Hi,
As explained by Ken, SAP considers best practices across various industries to build their standard rulesets. There are multiple permutations and combinations while defining risk. If any one of the standard risks is not suitable for your business, you can always customize it to your needs. The standard ruleset is for initial assessment of your current setup. You can also check at the SU24 level which objects are being triggered for the 2 transactions in question and why it could be a risk from an SAP business perspective. If I have more info, I will let you know. Need time for research.
Good Luck
Thanks
Venu Gudimalla