The greatest concern with the situation of combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive is that the independence of the internal third line of defense may be compromised. The second line of defense is the function that oversees and supports the risk management activities of the first line of defense, which is the function that owns and manages the risks. The third line of defense is the function that provides independent assurance of the risk management activities, such as the internal audit function. Combining the second and third lines of defense in a new department may compromise the independence of the internal third line of defense, as it may create a conflict of interest, bias, or influence among the functions, and impair the objectivity, credibility, and quality of the assurance activities. The independence of the internal third line of defense is essential for ensuring that the risk management activities are performed in a consistent and effective manner, and that the issues and gaps are identified and reported without fear or favor. The risk governanceapproach of the second and third lines of defense may differ, cost reductions may negatively impact the productivity of other departments, and the new structure may not be aligned to the organization’s internal control framework are also concerns, but they are not as great as the compromise of the independence of the internal third line of defense, as they do not directly affect the assurance and accountability of the risk management activities. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 36.