For Business: Planning for the Wrong Crisis: The Threats Have Changed. Has Your Plan?

Jul 02, 2026

The WHS conversation almost no Australian SME employer is having — and why that changes now.

While everyone has been consumed with Payday Super, you might have missed this! Every Australian jurisdiction now has explicit, legally enforceable obligations for employers to identify and manage psychosocial hazards at work. NSW completed the national picture on 1 July 2026, when its Code of Practice moved from guidance to benchmark. Falling short of it can now constitute a breach before anyone has been harmed. And the hazard most employers have never connected to these laws is the one they're least prepared for: the psychological cost of sustained disruption with no plan, no communication and no leadership response.

You've spent years building resilience to the risks you could see. Fire. Flood. Theft. Cyber. The threats reshaping this decade are different, and almost no Australian SME has a plan for them. Under current law, that gap is no longer just a business risk. It's a compliance exposure.

KEY POINTS

  • Most Australian SMEs have planned for fire, flood and theft. Almost none have planned for this decade's disruption risks: sustained outages, supply chain failure, infrastructure sabotage. That gap is now a legal exposure.
  • Every Australian jurisdiction now has explicit, enforceable obligations to manage psychosocial hazards at work — this is not optional best practice. Falling short of the Code of Practice can itself constitute a breach — regulators no longer need to wait for harm to occur.
  • Sustained uncertainty with no plan and no communication from leadership is an explicitly named psychosocial hazard under the model WHS Regulations — even when the cause is external.
  • Training and policy alone no longer satisfy regulators. You need documented, higher-order controls — evidence that the work itself has been redesigned around the hazard.
  • FuturePivots is uniquely set up to help with this.  

The New Threat Landscape for Australian Business 

Every business carries a working risk picture, even if it's never been written down. Insurance against fire. A rough sense of what to do when a flood warning comes through. Security cameras and tightened procedures since a break-in. An uncomfortable conversation about cyber cover after 2020. These are the risks Australian businesses have spent decades getting reasonably competent at — physical, localised, contained to a site or a single event.

The threats reshaping our lives and our world aren't a bigger version of those. They're a different category entirely.

The ASIO Director-General has described the current environment as one where threats are concurrent, cascading and compounding — they don't arrive one at a time the way a fire does. They stack. Australia's 2026 National Defence Strategy names the undersea cable network — the infrastructure carrying the world's banking, communications and cloud systems — as explicitly vulnerable to sabotage. Supply chains that ran smoothly for forty years are being actively redesigned by geopolitics, not just disrupted by weather. Fuel supply, container availability, digital connectivity: each of these was once a background assumption. All three are now live operational risks.

These threats don't replace fire, flood and theft. They sit on top of them. And unlike a fire — which is visible, local and over within hours — this kind of disruption can run for days, cannot be put out with a single response, and tends to land hardest on your people before it lands on your balance sheet.

The businesses that will navigate this uncertainty and unpredictability are the ones that read these signals early, build plans before the event, and give their teams something to hold onto when the noise starts. The ones still running on the risk assumptions of the last forty years are a single disruption away from finding out what they didn't have.

CASE STUDIES — This Has Already Happened to Australian Businesses

NOV 2023

DP World Cyberattack

A cyberattack on the operator handling roughly 40% of Australia's sea freight shut down port operations across Sydney, Melbourne, Brisbane and Fremantle simultaneously. Three days. Tens of thousands of containers stranded. No warning, no ramp-down — the disruption was immediate and the downstream supply impact ran for weeks.

NOV 2023

Optus Nationwide Outage

A routine software upgrade triggered a cascading network failure at 4am on 8 November 2023. By the time most businesses opened, their phones, internet, EFTPOS and business systems were down. The outage affected 10 million customers and 400,000 businesses across Australia. Melbourne's trains halted. Triple Zero calls failed. Businesses with no backup payment or communication method simply couldn't trade — and had no plan for telling their people what to do.

MAR 2020

COVID Supply Shock

Within 48 hours of widespread disruption warnings, supermarket shelves were stripped nationally. A preview of how fast 'just-in-time' supply chains collapse once uncertainty takes hold. Businesses that had no supplier alternatives, no cash buffer and no communication plan for staff found out the hard way. Many still don't have one.

