Dear Pranjal,
you have to start to analyze your business and then based on your processes you have to define what is a risk. In the end a risk must be declared by your management. I would recommend to start with the pre-delivered rule set from SAP to see what has been defined as a risk. Basically that is a good start to develop your own rule set.
Personally I am using a risk matrix to identify SOD conflicts we have in our organization. Based on that we have identified critical risks and those are defined in the rule set. Please see the following matrix of general tasks:
As mentioned above in the end the risks must be declared by your management. Some SOD might not be critical in my organization but in yours they are. Hence you have to analyze your business, your processes and based on that defining what is critical and what not.
Please let me know if you need further details.
Regards,
Alessandro