Hi
Example: transaction SU01 is designated as a critical transaction for authorisation (basis). Therefore one expects this transaction is only available to the authorisation team through a dedicated role, and no other role must have it.
The rule set has an access risk, Authorisation Critical Action, which includes a function with the SU01 transaction in it.
Question: when doing ARA for the authorisation team role, it flags a critical action risk as it has SU01. Are we then using the mitigating risk option for this so it won't show up next time when doing ARA for the same role? If so, and since it is not a risk in this context, what sort of mitigation control should we create to cover this situation?
Thanks
Reza Ahoui