Certified in Risk and Information Systems Control (CRISC) — Question 1016

Which of the following is PRIMARILY a risk management responsibility of the first line of defense?

Answer options

• A. Implementing risk treatment plans
• B. Conducting independent reviews of risk assessment results
• C. Establishing risk policies and standards
• D. Validating the status of risk mitigation efforts

Correct answer: A

Explanation

The first line of defense is primarily responsible for implementing risk treatment plans as they are directly involved in managing risks in their operational activities. While conducting independent reviews, establishing policies, and validating mitigation efforts are important, these tasks are typically handled by the second and third lines of defense, which focus on oversight and governance.