Hmmm, I may need to elaborate a little. Typically when doing risk management, an unacceptable risk (based on severity and probability of occurrence) may be identified. A risk mitigator is used to lower the risk to an acceptable level. The risk mitigator needs to be verified to have objective evidence it functions as intended. To define a sample size to test said mitigator it makes sense to me to use the pre-mitigation level as this effectively tells you how important the risk that you are reducing is. Using the post-mitigation risk level doesn't make sense to me. Thoughts?