Hi Faisal,
always appreciate to discuss some GRC stuff with you. :-)
Regarding 1072. SAP documentation says: Set the value to YES to require mitigation of Risks that are of the type Critical Access. I was wrong with that parameter as it has no impact on the workflow settings as I mentioned.
Regarding the MSMP workflow I've found a note which describs your problem:
http://service.sap.com/sap/support/notes/1667440
A mitigation gets obsolate as soon as the risk doesn't exist any longer. That might be due to remediation of the issue or also if the user doesn't exist. So if you delete the user the mitigation shows as obsolate.
As far as I know there is no workflow to get reminded in case of an obsolate mitigation. I have scheduled the analysis daily so that I can review from time to time and remove expired or obsolate mitigations.
Regards,
Alessandro