The "Three Lines of Defense" model is a fundamental concept in enterprise governance and risk management. The second line of defense consists of functions that oversee risk, such as risk management and compliance. Its primary role is to provide independent oversight of the first line (operational management) by establishing risk management frameworks and monitoring the adequacy and effectiveness of the first line's risk management activities and controls. This monitoring ensures that risks are being managed in accordance with the organization's risk appetite and policies.

A. Conducting internal and external audits: This is the primary responsibility of the third line of defense (internal audit) and external auditors, who provide independent and objective assurance on the overall effectiveness of governance, risk management, and controls.

B. Implementing controls to manage risk: This is a core function of the first line of defense. Operational management owns the risks and is directly responsible for implementing and maintaining controls to mitigate them.

D. Identifying and assessing risk: This is primarily a first-line-of-defense activity. Those who own the processes and systems are best positioned to identify and assess the associated risks on a day-to-day basis.

1. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 2: IT Risk Management

Section 2.4

discusses roles and responsibilities

aligning with the three lines model where the second line provides oversight and monitoring of risk management practices implemented by the first line.

2. The Institute of Internal Auditors (IIA)

The Three Lines of Defense in Effective Risk Management and Control

January 2013

Page 4. "The second line of defense...functions that oversee or specialize in risk management

compliance...These functions...monitor and facilitate the implementation of effective risk management practices by operational management and assist the risk owners in reporting relevant risk information up and down the organization."

3. COSO

Enterprise Risk Management—Integrating with Strategy and Performance

June 2017

Page 87. The framework discusses governance and culture

noting that risk management functions (a second line) "assist management in developing and monitoring risk management processes."