Which of the following is not a component of the three-lines-of-defense model in risk management?
A. Business Unit as the first line
B. Enterprise Risk Management Program as the second line
C. Customers as the third line
D. Independent Auditors as the third line
FUD
