changes? And how are you monitoring whether those controls are working?”
— Leona Thomson, Vice President of Global Learning Operations at The Centre for Organizational Effectiveness
“Leadership needs to move beyond agreement to show clear, visible commitment in action. When leaders demonstrate this consistently, it sets the tone for the wider organisation and enables meaningful progress.”
— David Stace, Director of Clinical Policy at The Centre for Organizational Effectiveness
“Clear, consistent documentation is a critical foundation. Without documentation, it becomes harder to demonstrate what is in place. Applying a ‘prove it’ approach ensures every control can be evidenced in multiple ways.”
— Oliver Brecht, Vice President at The Centre for Organizational Effectiveness
An HSE audit for psychosocial risk is not a future possibility. For UK organisations in 2026, it is a question of timing. The organisations best placed are not the ones with the most policies. They are the ones that document, evidence and prove, three cuts deep, that their controls are in place, working and sustained.
Frequently asked questions
What is psychosocial risk management?
Psychosocial risk management is about identifying and controlling factors in the workplace that affect employee mental health and wellbeing. This includes workload, role clarity, management support, workplace relationships, and organisational change. The HSE now requires organisations to manage these risks as part of their health and safety obligations.
Do we need to create new programmes to be audit-ready?
No. Audit readiness is about connecting the work you're already doing—your policies, EAP data, absence data, and employee feedback—into a coherent, evidenced system. You're documenting and proving what exists, not starting from scratch.
What happens if an HSE audit finds non-compliance?
Possible outcomes include financial penalties (with no upper limit in the UK), criminal liability for directors and managers, mandatory operational changes, reputational damage through public enforcement notices, and increased insurance premiums due to poor claims history.
How do we prove our controls are working, not just in place?
For each control, gather three types of evidence: (1) what controls exist and are documented, (2) data showing the control is having an effect (such as reduced overtime hours or lower EAP presentations), and (3) evidence the control is sustained over time (such as scheduled reviews and tracked outcomes).
What should we do first if we're early in this journey?
Start with an internal audit. Review your existing policies, procedures, and data (EAP utilisation, absence patterns, exit interviews) against the six HSE domains. This gives you a baseline and prevents discoveries under inspection.

Psychosocial Risk Enforcement and Your Legal Obligations
Watch the on-demand webinar to hear directly from Oliver Brecht, David Stace and Leona Thomson on what the HSE is looking for and how to build a defensible audit-ready programme.