  

This Isn't Hypothetical Anymore — It's Already Law 

The regulatory shift on psychosocial hazards has been building since Safe Work Australia amended the model WHS Regulations in June 2022, implementing a key recommendation from the 2018 Boland Review of national safety laws. The Commonwealth applied those changes to federal agencies from 1 April 2023, uniquely requiring the full hierarchy of controls for psychosocial risk management — making it one of the strongest standards anywhere in the national framework. Each state and territory has since adopted equivalent obligations in their own legislation. NSW completed that national picture on 1 July 2026, when its Code of Practice moved from recommended guidance to a legally enforceable benchmark under the WHS Act.

The numbers explain why regulators are pressing this hard. Mental health conditions now account for around 12 percent of all serious workers' compensation claims in Australia. The median time lost on those claims runs close to five times longer than physical injury claims. The financial exposure for employers who don't manage this well is material — and it's growing.

What the legislation now requires isn't a policy. It isn't an EAP line in the handbook. It's a systematic, documented approach to identifying psychosocial hazards, assessing the risk they present to your workforce, and implementing controls proportionate to that risk — starting from the highest order of protection and working down. Every Australian jurisdiction now expects to see evidence of that approach, not just assertions that it exists.

Where Disruption Risk Becomes a Psychosocial Hazard 

I’m not a lawyer, but this is my read on the changes. A psychosocial hazard isn't a physical risk. It's a workplace condition that causes psychological harm — and the model WHS Regulations define it broadly enough to include any hazard arising from the design or management of work, the work environment, or workplace interactions and behaviours.

The model Code of Practice names “lack of role clarity” explicitly as a recognised hazard — defined as uncertainty, frequent change, or ambiguous responsibilities and expectations. It also names “poor organisational change management” and “low job control” as separately listed hazards. The Commonwealth Code, registered in November 2024, goes further: it adds “job insecurity” and sustained uncertainty about the nature of work as named categories requiring structured identification and control.

A workforce that arrives to work not knowing whether they'll be able to trade, whether systems will function, whether their job is safe, or whether leadership has any plan — with no information and no communication — fits those definitions precisely. Based on all this, you have to ask: does the source of the uncertainty being external change the employer's obligation to manage its effect on workers? Disruption from outside the business lands inside your psychosocial risk register whether you've put it there or not, and at the very least, your employees aren’t going to be effective if this risk isn’t managed.

“A workforce carrying unspoken worry about disruption, with no plan and no communication from leadership, is a psychosocial hazard sitting in plain sight — and as of this year, a legally documented one.”

Training Alone Won't Meet the Bar 

This is the part most businesses get wrong, often with genuinely good intentions. An EAP number in the induction folder. A wellbeing webinar in R U OK? Week. A mental health poster in the break room. Compulsory e-learning for workplace health and safety. Done.

My take is that none of it satisfies the standard regulators are now applying.

The WHS framework uses a hierarchy of controls for a reason. Training and administrative measures — policies, awareness campaigns, access to support — sit at the bottom of that hierarchy. They can support a response. They cannot be the response. Under both the Commonwealth Regulations and the state Codes of Practice, employers are now expected to demonstrate that they've applied higher-order controls first: elimination where possible, then redesign of the work itself, then management systems, and only then supported by training and policies.

For disruption risk, that means the control isn't a webinar about managing uncertainty. It's a documented plan that eliminates or reduces the uncertainty itself — role clarity written down before the event, a communication channel that works when your primary systems don't, cross-training that means no single absence collapses an operation. The plan is the control. The training is just the briefing that makes sure everyone knows the plan exists.

Regulators are no longer checking whether you have a wellbeing policy. They're checking whether your work design actually protects workers from identified hazards. The bar is higher than most SME employers realise — and it's enforceable now.

What Meeting the Obligation Actually Looks Like

Most business owners can answer instantly what they'd do if the building caught fire. There's a plan on the wall. There are roles. There's a meeting point. There's a number to call. They've probably done a drill.

