
Answer-first summary for fast verification
Answer: The safeguards of three lines of defense do not always work, because risk management systems always have loopholes and become obsolete quickly.
## Explanation

The correct answer is **D** because this statement incorrectly describes the three lines of defense concept.

### Analysis of Each Option:

- **Option A**: Correct - The first line of defense indeed consists of the business lines that generate, own, and manage risks as part of their operational activities.
- **Option B**: Correct - The second line of defense includes risk management specialists who provide oversight, expertise, and day-to-day risk management support.
- **Option C**: Correct - The third line of defense involves independent assurance functions like internal audit that provide periodic, objective oversight.
- **Option D**: **Incorrect** - This statement is problematic because:
  - It makes an absolute claim that risk management systems "always" have loopholes and "always" become obsolete quickly
  - While risk management systems can have limitations and require updates, they don't "always" fail
  - The three lines of defense framework is designed to provide layered protection, not to be perfect
  - This statement misrepresents the purpose and effectiveness of the three lines of defense model

### Key Points:

The three lines of defense model is a risk governance framework where:

1. **First line**: Business operations (risk owners)
2. **Second line**: Risk management and compliance functions
3. **Third line**: Independent assurance (internal audit)

The framework acknowledges that no system is perfect, but it doesn't claim that safeguards "always" fail as stated in option D.
Author: LeetQuiz.
Which of the following statements incorrectly describes the concept of three lines of defense?
A. The first line is the business line, which generates, owns, and manages risks.
B. The second line is the risk managers, who specialize in the risk management and day-to-day oversight.
C. The third line is the periodic independent oversight and assurance, such as an external audit.
D. The safeguards of three lines of defense do not always work, because risk management systems always have loopholes and become obsolete quickly.