Resource Hub

Understanding HSE psychosocial risk assessments in the UK

Posted: 25 June 2026

TELUS Health

Content Marketing Team

In 2026, the Health and Safety Executive (HSE) is taking a more active role in how organisations manage psychosocial risk. While expectations around employer responsibility haven’t fundamentally changed, what’s different now is how closely those expectations are being monitored and enforced.

As David Stace, Director of Clinical Policy and Best Practice, Centre for Organizational Intelligence puts it: "the question is whether organisations will act before the crisis actually happens." 

The HSE now focuses on what organisations can evidence in practice, not what they claim to be doing. As enforcement continues, the questions HR leaders are asking become: 

  1. What triggers an HSE audit and could it happen to us?
  2. What does the inspector want to see?
  3. Where do most organisations fall short?

The six domains every UK employer must assess

The HSE's Management Standards define psychosocial risk across six core domains2. These are the legal framework against which organisations are now being inspected. The HSE made this unambiguous in its 2024/25 Annual Report:

"In the coming year, our inspections will consider how employers are preventing psychological as well as physical ill health."

The six domains of psychological safety

  1. Job demands: Workload, working patterns and complexity must be appropriately balanced with the time and resources available. This includes fatigue management and shift spacing. 
  2. Job Control: The level of autonomy employees have to apply their expertise, make decisions and manage how they complete their work.
  3. Support: Manager availability and presence, plus access to the resources employees need to do their jobs, including training, technology and time.
  4. Relationships: Whether workplace relationships are constructive, conflict is actively managed rather than condoned and space exists for healthy subject-focused debate that sound decisions require.
  5. Role Clarity: Whether employees clearly understand what is expected of them, what their role is and what outcomes they are accountable for.
  6. Organisational Change Management: When change happens, whether employees are adequately supported, informed and given what they need to navigate it.

These six domains are not aspirational. They are the minimum framework against which your organisation's approach will be measured.

How does an HSE audit get triggered?

HSE audits for psychosocial risk are triggered in one of two ways: reactively, in response to an incident or complaint, or proactively, as part of planned enforcement activity. In 2026, both routes are live and neither requires advance notice.

Reactive triggers:

  • An employee files a complaint or notification directly to the HSE citing unsafe working conditions, psychosocial hazards or a near miss
  • A workplace incident occurs and prompts a formal HSE investigation
  • A pattern of absence data or near miss reporting flags an organisation for scrutiny

Proactive triggers:

  • The HSE can arrive unannounced at any organisation, at any time. 
  • In 2026, any proactive inspection, even one that begins with physical hazards, will include a psychosocial risk component
  • The HSE targets inspections on areas of greatest risk, but its enforcement powers apply to all employers regardless of size or sector. 

For HR leaders, the question is not whether an audit could happen. It is whether your organisation can demonstrate compliance when it does.

What inspectors are looking for

When the HSE arrives, whether reactively or proactively, inspectors assess four specific things. If you cannot evidence all four, you have a compliance gap.

1. A completed psychosocial risk assessment across all six domains

The assessment must be recent enough to reflect your current organisation. If you completed an audit in 2024 and subsequently carried out a major restructure, that assessment may no longer reflect what employees are actually experiencing. A pre-restructure assessment presented post-restructure is not a defence. It may actually increase your exposure by demonstrating that the assessment process exists but was not maintained.

2. Documented evidence that the assessment led to tangible action

The HSE needs to see that your assessment transitioned into documented, tangible actions across all three levels of intervention:

  • Primary controls: Removing or redesigning the hazard at source, for example restructuring workloads, clarifying roles, or improving change management processes
  • Secondary controls: Policies, systems and practices that reduce risk, for example escalation frameworks, realistic deadline-setting and conflict resolution procedures
  • Tertiary controls: Support for individuals who have been affected, including employee assistance programmes (EAP) access, occupational health referrals and critical incident response

Organisations that can only evidence tertiary measures are not demonstrating control of the risk. They are demonstrating a reaction to it.

3. Live reporting pathways feeding into an incident register

Employees must have a clear, accessible route to flag psychosocial concerns, near misses and incidents. Those reports must feed into an active incident register. A spreadsheet that has not been updated in 18 months unfortunately may not hold up under inspection.

4. A documented response to every notification

Every complaint or concern raised must have a corresponding investigation record. Even if a complaint is unfounded, there must be a documented record of the appropriate level of investigation and what the outcome was. This is where most organisations often have a significant gap. Informal responses leave no trace and no trace means no defence.

Where most organisations fall short

The single biggest mistake organisations are making right now is focusing almost entirely on tertiary measures. Employee assistance programmes, individual counselling and wellbeing initiatives are valuable. But they are like offering a hard hat instead of preventing things from falling on people's heads.

If your organisation handled chemicals, a regulator would not accept a shower in the corner as the only safety measure. They would want to see that people are isolated from the hazard, that chemical handling practices limit the opportunity for a spill and only then that a response mechanism exists if something goes wrong.

Psychosocial risk management follows exactly the same logic. Regulators want to see evidence of all three levels. Organisations that skip primary and secondary controls, the changes to how work is actually designed and managed, are leaving themselves exposed to both enforcement action and the ongoing psychosocial risk they are not actually reducing.

Frequently asked questions

What's the difference between a reactive and proactive HSE audit?

A reactive audit is triggered by a specific incident, complaint or pattern of absence data that flags an organisation for scrutiny. A proactive audit is an unannounced inspection the HSE conducts as part of planned enforcement activity. In 2026, both routes are live and either can happen to any organisation, at any time, regardless of size or sector.

What happens if we don't have a recent psychosocial risk assessment?

You have a compliance gap. If you completed an assessment in 2024 but subsequently restructured your organisation, that pre-restructure assessment will not reflect what employees are currently experiencing. Presenting outdated assessments during an inspection may actually increase your exposure by demonstrating the assessment process exists but wasn't maintained.

What are the six HSE Management Standards and why do they matter?

The six HSE management standards are: job demands, job control, support, relationships, role clarity and organisational change management. These form the legal framework the HSE uses to assess your organisation during inspection. They're not aspirational—they're the minimum standard against which your approach will be measured.

Is an Employee Assistance Programme (EAP) enough to pass an HSE audit?

No. EAPs and individual counselling are tertiary measures—they support people after a problem has occurred. The HSE expects to see all three levels of intervention: primary controls (removing or redesigning the hazard at source), secondary controls (policies and systems that reduce risk) and tertiary controls (support for affected individuals). Relying only on an EAP leaves you exposed to enforcement action.

What's the difference between primary, secondary and tertiary controls?

Primary controls remove or redesign the hazard at source (for example, restructuring workloads or clarifying roles). Secondary controls are policies, systems and practices that reduce risk (escalation frameworks, realistic deadline-setting). Tertiary controls support individuals who have been affected (EAP access, occupational health referrals). The HSE expects evidence of all three.

The UK HSE 2026 Compliance

Access a one-page reference covering your six required domains, legal obligations and best practice steps under HSWA 1974 and MHSWR 1999.

Access the free checklist

Related resources

See all resources
Premium
TELUS Mental Health Barometer 2026

The impact of leadership quality in British workplaces

A group of women in a business casual environment smile and laugh.

Why happiness matters in the workplace: A conversation with happiness expert Vanessa King

How to promote a culture of wellbeing in your workplace

Unlock the full potential of your people

Discover how end-to-end care improves wellbeing, strengthens retention and builds resilience across your organisation.

Get in touch
90+years of combined expertise innovating with purpose¹