Sumner Blount of CA puts together his thoughts on the lifecycles of policies:Policy Lifecycles: The Foundation for a Unified GRC Approach.
As you can easily see, it’s a constant feedback loop, where policies are devised, controls are created and tested, and risks adjusted based on the success of those controls.