Incident Investigation Methods: ICAM, 5 Whys, and Root Cause Analysis

An incident happens. Someone gets hurt, something breaks, or a near-miss makes everyone pause. The site manager calls a meeting. Someone fills out a form. A corrective action gets assigned. A month later, a similar incident happens again.

Sound familiar?

The problem usually isn’t a lack of investigation. It’s the quality of the investigation. Most workplace incident investigations stop too early. They find the immediate cause, assign blame to an individual, and move on. The deeper systemic failures that allowed the incident to occur remain untouched, waiting to produce the next event.

Effective incident investigation methods dig past the surface. They trace the chain of events back through contributing factors, organisational influences, and system weaknesses. Done well, they don’t just explain what happened. They reveal what needs to change to prevent it from happening again.

This guide compares the most widely used incident investigation methods in mining, construction, oil and gas, and heavy industry. We’ll cover how each method works, when to use it, and how to turn findings into controls that actually hold.

Why Incident Investigation Matters

Before comparing methods, it’s worth understanding why investigation quality has such an outsized impact on safety outcomes.

Every incident, whether it results in injury, equipment damage, or a near-miss, is a signal. It tells you that somewhere in your operation, a control failed, was absent, or was never adequate in the first place. Investigations exist to decode that signal.

Poor investigations produce corrective actions like “retrain the worker” or “remind everyone to follow the procedure.” These feel productive but change almost nothing. The hierarchy of controls tells us that relying on human behaviour is the weakest form of risk control. If your investigation findings consistently point to retraining and reminders, your investigation method isn’t going deep enough.

Good investigations produce findings that lead to engineering changes, system redesigns, improved barriers, and better monitoring. They connect to your risk register, update your bowtie diagrams, and strengthen the controls that matter most.

Method 1: ICAM (Incident Cause Analysis Method)

ICAM is the most widely used investigation methodology in Australian mining and heavy industry. Developed by the Minerals Council of Australia, it’s a structured framework built on James Reason’s Swiss Cheese model of accident causation.

How ICAM Works

ICAM breaks incident causation into four layers:

1. Absent or failed defences — The barriers, controls, or safeguards that should have prevented the incident but didn’t
2. Individual or team actions — The specific actions or errors that directly led to the incident
3. Task and environmental conditions — The conditions present at the time: equipment state, time pressure, environmental factors, communication breakdowns
4. Organisational factors — The management decisions, policies, culture, and resource allocation that created the conditions for the incident

The key insight of ICAM is that individual errors don’t happen in a vacuum. Someone made a mistake, but why were they in a position where that mistake was possible? What organisational decisions created the conditions? What barriers should have caught the error before it became an incident?

The ICAM Process Step by Step

Step 1: Data collection. Gather evidence as quickly as possible. Interview witnesses, photograph the scene, collect documents (procedures, permits, training records, maintenance logs), and build a timeline. The golden rule: evidence degrades fast. Start collecting within hours, not days.

Step 2: Build a timeline. Map out the sequence of events in chronological order. Include what happened, who was involved, what decisions were made, and what information was available at each point. Timelines often reveal gaps, moments where something should have happened but didn’t.

Step 3: Identify absent or failed defences. Walk through the timeline and ask: what barriers should have been in place? Which ones were present but failed? Which ones were absent entirely? Map these to your existing bowtie analysis if you have one. If a barrier on your bowtie failed during this incident, that’s critical information about control effectiveness.

Step 4: Identify individual and team actions. What did people do (or not do) that contributed to the incident? ICAM deliberately separates this from blame. The question isn’t “who screwed up?” but “what actions occurred, and what influenced those actions?”

Step 5: Identify task and environmental conditions. What was happening around the people involved? Were they fatigued? Was the procedure unclear? Was equipment in poor condition? Was there time pressure from production targets? These conditions explain why the individual actions occurred.

Step 6: Identify organisational factors. This is where ICAM goes deeper than most methods. What management decisions, resource constraints, cultural pressures, or system gaps created the task and environmental conditions? Common organisational factors include:

• Inadequate training programs
• Understaffing or budget cuts
• Production-over-safety culture
• Poor change management processes
• Lack of competency verification
• Insufficient maintenance resourcing

Step 7: Develop recommendations. For each contributing factor, develop corrective actions that target the appropriate level. The best ICAM investigations produce recommendations aimed at organisational factors, not just individual behaviour.

