Ironbark AdvisoryIRONBARK ADVISORY
All Briefings

Intelligence & Analysis

Legal RiskEdition 3 · 28 May 2026

Duty of Care and Threat Assessment: What Australian Organisations Are Now Required to Show

In December 2025, the Department of Defence became the first Commonwealth employer convicted for failing to manage psychosocial risks. The conviction settles something that had been contested for years: having a policy is not the same as meeting your duty of care.

Key Judgement

The duty of care in Australian workplaces now requires organisations to show they assessed specific risks when those risks were present — not merely that a policy existed. Having a framework is necessary. It is no longer sufficient.

The situation

Having a policy is not the same as meeting your duty of care. In December 2025, the Department of Defence was convicted for exactly that distinction — and the consequences extend well beyond the $188,000 fine imposed.

For General Counsel and heads of legal, the conviction is not a workplace safety technicality. It is a statement about what Australian organisations are now required to show when a specific risk was present and something went wrong.

On 19 December 2025, the NSW Local Court convicted the Department of Defence under the Work Health and Safety Act 2011 (Cth), finding it had failed to take reasonably practicable measures to manage psychosocial risks in the workplace. [1]

The case arose from the death by suicide of a 34-year-old RAAF technician at an Air Force base in New South Wales in July 2020. In the six months before his death, the worker had been placed on four formal Work Plans as part of a performance management process. During that period, he showed increasing signs of distress. Defence admitted it had failed to train supervisors on the performance management tool being used. [2]

Magistrate Brett Thomas convicted Defence for a Category 3 criminal offence under the WHS Act, imposing a fine of $188,000 — the maximum available was $500,000 — and an adverse publicity order requiring Defence to publicise the offence, its consequences, and the penalty. [3]

It is the first time a Commonwealth employer has been convicted for failing to manage psychosocial risks under federal work health and safety law. The matter was prosecuted by the Commonwealth Director of Public Prosecutions on referral from Comcare.

The assessment

The conviction makes a precise legal finding that organisations should read carefully: Defence did not fail to have a framework. It failed to ensure the people using that framework were equipped to recognise and respond to deteriorating psychological health. The policy existed. The training did not.

The legal test under the WHS Act — whether an employer took measures "so far as is reasonably practicable" — requires organisations to identify hazards, assess risk, and implement effective controls. What this conviction establishes is that a control embedded in a policy document, untrained and unverified, does not satisfy that standard.

The hazard in the Defence case was foreseeable. The worker was under sustained performance management pressure. He was showing signs of distress. Supervisors were in regular contact with him and were using a formal process that directly affected his psychological safety. The signals were present. The capacity to assess and respond to them was not.

This is the gap most organisations carry. Not an absence of process — an absence of assessed, applied judgement when a specific situation was in front of them.

Escalation pathways

Regulatory enforcement in this space is likely to intensify following the Defence conviction. Three pathways warrant attention.

Most likely: Comcare increases inspection and enforcement activity in Commonwealth-regulated workplaces where psychosocial risk is documented and visible. The adverse publicity order signals that courts are prepared to use available powers beyond fines. This creates reputational exposure that financial penalty alone does not.

Plausible: State WHS regulators pursue comparable prosecutions in the private sector under equivalent legislation. NSW, Victoria, and Queensland WHS frameworks mirror the Commonwealth standard in most relevant respects. The Defence conviction removes the argument that the standard is uncertain.

Less likely, but worth noting: A significant civil claim arising from a separate incident amplifies the impact of the regulatory framework. Civil liability and criminal prosecution run on separate tracks. An organisation's failure to demonstrate structured assessment creates exposure on both.

Implications

For organisations across energy and mining, universities, financial services, transport and logistics, and government, the pattern the Defence case describes will be recognisable.

A worker under performance management showing signs of distress. An employee whose grievance has escalated to a point where colleagues and managers are concerned. A third party whose behaviour has changed in ways that are difficult to characterise but impossible to ignore.

In each situation, the organisation has a legal obligation not just to have a process, but to demonstrate it assessed whether that process was working — and whether the specific risk in front of it was adequately understood.

That is what structured threat assessment does. It documents that the organisation identified a risk, assessed it with appropriate rigour, and made a considered, defensible response. It is the difference between "we had a policy" and "we assessed this situation."

For General Counsel now reviewing their organisation's psychosocial risk frameworks, the question to put to operational leaders is not whether a process exists. It is whether, when a specific situation arose, someone with the appropriate capability assessed it — and whether that assessment is documented.

Bottom line

The Department of Defence conviction shifts the question regulators will ask when something goes wrong. The question is no longer whether the organisation had a process. It is whether, when a specific risk was present and visible, the organisation assessed it — and whether the people responsible for responding were equipped to do so. Organisations that rely on documented policy without demonstrated assessment are exposed. The exposure is criminal, not just reputational.

References

1. Comcare, "Defence convicted after RAAF worker's death" (19 December 2025), https://www.comcare.gov.au/about/news-events/news/defence-convicted-after-raaf-workers-death

2. Simpson Grierson, "$188k reminder: psychological risks are health and safety risks" (2026), https://www.simpsongrierson.com/insights-news/legal-updates/188k-reminder-psychological-risks-are-health-and-safety-risks

3. Region Canberra, "Defence handed first-ever Commonwealth employer penalty for psychological harm death" (December 2025), https://region.com.au/defence-handed-first-ever-commonwealth-employer-penalty-for-psychological-harm-death/931676/

4. Hamilton Locke, "Department of Defence convicted for failing to manage psychosocial risks" (19 January 2026), https://hamiltonlocke.com.au/department-of-defence-convicted-for-failing-to-manage-psychosocial-risks/

Previous

Escalating Employee Behaviour: What Australian Organisations Get Wrong About the Warning Signs

Need a threat assessment for your organisation?

Ironbark Advisory provides intelligence-led risk advisory for organisations facing threats, emerging risks, and high-stakes decisions.

Request a Confidential Conversation