What are the three lines of defense in ORM?

The three lines of defense model is a widely accepted framework in operational risk management that clarifies roles and responsibilities within organizations for managing risk effectively. The correct choice emphasizes the three key components that contribute to an organization's risk management structure.

Operational management serves as the first line of defense, responsible for identifying and managing risks within their own processes. They are the front-line employees who implement control measures and ensure risk awareness among their teams. Their direct engagement with daily operations makes them instrumental in risk management.

The second line of defense includes the risk and compliance functions. These teams monitor the risk environment and ensure that the organization adheres to regulations and internal policies. They act as advisors to operational management, providing guidance on risk management practices and assessing risks identified by the first line.

Lastly, the internal audit serves as the third line of defense. This function provides independent assurance to the organization’s board and senior management regarding the effectiveness of governance, risk management, and control processes. The internal audit evaluates the adequacy of the risk management framework established by the first and second lines of defense, ensuring there are no gaps in the coverage of risks.

This structure fosters a comprehensive approach to managing operational risks, ensuring accountability at various organizational levels. In contrast, the other options do not accurately