You must first define a mitigating control before you may assign it to Users, Roles, Profiles, or HR Objects to mitigate a Risk.

Risk Analysis and Remediation permits only defined Mitigation Controls to be applied to a Risk. A Risk is identified through Risk Analysis and cannot be mitigated unless the Control has been previously defined.

The first step in defining, or creating, a mitigating control is to create a mitigating control ID. This ID appears in risk analysis reports.

All risk IDs associated with the control must also be mitigated with the this control.