
Re: ARQ: What is the use of "ADD" and "REMOVE" buttons in Mitigation Screen???


Faisal,

 

Yes, you are right - you have to mitigate before you can approve the request. BUT.. it is also possible that the mitigating control is not available at the time of mitigation. So the control has to be created first but all the other risks can be mitigated meanwhile and the request put on hold.

 

In my scenario we have 26 access risks, whereas some entities have only 10-13 risks in their environment. As per business definition we have only mitigating controls for risks which are defined in an internal control system so that the compensating control is properly defined. In case an entity has a new risk which wasn't showing up in the past, we have to create the control first (with mitigating control workflow so that compensating controls, etc. are properly defined before mitigation). In such cases the approver has to wait until the control is available and mitigate and approve the request later.

 

Look.. it is a functionality which is used very rarely but even though sometimes I am thankful that I can remove or add mitigations in the screen.

 

Regards,

Alessandro