When to Use ICAM

ICAM is best suited for:

• Serious incidents (injuries, significant near-misses, high-potential events)
• Incidents where multiple contributing factors are likely
• Investigations that need to satisfy regulatory requirements (Australian mining regulators expect ICAM or equivalent)
• Organisations that want to move beyond blame-based investigation

Strengths and Limitations

Strengths: Systematic, thorough, well-suited to complex incidents, widely accepted by regulators, explicitly addresses organisational causes.

Limitations: Resource-intensive. A proper ICAM investigation can take days or weeks. Not practical for every minor incident. Requires trained investigators to do well.

Method 2: 5 Whys

The 5 Whys is the simplest root cause analysis technique. Originally developed by Sakichi Toyoda for Toyota’s manufacturing processes, it’s now used across industries as a quick, accessible investigation tool.

How 5 Whys Works

Start with the problem statement and ask “why?” repeatedly until you reach a root cause. The number five is a guideline, not a rule. Some problems need three whys. Others need seven.

Example:

• Problem: A worker slipped and fell on a walkway.
• Why? The walkway surface was wet.
• Why? A pipe fitting was leaking water onto the walkway.
• Why? The fitting hadn’t been replaced during the last maintenance cycle.
• Why? The maintenance schedule didn’t include that section of pipework.
• Why? When the pipework was extended last year, the maintenance schedule wasn’t updated to include the new section.

The root cause here isn’t “the walkway was wet.” It’s a change management gap: new infrastructure was installed without updating the maintenance program. That’s an organisational factor, and it’s fixable at a system level.

When to Use 5 Whys

5 Whys works best for:

• Simple incidents with a single causal chain
• Near-misses and minor events that don’t warrant a full ICAM investigation
• Quick initial analysis to determine whether a deeper investigation is needed
• Team discussions and toolbox talks

Strengths and Limitations

Strengths: Fast, easy to learn, no special training required, good for engaging frontline workers in investigation, produces clear causal chains.

Limitations: Assumes a single linear cause, which is rarely true for complex incidents. Different investigators asking “why” can reach completely different root causes depending on which branch they follow. No built-in structure for examining organisational factors. Can stop too early if the investigator lacks experience.

Making 5 Whys More Effective

The biggest weakness of 5 Whys is its linearity. Real incidents have multiple contributing causes, not just one chain. You can partially address this by:

• Running multiple 5 Whys chains, one for each contributing factor
• Combining 5 Whys with a fishbone diagram (Ishikawa) to map out multiple causal categories
• Using 5 Whys as a starting point, then escalating to ICAM if the chains reveal systemic issues

Method 3: Fault Tree Analysis (FTA)

Fault tree analysis takes a top-down, logical approach. It starts with the undesired event (the “top event”) and maps all possible combinations of failures that could cause it using Boolean logic gates (AND/OR).

How FTA Works

1. Define the top event. This is the incident or undesired outcome you’re investigating.
2. Identify immediate causes. What conditions or failures directly caused the top event? Connect them with logic gates:
   • OR gate: Any one of these causes alone could produce the event
   • AND gate: All of these causes must be present simultaneously to produce the event
3. Continue branching down. For each cause, ask what could cause that failure. Keep branching until you reach “basic events” (root causes that can’t be broken down further).
4. Analyse the tree. Look for “minimal cut sets,” the smallest combinations of basic events that would cause the top event. These represent your highest-priority risks.

When to Use FTA

FTA is best suited for:

• Equipment and system failures where the logic of failure matters
• Incidents involving complex technical systems
• Quantitative risk analysis (when you can assign probabilities to basic events)
• Safety-critical industries (nuclear, aviation, chemical processing)

Strengths and Limitations

Strengths: Rigorous, handles complex multi-cause scenarios, can be quantified, excellent for technical failures, identifies critical failure combinations.

Limitations: Complex to construct, requires specialist knowledge, time-consuming, less effective for human and organisational factors, can become unwieldy for non-technical incidents.

