The second line of defense in the Three Lines Model plays a risk oversight and monitoring role rather than one of operational execution.
According to ISACA’s CRISC framework:
The first line (operational management) owns and manages risk and implements controls.
The second line (risk and compliance functions) provides risk oversight, guidance, and monitoring of risk responses and ensures adherence to policies and frameworks.
The third line (internal audit) provides independent assurance regarding the overall effectiveness of controls.
Therefore, the primary responsibility of the second line is to monitor and evaluate risk responses implemented by the first line to ensure they are effective and aligned with enterprise risk appetite.
Supporting Extract:
CRISC study notes (Slides 127–134) state:
“The most significant benefit of using the three lines of defense model is that it clarifies essential roles of key stakeholders. The second line of defense provides oversight and monitoring of risk and control activities.”
Hence, the correct answer is C. Monitoring risk responses.