• Independent Risk Management (IRM) – IRM is the second line of defense. It establishes and maintains our risk management program and provides oversight, including challenge to, and independent assessment of, the Frontline’s execution of its risk management responsibilities.

• Internal Audit – Internal Audit is the third line of defense. It is responsible for acting as an independent assurance function and validates that the risk management program is adequately designed and functioning effectively.

In addition to the three lines of defense, our control environment is strengthened by enterprise control activities that are performed by enterprise functions with specialized subject matter expertise such as accounting, reporting and tax, human capital, and legal services.

Risk and culture

Employees are encouraged and expected to speak up when they see something that could cause harm to our customers, communities, employees, shareholders, or reputation. Because risk management is everyone’s responsibility, all employees are empowered to and expected to challenge risk decisions when appropriate and to escalate their concerns when they haven’t been addressed.

Effective risk management is a central component of employee performance evaluations. Our performance management and incentive compensation programs are designed to establish a balanced framework for risk and reward under our core principles that employees are expected to know and practice. The Board plays an important role in overseeing and providing credible challenge to our performance management and incentive compensation programs, and reviews and approves the compensation of the company’s executive officers and other officers or employees as it determines appropriate. Please see our most recent Proxy Statement (PDF) for additional details about how risk management is factored into executive compensation.
Wells Fargo ESG Report