top of page
Working in the Warehouse

Investigative Risk Management (IRM)™

Rethink how risk is managed. Don't just assess it - investigate it.

The Investigative Risk Management (IRM)™ methodology was developed by SRA Global in response to a clear and consistent gap in the way organisations manage risk and learn from failure.

For years, we saw incident investigations conducted in isolation from risk registers. We saw critical controls verified but not truly tested. We saw businesses record risk but rarely interrogate it. So we created a new approach.

It’s grounded in frontline experience, control verification, systems thinking, and investigative science. And it’s designed to do what traditional risk management can’t:
✅ Uncover hidden vulnerabilities
✅ Strengthen control systems
✅ Turn insight into resilience

IRM™, IRA™, IRAn™, and ICM™ are proprietary methodologies developed by SRA Global™. All rights reserved.

What is Investigative Risk Management (IRM)?

Investigative Risk Management (IRM) is a transformative approach that blends the disciplines of risk management and investigative science to proactively identify, challenge, and strengthen controls — before failure occurs.

Traditional risk systems often rely on static assessments and lagging indicators. IRM breaks that model by applying forensic style thinking to risk identification, control evaluation, and systemic weaknesses. It’s not about waiting for incidents, it’s about uncovering the risks that haven’t failed... yet.

Whether triggered by a near miss, audit finding, verification gap, or intuition, IRM helps organisations get ahead of failure and build stronger, more resilient systems.

IRM includes a suite of structured methodologies:

  • Investigative Risk Assessment (IRA) – Diagnose and reassess risk through investigative techniques.

  • Investigative Risk Analysis (IRAn) – Forensically analyse emerging risks, failures, or near misses.

  • Investigative Control Management (ICM) – Scrutinise the design, implementation, and assurance of controls, especially critical controls.

 

Together, these tools form a powerful lens for viewing risk not just as something to record, but something to interrogate.

What is Investigative Risk Assessment (IRA)?

Investigative Risk Assessment (IRA) is a proactive method that applies investigative techniques to risk identification and evaluation. It challenges assumptions, interrogates existing control strategies, and exposes hidden or emerging vulnerabilities - long before they result in failure.

Where traditional risk assessments often rely on known risks and perceived likelihood, IRA digs deeper. It asks:

  • What don’t we know?

  • What assumptions underpin this assessment?

  • Where might our controls look strong but perform weakly?

  • Have we fully explored how a failure might occur?

 

When to Use IRA:

  • After a near miss, control failure, or audit finding

  • When introducing a new process, system, or contractor

  • To stress-test critical controls or high-risk activities

  • As part of an annual review for high-consequence hazards

 

How It Works:

IRA uses a structured methodology built on the foundations of:

  • Causal analysis and investigation frameworks (e.g. 5 Whys, ICAM)

  • Systemic thinking to explore the relationships between hazards, controls, people, and environment

  • Control resilience checks to assess not just whether a control exists, but whether it's likely to work under pressure

  • Feedback loops with frontline workers to validate the reality of control implementation

 

The Outcome:

A living, breathing risk profile that’s dynamic, evidence-informed, and grounded in investigative rigour. IRA strengthens your control strategy and enhances confidence in your critical risk management.

What is Investigative Risk Analysis (IRAn)?

Not all incidents happen suddenly — many are symptoms of deeper, systemic risks.

Investigative Risk Analysis (IRAn) is a specialised process that drills into risk-related events, weak signals, or emerging concerns to expose the underlying drivers and systemic conditions that allow failure to evolve.

While Investigative Risk Assessment is focused on prevention, IRAn is the method you use when the risk has slipped through the cracks - or is threatening to. It takes the mindset of an investigator and applies it directly to risk intelligence, uncovering patterns, themes, and overlooked control failures that standard investigations often miss.

