That's a fair point. I've only ever worked for responsible companies.
If the checklists are actual implementations at the other companies, then yes, maybe there is some value there. But then the law could still be improved to allow a little more leeway for companies that are responsible. I don't know how that would work though.
> But then the law could still be improved to allow a little more leeway for companies that are responsible.
Bad companies already try their darndest to present as responsible, and if they never succeeded there wouldn't have been call for these regs in the first place. I don't think making a determination as to who "is responsible" and loosening requirements makes any sense - Enron and WorldCom would probably have been "responsible".
Better would be to try and align the regulations so that they have minimal friction while people are acting responsibly. Maybe you don't need a key and active oversight to make a change - maybe the change can be logged non-destructively and audit can happen after the fact.
If the checklists are actual implementations at the other companies, then yes, maybe there is some value there. But then the law could still be improved to allow a little more leeway for companies that are responsible. I don't know how that would work though.