I’m not going to deep dive into explanations here, but I had a discussion with a friend and in the end the things below came out. Make what you want of this.
TOGAF 9 specification::31.8 Summary
Risk Management is an integral part of enterprise architecture. Practitioners are encouraged to use their corporate risk management methodology or extend it using the guidance in this chapter. In the absence of a formal corporate methodology, architects can use the guidance in this chapter as a best practice.
We need to have those risk-related entities inside the metamodel. However, they should probably be treated as a metamodel extension to be consistent with the TOGAF 9 metamodel (T9 MM) structure.
TOGAF 9 specification::A.18 Control
A decision-making step with accompanying decision logic used to determine execution approach for a process or to ensure that a process complies with governance criteria. For example, a sign-off control on the purchase request processing process that checks whether the total value of the request is within the sign-off limits of the requester, or whether it needs escalating to higher authority.
Below is the simplistic model that we came up with.
Column #1 is the pattern
Column #2 is where I have used the definition from the TOGAF 9 specification and made an illustration
Column #3 is another sample using the same pattern