FTA and Bowtie: Related but Different

If you’re familiar with bowtie analysis, you’ll notice similarities with fault tree analysis. Both start from a top event. The left side of a bowtie (threats and preventive barriers) has a lot in common with a fault tree. The difference is that bowties also map consequences and mitigating controls, and they’re designed for communication rather than quantitative analysis. Many organisations use fault tree analysis for detailed technical investigation and bowtie diagrams for ongoing risk visualisation and management.

Method 4: TapRooT

TapRooT is a proprietary root cause analysis system developed by System Improvements Inc. It’s widely used in petrochemical, energy, and manufacturing sectors.

How TapRooT Works

TapRooT uses a structured decision tree called the Root Cause Tree to guide investigators through causal categories including equipment difficulty, procedures, training, quality control, communication, management systems, and human engineering. Each category branches into sub-categories and then into “fix” categories with pre-mapped corrective action types.

When to Use TapRooT

TapRooT suits organisations that need high consistency across investigators, high-volume investigation environments (process plants, refineries), and situations where you want corrective actions built into the method.

Strengths: Consistent results, built-in corrective action guidance, comprehensive categories.

Limitations: Proprietary (licensing cost), can feel rigid, less common in Australian mining than ICAM.

Method 5: Fishbone Diagram (Ishikawa)

The fishbone diagram (also called a cause-and-effect diagram or Ishikawa diagram) is a visual brainstorming tool for identifying potential causes of an incident.

How Fishbone Diagrams Work

1. Write the problem at the “head” of the fish.
2. Draw main “bones” representing causal categories. The standard categories for workplace incidents are:
   • People
   • Procedures
   • Equipment
   • Environment
   • Materials
   • Management
3. Brainstorm specific causes under each category and add them as smaller bones.
4. Identify the most likely root causes from the full diagram.

When to Use Fishbone Diagrams

Fishbone diagrams work best for:

• Team-based investigation sessions
• Brainstorming potential causes before a formal investigation
• Simple incidents where a visual overview helps
• Training new investigators in causal thinking

Strengths and Limitations

Strengths: Visual, inclusive (everyone can contribute), covers multiple causal categories simultaneously, prevents tunnel vision.

Limitations: Doesn’t establish causal relationships (just lists potential causes), can become cluttered, requires follow-up analysis to confirm which causes actually contributed, not rigorous enough for serious incidents on its own.

Choosing the Right Method

No single investigation method is best for every situation. The right choice depends on the severity and complexity of the incident, your regulatory requirements, available resources, and team capability.

Here’s a practical guide:

Situation	Recommended Method
Serious injury or high-potential event	ICAM (full investigation)
Equipment or system failure	Fault tree analysis
Simple incident, single cause likely	5 Whys
Team brainstorming session	Fishbone diagram
High-volume investigations needing consistency	TapRooT
Quick initial triage	5 Whys, then escalate if needed
Regulatory investigation (Australian mining)	ICAM

Many experienced safety teams combine methods. A quick 5 Whys might determine whether a full ICAM investigation is warranted. A fishbone session might feed into the data collection phase of ICAM. Fault tree analysis might supplement an ICAM investigation for complex equipment failures.

Common Investigation Mistakes

Regardless of which method you use, certain mistakes undermine investigation quality across the board.

Stopping at the Individual

“The worker didn’t follow the procedure” is not a root cause. It’s a starting point. Why didn’t they follow it? Was the procedure practical? Were they trained? Was there time pressure? Did equipment design make the procedure difficult to follow? Did their supervisor know they weren’t following it?

Every investigation that stops at individual blame is an investigation that failed to find the systemic cause. And systemic causes produce repeat incidents.

Weak Corrective Actions

“Retrain all workers” is the investigation equivalent of “thoughts and prayers.” It feels like action but rarely changes outcomes. Effective corrective actions target higher levels of the hierarchy of controls: engineering changes, system redesigns, process modifications.

Ask yourself: will this corrective action still be working in 12 months without anyone actively maintaining it? If the answer is no, you need a stronger control.

Not Connecting to Risk Management

Investigations should feed back into your risk management system. If an incident revealed a failed barrier, update your bowtie diagram. If it exposed an uncontrolled hazard, add it to your risk register. If it showed that a risk assessment method missed something, review and improve that method.

