IRM Code of Ethics


Jeff Lowder

Jun 19, 2025, 1:06:23 AM
to SiRA-public

Disclosure: This entire article is the result of a fairly lengthy chat I had with a generative AI. Other than this paragraph, I wrote precisely ZERO of this article. With that said, I like what I see, especially for a first draft. Any feedback, especially constructive criticism, would be appreciated.

Preamble

Information Risk Management (IRM) professionals operate at the nexus of uncertainty, decision-making, and organizational trust. As stewards of information integrity, their work must be grounded in rigorous analysis, ethical conduct, and a commitment to advancing the public interest, organizational resilience, and evidence-based practices. This Code of Ethics establishes the principles and obligations that define ethical conduct within the information risk management profession.

1. Integrity and Honesty

IRM professionals shall:

  • Conduct their work with honesty and integrity, avoiding any conduct that might bring discredit to the profession.
  • Disclose any conflicts of interest that may influence professional judgment or objectivity.
  • Accurately represent their credentials, qualifications, and the scope of their competencies.

2. Evidence-Based Practice

IRM professionals shall:

  • Base risk assessments, models, and recommendations on available evidence, sound reasoning, and appropriate analytical techniques as outlined in the Information Risk Management Body of Knowledge (IRMBOK) (e.g., Bayesian methods, value-focused thinking, decision analysis).
  • Acknowledge and clearly communicate the limitations of data, estimates, and models, especially in cases of uncertainty or sparse information.
  • Avoid the use of arbitrary scores, rankings, or “checkbox” practices that lack empirical grounding.

3. Accountability to Stakeholders

IRM professionals shall:

  • Act in the best interest of their organization and its stakeholders while balancing legal, ethical, and public interest considerations.
  • Communicate risk information in a manner that is accurate, understandable, and tailored to the audience’s decision context.
  • Preserve and protect the confidentiality of sensitive organizational and personal information.

4. Commitment to Competence and Continuous Improvement

IRM professionals shall:

  • Maintain and improve their knowledge and skills through ongoing professional development.
  • Engage with new developments in risk science, probability theory, and decision analysis to ensure continued relevance and technical rigor.
  • Recognize the limits of their own expertise and consult with appropriate experts when necessary.

5. Respect for Scientific and Professional Standards

IRM professionals shall:

  • Uphold the standards of the IRMBOK and other professional bodies (e.g., ISO, NIST, ISACA, ISSA, IIA, etc.) where applicable.
  • Use scientifically valid methods when estimating probability, utility, or impact, and avoid pseudoscientific or unsupported techniques.
  • Accurately cite sources and give proper attribution to the intellectual contributions of others.

6. Responsibility for Risk Communication and Decision Support

IRM professionals shall:

  • Ensure that risk assessments are connected to decisions—that is, that they support, not substitute for, judgment by accountable leaders.
  • Make explicit the values and tradeoffs inherent in risk treatment recommendations.
  • Strive for transparency and reproducibility in all analyses and models.

7. Stewardship of the Profession

IRM professionals shall:

  • Contribute to the advancement of the IRM discipline through mentorship, publication, peer review, and participation in professional societies.
  • Support initiatives that promote clarity, coherence, and rigor in the practice of risk management.
  • Report unethical or unprofessional behavior that harms individuals, organizations, or the integrity of the profession.
