Certified in Risk and Information Systems Control (CRISC) Practice Test

Question: 1 / 400

Which of the following represents the three lines of defense in risk management?

Management, Oversight, IAA
Internal Audit, External Audit, Compliance
Operational, Strategic, Tactical
Policy, Procedure, Practice

Correct answer: Management, Oversight, IAA

The three lines of defense model gives an organization a clear framework for managing risk and ensuring effective governance. The correct choice names the three groups of stakeholders and their distinct responsibilities in the risk management process.

In this model, the first line of defense is operational management, which owns the risks in its own area and is responsible for putting controls in place and operating them. The second line of defense consists of oversight functions, such as risk management and compliance, that guide and support the first line and monitor whether its risk management processes are effective. The third line of defense is the internal audit function, which provides independent assurance that the organization manages its risks effectively and adheres to its policies and procedures.

The other choices do not accurately represent the three lines of defense framework. The option listing internal audit, external audit, and compliance emphasizes audit and compliance but omits operational management, which is the essential first line. The option listing operational, strategic, and tactical describes a hierarchy of planning levels, not the allocation of risk management responsibility. Lastly, the option listing policy, procedure, and practice refers to governance and operational standards rather than the distinct layers of responsibility in
