What does the "three lines of defense" model refer to in compliance?

The "three lines of defense" model is a widely accepted framework in risk management and compliance that outlines the roles and responsibilities in an organization to ensure effective governance and accountability. The correct answer identifies operational management, risk management, and internal audits as the three lines of defense.

The first line of defense is operational management, which involves the day-to-day functional teams who own and manage risks. They are responsible for implementing risk management policies and procedures, and their actions directly affect the risk profile of the organization.

The second line of defense encompasses risk management functions. These teams help to develop risk management frameworks, provide guidance, and monitor the risks taken by the first line. They ensure that the organization's risk management practices align with regulatory requirements and internal policies.

The third line of defense consists of internal audits, which provide independent assurance. They evaluate the effectiveness of the first two lines of defense, ensuring that the risk management processes are functioning correctly and are compliant with regulations and organizational objectives.

This model is essential in promoting a cohesive approach to risk management, where each line plays a distinct but complementary role in maintaining compliance and managing risk within the organization. The other options provided do not accurately capture the structure and intent of the "three lines of defense" model as established in risk