Enterprise Risk Management (ERM) is a structured, organization-wide framework for identifying, assessing, responding to, and monitoring risks that could affect an organization's ability to achieve its strategic objectives. The Three Lines Model (IIA, 2020) is the governance operating model embedded within ERM that assigns clear, non-overlapping accountability across three distinct organizational layers.

- First Line — operational management and process owners who own and control risks day-to-day.
- Second Line — dedicated risk, compliance, and control functions (CRO office, compliance team, information security) that design frameworks, provide tools, and monitor risk across the organization.
- Third Line — internal audit, which provides independent, objective assurance to the board and senior management on the effectiveness of governance, risk management, and controls.

ERM supplies the strategy and risk appetite context; the Three Lines Model supplies the organizational structure to execute it.
Where it stops · what it isn't
- ERM is NOT a project or one-time risk assessment — it is a continuous governance capability embedded in strategy and operations
- The Three Lines Model is NOT a hierarchical chain of command — each line has distinct, complementary accountability; no line holds supervisory authority over another
- First Line is NOT merely frontline employees — it includes all operational management who own specific risk domains and controls
- Second Line is NOT internal audit — it provides oversight and frameworks but does NOT independently test controls; that is exclusively the Third Line's role
- Third Line (internal audit) is NOT a management function — it must maintain independence from both First and Second Lines to provide objective assurance
- COSO ERM 2017 and ISO 31000:2018 are NOT compliance checklists — they are principles-based frameworks requiring interpretation and tailoring to organizational context
- The Three Lines Model does NOT replace a risk committee, risk appetite statement, or board governance — these are prerequisite structures the model operates within
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Risk Appetite, Risk Profile, and Risk Tolerance; Organizational Structure, Roles, and Responsibilities
- ENABLES: Risk Assessment and Treatment (CRISC Domain 2); Risk Response and Mitigation; Control Design, Implementation, and Testing
- PART OF: CRISC Domain 1: Governance
- RELATED TO: Organizational Culture and Risk Awareness; Policies, Standards, and Processes; Professional Ethics in Risk Management
- CONSTRAINS: Risk Event Escalation and Reporting