Employers usually meet PRisMA as a single line in a compliance briefing: conduct a psychosocial risk assessment. What the line hides is a precisely defined process — three stages, eleven steps, each one specified in the DOSH Guidelines on Psychosocial Risk Assessment and Management at the Workplace 2024. If you are about to commission an assessment (or run one), this is the map.

Stage I — Hazard Identification (Steps 1–7)
LEO26 to all employees in targeted work units → individual scores → RICoV status → work-unit risk status
Low risk: record keeping → reassess in 2 years or when needed
High risk: continue to Stage II ▼
Stage II — Risk Assessment (Steps 8–9)
EPC23 employer checklist → match against LEO26 → risk prioritisation
Stage III — Risk Control (Steps 10–11)
PRiMA action plan → manage risks → reassess in 12 months → record keeping (≥7 years)

Stage I — Hazard identification (Steps 1–7)

Steps 1–2: Distribute and collect LEO26

The LEO26 questionnaire goes to every employee in the targeted work units. And "work units" includes middle and top management, which get assessed like everyone else. The guideline tells the employer and PTP to announce the programme early, because the arithmetic of the later steps depends on response rate. A unit where only a third reply produces a risk percentage that means very little.

Steps 3–4: Individual scores against RICoV

The Psychosocial Trained Person calculates three scores per respondent (Job Control, Work Demand, Job Support) and compares each against the published Risk Indicator Cut-off Value. Each component comes out high or low. No middle category exists, by design.

Steps 5–7: From individuals to an organisational status

High-risk individuals are counted per work unit, converted to a cumulative percentage, and compared against the LEO26 organisational cut-off table. The output is a risk status for each component, for each work unit. This is the number that decides everything downstream.

Stage II — Risk assessment (Steps 8–9)

Stage II only activates for units that scored high. The employer completes the EPC23 (Employer Practice Checklist), a 23-point audit of what controls already exist: grievance mechanisms, workload review, management training and the rest. The PTP then matches EPC23 responses against the LEO26 findings to prioritise the risks. A unit can be high-risk on paper but already well-controlled in practice; the matching step is what tells those situations apart.

Stage III — Risk control (Steps 10–11)

Step 10 turns priorities into a PRiMA action plan (Psychosocial Risk Management Plan of Actions). The guideline organises interventions under seven themes, from workload and job matching through transparency and fairness — concrete actions with owners and dates, not a wellness poster.

Step 11 closes the loop. Units that scored high are reassessed after 12 months. Units that scored low go on a two-year cycle, or sooner if circumstances change (a restructure, a spike in turnover, a notified case). The report itself is due to the employer within 30 days of completing the assessment, and records must be kept for at least seven years for DOSH audit.

One report per work unit. PRisMA does not produce a single company-wide score. Each work unit gets its own risk classification and its own report, which is what makes the findings specific enough to act on.

What this asks of you as an employer

Less than you might expect. Your part is the early announcement, access for the survey window, the EPC23 conversation if a unit scores high, and ownership of the action plan. The instrument work (scoring, classification, reporting) sits with the PTP. The typical end-to-end engagement runs three to six weeks depending on headcount and the number of work units.

Further reading & sources

External: DOSH Malaysia

Dr. Kirath Sidhu (Dr. Harkirath Singh Harbans Singh) is a registered Occupational Health Doctor and certified Psychosocial Trained Person (DOSH PTP-291/26). He provides PRisMA 2024 assessments for employers across Penang and Malaysia through ASP Medical Group.