Thesecond line of defensein the Three Lines Model plays arisk oversightandmonitoringrole rather than operational execution.

According to ISACA’s CRISC framework:

Thefirst line(operational management) owns and manages risk and implements controls.

Thesecond line(risk and compliance functions) providesrisk oversight, guidance, and monitoringof risk responses and ensures adherence to policies and frameworks.

Thethird line(internal audit) providesindependent assuranceregarding the overall effectiveness of controls.

Therefore, theprimary responsibilityof the second line is tomonitor and evaluate risk responsesimplemented by the first line to ensure they are effective and aligned with enterprise risk appetite.

Supporting Extract:

CRISC study notes (Slides 127–134) state:

“The most significant benefit of using the three lines of defense model is that it clarifies essential roles of key stakeholders. The second line of defense provides oversight and monitoring of risk and control activities.”

Hence, the correct answer isC. Monitoring risk responses.