A simple example could be a role containing the transaction code ME21N, which can cause an Action level risk with other finance transactions, as it is a "create" transaction; but the authorizations assigned to the objects within the role could be ACTVT 03 (display), therefore it is unlikely the risk would really be realised at Permission level.
A mundane example, but that is one easy way to describe a "False Positive" risk result.
That was a good example to explain.
False positives usually are because of org level restrictions. If your company is org level structured then it is better to use org level analysis, and if they exist at transaction level, then you need to look at your GRC rule set. The default rule set should always be tweaked depending upon the nature of the business, client business process and client requirements. Check your GRC rule set and you should be able to take care of all the false positives.
Hope it gives you some clarification.
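To make the two replies above concrete, here is an added toy model (not GRC code, not from either poster) of how a segregation-of-duties rule can fire at Action level, Permission level and Org level, reproducing the ME21N / ACTVT 03 false positive from the first reply and the org level restriction from the second. ME21N and ACTVT 03 come from the thread; FB60, BUKRS and the object names PO_OBJ / FI_OBJ are assumptions and placeholders chosen for illustration.

```python
# Constructed example: three-level SoD risk analysis (action, permission, org).
# Object/field/tcode names other than ME21N and ACTVT 03 are assumptions.
from dataclasses import dataclass

@dataclass
class Auth:
    obj: str       # authorization object name (placeholder, e.g. "PO_OBJ")
    values: dict   # field -> set of allowed values, e.g. {"ACTVT": {"03"}}

@dataclass
class Role:
    name: str
    tcodes: set
    auths: list

@dataclass
class Function:
    """A business function: the tcodes it needs and the permission that makes it real."""
    tcodes: set
    obj: str
    actvt: set     # ACTVT values that actually allow the action (01 = create)

def _matching_auths(role, fn):
    """Auths in the role granting fn's object with a risky ACTVT value."""
    return [a for a in role.auths
            if a.obj == fn.obj and a.values.get("ACTVT", set()) & fn.actvt]

def analyze(role, fn_a, fn_b, org_field="BUKRS"):
    """Return which analysis levels flag the fn_a/fn_b conflict for this role."""
    action = bool(fn_a.tcodes & role.tcodes) and bool(fn_b.tcodes & role.tcodes)
    hits_a, hits_b = _matching_auths(role, fn_a), _matching_auths(role, fn_b)
    permission = action and bool(hits_a) and bool(hits_b)
    # Org level: both functions must be usable in the same org unit (assumed: company code).
    orgs_a = set().union(*(a.values.get(org_field, set()) for a in hits_a))
    orgs_b = set().union(*(a.values.get(org_field, set()) for a in hits_b))
    return {"action": action, "permission": permission, "org": permission and bool(orgs_a & orgs_b)}

CREATE_PO = Function({"ME21N"}, "PO_OBJ", {"01"})      # PO_OBJ is a placeholder object
POST_INVOICE = Function({"FB60"}, "FI_OBJ", {"01"})    # FB60 / FI_OBJ assumed

def display_only_role():
    """ME21N present but only ACTVT 03: the false positive from the thread."""
    return Role("Z_DISPLAY_PO", {"ME21N", "FB60"},
                [Auth("PO_OBJ", {"ACTVT": {"03"}, "BUKRS": {"1000"}}),
                 Auth("FI_OBJ", {"ACTVT": {"01"}, "BUKRS": {"1000"}})])

def split_org_role():
    """Create rights for both functions, but in different company codes."""
    return Role("Z_SPLIT_ORG", {"ME21N", "FB60"},
                [Auth("PO_OBJ", {"ACTVT": {"01"}, "BUKRS": {"1000"}}),
                 Auth("FI_OBJ", {"ACTVT": {"01"}, "BUKRS": {"2000"}})])

def real_conflict_role():
    """Create rights for both functions in the same company code: a true SoD risk."""
    return Role("Z_REAL_RISK", {"ME21N", "FB60"},
                [Auth("PO_OBJ", {"ACTVT": {"01"}, "BUKRS": {"1000"}}),
                 Auth("FI_OBJ", {"ACTVT": {"01"}, "BUKRS": {"1000"}})])
```

Running `analyze` over the three roles shows the first flagged only at Action level, the second only up to Permission level, and the third at all three, which is the distinction both replies rely on when deciding whether a reported risk is a false positive.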