People died in workplace fires before evacuation plans were mandatory. The data documented the harm. The law followed. We are at exactly that inflection point now with disruption and uncertainty — except the data is already in front of us. Three major independent Australian surveys published this year tell the same story: 64 percent of Australians are worried about national security, up from 42 percent in just fifteen months; 53 percent feel unsafe in the world, an all-time high; and the sharpest decline in optimism and life satisfaction is falling on working-age Australians — Gen X and Millennials — who make up the bulk of every Australian workforce. That anxiety doesn't stay at the door when your people clock on.

Ask the same question about a digital outage or a supply chain failure, and the answer is usually silence — or a vague sense that someone would figure it out. And this is even after Optus and COVID.

That silence is a massive gap. And closing it could now be a legal requirement, not a stretch goal.

Answer these honestly before you read the next section.

  • If your internet went down for three days, what would your business actually do? Not your IT provider. You, personally — what's your first call?
  • Who tells your team what's happening during a disruption — and what channel do they use if phones and email are both down?
  • If your key supplier disappeared overnight, who finds the alternative, and how long would it realistically take?
  • If half your roster couldn't get in tomorrow — fuel, road closure, family emergency — who covers what, and does your team already know that?

Could you answer those questions for a fire? Almost certainly. The gap between your fire plan and your disruption plan is exactly what your psychosocial duty now requires you to close.

Here is what a genuine, documented disruption response could look like at an SME level — built to satisfy the hierarchy of controls, not just tick a box.

  1.  Map your real points of failure. Name the one supplier, one platform, one piece of digital infrastructure that — if it failed tomorrow — would stop you trading. Be specific. 'Cloud storage' isn't an answer. 'Xero going offline and no one knowing where the paper invoice books are' is. You cannot control what you haven't named.
  2.  Build role clarity for each scenario, in writing. Actual names against actual decisions. Who tells the team what's happening. Who decides whether you open, close or send people home. Who manages customer communication if systems are down. Who authorises emergency spending. This is not a general emergency plan — it is a named-person, named-action document for each identified disruption type.
  3.  Build a communication channel that doesn't depend on what might fail. If your plan for 'the internet is down' requires the internet, it isn't a plan. A phone tree using personal numbers. A printed contact list in a physical location. A WhatsApp group that runs on mobile data when broadband drops. Choose one and make sure every person in your business knows it exists.
  4.  Apply genuine redundancy, not just insurance. Insurance pays out after the fact. Redundancy prevents the failure from being fatal to operations in the first place. Cross-train so no single role is a single point of failure. Identify a backup supplier for your highest-risk input before you need one. Build a manual fallback for your most critical digital process. These are higher-order controls. A policy is not.
  5.  Document the process — not just the outcome. What scenarios were identified. Who was consulted. What controls were selected and why. When the plan was last reviewed. This is the paper trail regulators now expect. Not a polished manual — a genuine record that you identified the hazard, thought about it seriously, involved your team, and made considered decisions. The process is the evidence.

This isn't a fire drill you run once a year and put away. It's a living part of how the business operates — reviewed when your circumstances change, when a near-miss happens, or when a signal tells you a new disruption scenario has become realistic.

The methodology behind this is the same structured scenario thinking used in government and big corporations. It scales. A business with twelve staff can do this in an afternoon with the right framework. A business with one hundred can build it into an existing risk register and WHS management system. The question isn't whether you have time. It's whether you can afford not to.

Where I Come In

I spent fifteen years briefing governments on structured scenario thinking — reading signals, building plausible futures, helping institutions plan for what they couldn't fully predict. I now do that work through FuturePivots, and I work directly with business owners and leadership teams who want the same clarity mapped to their operations and their current WHS obligations.

The consultation I offer isn't a compliance audit. It's a structured disruption scenario session: we identify your real points of failure, build the role clarity documents and communication protocols that satisfy the higher-order controls framework, and produce a Futures Strategy Document your business actually owns and can use. Not a report that sits in a drawer. A plan that runs.

I also work with employers or small business owners who want to go further — helping their people feel genuinely prepared at home, so they show up to work with their heads in the right place, not carrying the background anxiety that makes the psychosocial risk worse before a disruption even starts. That's a separate conversation, and one worth having.

If reading this is the first time disruption risk and your psychosocial duty of care have landed in the same sentence — that’s not a gap in your judgement. It’s a conversation almost nobody has been offering Australian business owners. Until now. To start that conversation: hello@futurepivots.com.au | futurepivots.com.au