When to Use IRAn:

  • After a serious incident or repeated near misses in the same area

  • When critical control failures are detected without a triggering event

  • During or after a complex audit or assurance process

  • To evaluate the effectiveness of a control framework following organisational change

 

What IRAn Involves:

  • Systematic evidence review – going beyond the obvious causes to explore deeper risk exposure

  • Pattern recognition – identifying themes across multiple incidents or risk areas

  • Control interrogation – determining if failures are due to absence, design, implementation, or assurance gaps

  • Scenario reconstruction – mapping out “how close we came” and what might happen next time

 

The Outcome:

IRAn generates a high-quality analysis that feeds directly into:

  • Updated risk registers

  • Enhanced control performance standards

  • CRQ™ adjustments

  • Strategic briefings to leaders and boards

  • Cultural insights into organisational blind spots

 

It closes the loop between investigation and risk - making learning actionable and risk insights real.

What is Investigative Control Management (ICM)?

Strong on paper doesn’t mean strong in practice. Investigative Control Management (ICM) ensures your critical controls are real, reliable, and ready.

Investigative Control Management (ICM) is the discipline of interrogating controls, especially critical controls, through an investigative lens. It focuses not just on whether controls exist, but whether they are embedded, understood, effective, and verifiable in real-world conditions.

In many organisations, control failure is not a result of absence, but of assumptions. ICM exposes those assumptions by systematically examining control design, implementation, ownership, and assurance.

Why ICM Matters:

  • Critical risks demand high-functioning, high-trust controls - not checklists and wishful thinking

  • Many incidents involve controls that were “in place” but failed under pressure

  • Verification often becomes a tick-the-box activity, not a true measure of effectiveness

 

What ICM Covers:

  • Control Design Review – Is the control appropriate for the risk? Is it the right type (engineering vs admin)? Does it prevent or mitigate?

  • Implementation Reality Check – Are frontline teams using the control as intended? Is it intuitive, resourced, and supported?

  • Control Ownership Clarity – Is there a clear owner responsible for maintenance, monitoring, and review?

  • Verification Integrity – Is the verification process rigorous, independent, and meaningful?

 

When to Use ICM:

  • During control failure investigations (post-incident or as part of an IRAn process)

  • During periodic reviews of critical control performance standards

  • When a control appears ineffective despite being “verified”

  • As part of ongoing control assurance and maturity modelling

 

The Outcome:

Stronger, evidence-backed control strategies that reduce exposure, increase resilience, and meet both regulatory and operational expectations. With ICM, controls become more than a list — they become a living defence system.

How SRA Global Supports Businesses in Investigative Risk Management

At SRA Global, we don’t just help businesses meet compliance — we help them understand risk at its root.

Our approach to Investigative Risk Management (IRM) is grounded in real-world experience, critical control expertise, and a deep understanding of what causes systems to fail. Whether you’re a small business seeking clarity or a high-risk enterprise with complex operations, we tailor IRM to meet your needs.

Our Services Include:

  • Facilitated Investigative Risk Assessments (IRA)
    We work directly with your team to challenge assumptions, explore emerging risks, and stress-test your critical controls — long before failure occurs.

  • Independent Investigative Risk Analysis (IRAn)
    When something has gone wrong — or nearly has — we step in to provide a deep, forensic review of the risks, controls, and systems that contributed. You get actionable insights, not just an investigation report.

  • Critical Control Reviews through Investigative Control Management (ICM)
    Our specialists interrogate the design, implementation, and assurance of your critical controls, ensuring they’re not just documented — they’re dependable.

  • Training and Capability Building
    Through our online workshops, in-house sessions, and 1:1 advisory, we build your team’s capacity to think like investigators and act like risk leaders. We also offer structured learning in IRA, IRAn, ICM, and control performance standards.

 

Why It Works:

Our model blends practical safety experience, behavioural insight, and investigative rigour. We don’t believe in surface-level reviews or templated controls. Instead, we work alongside you to build risk intelligence that actually prevents incidents, strengthens culture, and supports your strategic goals.

With SRA Global, you’ll never hear “we didn’t see it coming” again.

How Can We Help?

Please complete the form below for an obligation-free chat about your Investigative Risk Management Program

Looking for a Partner, Not Just a Provider?

Whether you need a Project Manager to build and implement your IRM program, or a long-term business partner to guide and support you every step of the way - we’re here to help.

 

Contact us for a quote or to book a free discovery call. Let’s build something that works.

Upcoming Investigative Risk Management Courses

Related Products and Services

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

We don’t have any products to show right now.

Related Articles

bottom of page