Which description best characterizes the second line of defense in an organization's risk management framework?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

Which description best characterizes the second line of defense in an organization's risk management framework?

Explanation:
In a three-lines-of-defense model, the second line is the risk oversight layer. Its role is to establish the risk framework, set policies and standards, monitor risk exposures, and challenge the first line to ensure controls are effective. Groups like risk management, compliance, and legal fit here because they oversee risk across the organization and provide guidance and oversight rather than handling day-to-day operations. External consultants performing audits belong to independent assurance, which is the third line. While executive leadership and the board set risk appetite and oversee strategy, these are governance activities at the top, not the ongoing risk oversight function of the second line. So, the description that best characterizes the second line is internal groups within the company that provide risk oversight.

