Hi Deepak,
there is no mandatory / one recommended approach here. Decision should be based on risk analysis/assessment , as between Fn1 and Fn3 there maybe a risk with lower impact on your client organization. Namely F1&F2&F3 maybe be a high risk, and should never been accepted in user authorization but F1&F3 can be accepted in some user / role cases taking into account there is compensating control in place. So from conflict resolution perspective organization response maybe different in case of F1&F3 and different in F1&F2&F3.
Therefore I would create a new risk here for F1&F3.
Filip