Hi Faisal,
The behaviour can be set up differently in each organization. From my point of view, a request can be submitted if it has violations. The MSMP workflow offers functionality to deal with risk. For example, you can activate that a request cannot be approved if there are risks (you can do that for each step, check MSMP workflow > paths > task settings).
It definitely makes sense to set up this behaviour at the last stage so that a request cannot be approved if there are risks. Risks need to be mitigated before approving. Also, for mitigation you can set up a workflow if required.
Just to highlight our setup: a requestor can initiate a request even though there are risks. The line manager (first approver) and role owner (second approver) see the risk analysis results (parameter 1071) and they can approve despite risks. Our last stage is the security stage, and there it is not possible to approve despite risks (setting in MSMP workflow). If a request has a risk, the request is sent to a responsible person who does the mitigation. If a mitigation is set and the risk analysis is performed again, the risks show as mitigated and the request can be approved.
With such a process you can easily follow the motto "get clean, stay clean", as everything is controlled and documented in the workflow.
Hope this helps.
Regards,
Alessandro