
Answer-first summary for fast verification
Answer: The third line of defense should continuously monitor the bank's implementation of its ERM framework to ensure its effectiveness.
## Explanation

In the three lines of defense model:

- **First line of defense**: Business line managers who own and manage risks
- **Second line of defense**: Risk management and compliance functions that provide oversight and guidance
- **Third line of defense**: Internal audit that provides independent assurance

**Option A is correct** because the third line of defense (internal audit) should indeed continuously monitor and provide independent assurance on the effectiveness of the ERM framework implementation. This aligns with their role of providing objective assessment and ensuring the framework is working as intended.

**Option B is incorrect** because business line managers (first line) should not have unilateral authority to make risk mitigation decisions without oversight. The three lines of defense model requires appropriate checks and balances - the second line provides oversight and the third line provides independent assurance. Business decisions regarding risk mitigation should be made within the bank's established risk appetite framework and with appropriate oversight from the risk management function.

The CRO's goal to ensure the ERM framework reflects the bank's risk appetite and risk culture requires proper governance where all three lines work together with clear roles and responsibilities.
Author: LeetQuiz.
A community bank uses the three lines of defense approach to manage its operational risk exposures. The bank is in the process of implementing an enterprise risk management (ERM) framework, and the CRO decides to extend the three lines of defense approach to its implementation of ERM. The CRO also wants to ensure that the ERM framework appropriately reflects the bank's risk appetite and risk culture. Which of the following actions should the CRO recommend for the bank to take?
A
The third line of defense should continuously monitor the bank's implementation of its ERM framework to ensure its effectiveness.
B
Business line managers, as part of the first line of defense, should have the authority to make decisions regarding risk mitigation without oversight from the second or third lines of defense.