I have a question about the requirement to list the top 3 risks and mitigation strategies for those risks. Are these risks that you have identified and already dealt with in your design, or are they risks that exist despite your design? So will I answer "I identified that there is this risk, so I introduced this component", or will it go "since I did this, there is this risk that this will happen, and if that happens it can be dealt with like so and so"?
They are risks that still exist. You can have done some things to mitigate them, but you can't have completely resolved them so they are no longer a risk.
For example, there is the risk that the server this site is hosted on goes kaput. This is mitigated with backups. If this was a banking site, it'd be mitigated with a hot standby site as well. But even with these mitigations, it can still happen. So still a risk.