The three lines of defense model includes which of the following?

Study for the BAFT Certificate in Principles of Payments Test. Utilize flashcards and multiple-choice questions, with hints and explanations for each query. Prepare thoroughly for your exam!

The three lines of defense model is a framework used to enhance risk management and strengthen governance within organizations. It is composed of three distinct roles that work together to manage and mitigate risks effectively.

The first line of defense typically involves operational management. This includes processes and controls that staff implement day-to-day to identify, manage, and mitigate risks as part of their regular activities. They are responsible for maintaining effective internal controls and, ultimately, the operational performance of the business.

The second line of defense consists of risk management and compliance functions that provide guidance and monitoring. This line supports the first by ensuring that risk management practices align with the organization's overarching risk appetite and regulatory requirements.

Finally, the third line of defense is represented by internal auditors or independent review functions. This line is responsible for providing assurance, evaluating how well the organization is managing its risks, and assessing the effectiveness of both the first and second lines of defense.

In this context, the option that accurately reflects the structure of the three lines of defense model—with a focus on the roles of governing bodies, management, and auditors—aligns with widely accepted definitions in risk management. It acknowledges the necessity of a robust governance structure that includes various levels of oversight, ensuring comprehensive risk management throughout the organization.
