Hi Madan
I agree with all the comments above, just a small addition:
The trick is to have mitigating controls which are as effective as possible. It's about quality, not quantity.
Some questions which need to be asked when creating / assigning mitigating controls:
Which control mitigates the risk better than others? Is this control activity currently being performed? Has this control been tested in the past by Internal Audit / External Audit? Is this control due to mitigate a high / critical risk?
The last thing you want is to be over-controlled in some areas which are not considered high and/or critical risk areas by the business.
Regards
Sam