Which statement correctly identifies the First Line's responsibility in risk management?

Prepare for the Internal Auditing Standards and Practices - Cybersecurity Test. Gain confidence with multiple choice questions and clear explanations. Ace your exam!

Multiple Choice

Which statement correctly identifies the First Line's responsibility in risk management?

Explanation:
In risk management, those closest to the operations are responsible for owning and handling risk. The first line controls day-to-day activities, so they identify risks in their processes, design and implement the controls to mitigate them, and monitor performance against risk indicators. They’re the ones who act when risk materializes and escalate issues when needed, ensuring risk is managed in real time within the operating units themselves.

The second line exists to provide oversight and support—establishing risk management frameworks, policies, risk appetite, and ongoing monitoring to ensure consistency across the organization. Internal audit, as the third line, provides independent assurance to the board on the effectiveness of governance, risk management, and controls.

Developing IT strategy sits more with strategic governance and planning, not the ongoing ownership and management of risk in operations, which is the first line’s primary duty.
