Comprehensive and detailed explanation from an expert in enterprise architecture, with guidance on TOGAF and ArchiMate:
TOGAF adopts a formal risk management perspective aligned with widely accepted enterprise risk management practices. Within the ADM, risks are identified, analyzed, treated, and monitored throughout all phases, particularly during Architecture Governance and Implementation Governance.
TOGAF explicitly distinguishes between:
Initial Risk: The level of risk identified before any mitigation actions are applied. This represents the inherent exposure associated with an architecture decision, solution, or implementation approach.
Residual Risk: The level of risk that remains after mitigation measures have been applied. This residual risk must be explicitly accepted, monitored, or further treated by governance bodies.
Why Option D is correct:
TOGAF requires both Initial and Residual risks to be documented and monitored to ensure informed decision-making and effective governance throughout the ADM lifecycle.
Why the other options are incorrect:
A. Technical and Financial level: These are categories of risk, not the two monitoring levels defined by TOGAF.
B. Mitigated and Revised level: These terms are not used as formal risk levels in TOGAF.
C. Operational and Strategic level: These describe business risk domains, not TOGAF-defined monitoring levels.
Authoritative TOGAF References:
TOGAF Risk Management
TOGAF Architecture Governance
TOGAF ADM Guidelines and Techniques – Risk Management