B is correct. Sound operational risk governance, according to Basel, relies on three lines of defense: (i) First line of defense - business line management, which is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable; (ii) Second line of defense - an independent corporate operational risk management function, generally complementing the business lines' operational risk management activities; (iii) Third line of defense - an independent review and audit of the bank's operational risk management controls, processes and systems. Basel II and Basel III define operational risk (inclusive of technological risk) as "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events." Although a number of financial institutions add reputation risk and strategic risk (e.g., due to a failed merger) as part of a broadened definition of operational risk, they are not within the scope of definition by Basel II/III.