Investigations that exist in isolation, filed in a cabinet or a standalone database, lose most of their value. The whole point is to improve your controls going forward.

Rushing the Data Collection

Evidence degrades fast. Memories change within hours. Equipment gets moved. Documents get updated. If you don’t collect evidence quickly and thoroughly, your investigation will be built on incomplete information.

The best practice: secure the scene, start interviews within 24 hours, and collect all relevant documentation before it can be altered.

Investigation Bias

Investigators bring assumptions. If you already think you know what happened, you’ll find evidence that confirms it and miss evidence that contradicts it. ICAM and TapRooT both have structures designed to counter this, but awareness is the first defence. Challenge your early hypotheses. Look for disconfirming evidence.

From Investigation to Prevention

An investigation isn’t finished when the report is written. It’s finished when the corrective actions are implemented, verified, and embedded in your risk management system.

Here’s a practical post-investigation workflow:

1. Assign corrective actions with clear owners, due dates, and success criteria. Vague actions like “improve communication” don’t work. Specific actions like “install a two-way radio system at the crushing circuit by April 30” do.

2. Track implementation. Corrective actions that sit in an unmonitored spreadsheet don’t get done. Track them in a system with visibility, reminders, and escalation paths.

3. Verify effectiveness. After implementation, check whether the corrective action actually reduced the risk. Did the new engineering control prevent similar events? Did the revised procedure get followed? Verification closes the loop.

4. Update your risk controls. Add new barriers to your bowtie diagrams. Update control ratings in your risk register. Revise risk matrix scores if the control landscape has materially changed.

5. Share learnings. Safety bulletins, toolbox talks, cross-site communication. The lessons from one investigation should benefit every part of the organisation, not just the site where the incident occurred.

Building an Investigation Capability

Running effective investigations isn’t just about picking the right method. It requires:

• Trained investigators. ICAM training is widely available in Australia and is often a regulatory expectation for safety-critical roles. Invest in building internal capability rather than relying on external consultants for every event.

• A just culture. People won’t share honest information if they fear punishment. Investigation quality depends on trust. A just culture distinguishes between honest errors (which deserve support), at-risk behaviour (which needs coaching), and reckless behaviour (which warrants consequences).

• Management commitment. Investigations take time and resources. If production pressure consistently overrides investigation quality, your organisation is choosing short-term output over long-term safety. That’s an organisational factor that ICAM would flag.

• Integrated systems. Investigation findings should flow directly into your risk management framework. When your investigation tool, risk register, bowtie diagrams, and corrective action tracker all live in the same system, nothing falls through the cracks.

How RiskSight Supports Incident Investigation

Incident investigation generates critical data about your risk controls. But that data only creates value when it’s connected to your broader risk management system.

RiskSight helps you close the loop between investigation and prevention:

• Link investigation findings to bowtie barriers. When an investigation reveals a failed control, update the relevant barrier in your bowtie diagram with one click. Track whether it’s been repaired, replaced, or redesigned.
• Track corrective actions with accountability. Assign owners, set due dates, and monitor progress. Overdue actions trigger alerts so nothing gets buried.
• Update risk registers automatically. When control effectiveness changes based on investigation findings, your risk scores reflect reality, not assumptions.
• Run structured risk assessments. Use HAZOP, FMEA, SWIFT, or WRAC with guided wizards to reassess hazards identified through investigation.
• Monitor control effectiveness over time. See which barriers have been involved in incidents, how often, and whether corrective actions actually improved them. Spot patterns before they produce the next event.

Investigations are only as valuable as the actions they produce. When those actions live inside a system that tracks, connects, and monitors them, you move from reactive incident management to genuine risk prevention.

Stop Investigating the Same Incidents Twice

If your investigations keep finding the same root causes, the problem isn’t the investigation. It’s what happens after. Corrective actions need tracking. Controls need monitoring. Findings need to feed back into your risk framework.

Start a free 30-day trial of RiskSight — no credit card required, demo data included — and connect your investigation findings to your risk registers, bowtie diagrams, and control monitoring. Turn every incident into a system improvement, not just a report.