AE & CC 5.2 Controlling access to Mitigation Controls

Hi,

We are configuring Risk Analysis & migitation control from AE to CC and we have a requirement from upper management that BPOs who create & process AE requests and perform role/user risk analysis can only use predefined mitigating controls for the risk associated with their own business unit.They should be blocked from selecting mitigating controls from other BU.

Can anyone share their experiences on how we can prevent users from accessing unauthorized mitigation controls?

Thanks in advance