Why complicate a process more than it already is? Why not keep it simple?
For instance, take controlling the risk management cycle for your organization. First, you have risks to your organization and its assets, so you implement security controls to mitigate those risks. But you also need to assess and monitor both those risks and the currently implemented security controls.