Which function typically provides independent assurance in risk management frameworks?

Prepare for the Certified Third-Party Risk Professional (CTPRP) Exam with our comprehensive quizzes. Use multiple choice questions with detailed explanations to ensure success. Maximize your study time and get ready to ace the exam!

Multiple Choice

Which function typically provides independent assurance in risk management frameworks?

Explanation:
Independent assurance in risk management is about an objective, unbiased evaluation of how risk management, controls, and governance processes operate. Internal audit fits this role because it has organizational independence and typically reports to the board or the audit committee. It conducts risk-based assessments, tests controls, and communicates findings and recommendations to management and the board, providing a clear, independent view of whether risks are being identified, assessed, and mitigated effectively.

The risk management function itself handles identifying and mitigating risks but isn’t independent, since it’s part of management. Compliance focuses on adherence to laws and policies, and IT security concentrates on protecting information assets; neither provides the broad, independent assurance of the overall risk management framework.
