Certified in Risk and Information Systems Control (CRISC) — Question 523

Which of the following is the PRIMARY risk management responsibility of the third line of defense?

Answer options

• A. Providing assurance of the effectiveness of risk management activities
• B. Providing advisory services on enterprise risk management
• C. Providing benchmarking on other organizations' risk management programs
• D. Providing guidance on the design of effective controls

Correct answer: A

Explanation

The correct answer is A because the third line of defense is primarily responsible for providing independent assurance on the effectiveness of risk management activities. Options B, C, and D describe supportive roles that are typically associated with the second line of defense or other functions, rather than the primary role of assurance.