
CRISC Question #419: Real Exam Question with Answer & Explanation

The correct answer is A: operational management. In the three lines of defense model, operational management (the first line) is primarily responsible for managing risks and implementing controls as part of their day-to-day activities.

Submitted by andreas_gr · Apr 18, 2026 · Governance

Question

Within the three lines of defense model, the responsibility for managing risk and controls resides with:

Options

  • A. operational management.
  • B. the risk practitioner.
  • C. the internal auditor.
  • D. executive management.

Explanation

In the three lines of defense model, operational management (the first line) is primarily responsible for managing risks and implementing controls as part of their day-to-day activities.

Common mistakes.

  • B. The risk practitioner typically supports management by advising on risk frameworks and assessments (often part of the second line), but doesn't hold primary responsibility for daily risk management.
  • C. The internal auditor is the third line of defense, providing independent assurance on the effectiveness of risk management and controls, not directly managing them.
  • D. Executive management sets the tone and strategic direction for risk management, but operational management executes the day-to-day risk and control activities.

Concept tested. Three Lines of Defense model

Reference. https://global.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf

Topics

#Three Lines of Defense · #Risk Management Roles · #Operational Management · #Risk Ownership
