Map the internal control vulnerabilities identified using COSO Internal control 2013/ERM 2017 principles for two risk types identified above.  Recommend controls to be strengthened: preventative, detective, corrective.

1) Map the internal control vulnerabilities identified using COSO Internal control 2013/ERM 2017 principles for two risk types identified above.  Recommend controls to be strengthened: preventative, detective, corrective. Primary control and secondary controls.
2) To mitigate the control vulnerability, recommend project/s with estimated timelines and required resources; mechanism to track, escalate and report to relevant committees (operational risk, risk committee, IT risk committee).
Note: Senior management has limited budget/resources and prioritizing helps focus effort/ resources for projects the mitigate most critical internal control vulnerabilities. For example, in terms of data leak- did they know what are the crown jewels, where are they located, how is that data flowing (internally and external vendors), what are the control weaknesses, and the risks?
3) Recommend best practices and standards (Cyber frameworks, OCC guidelines for third party oversight, maturity models if needed) to enhance risk management capabilities and maturity.