Answer: The corporate operational risk function, as part of the second line of defense, should challenge risk inputs from business line managers.

## Explanation In the three lines of defense model for operational risk management: - **First Line of Defense**: Business line managers who own and manage risks directly - **Second Line of Defense**: Corporate operational risk function that provides oversight, challenge, and independent risk management - **Third Line of Defense**: Internal audit function that provides independent assurance **Analysis of each option:** - **Option A**: Incorrect - Internal audit is the third line of defense, not the first line. It provides independent assurance rather than continual validation. - **Option B**: Incorrect - Business line managers (first line) should not challenge internal audit (third line). The challenge should flow in the opposite direction. - **Option C**: **CORRECT** - The corporate operational risk function (second line) should indeed challenge risk inputs from business line managers (first line) as part of its oversight role. - **Option D**: Incorrect - The corporate operational risk function is the second line of defense, not the third line. Model validation is typically part of the third line's responsibilities. The three lines of defense model creates a systematic approach where each line has distinct responsibilities, with the second line providing independent oversight and challenge to the first line's risk management activities.

Author: LeetQuiz .