Factoring regulator competence into your records program

Almost every risk program uses the basic idea of risk magnitude and risk frequency to make decisions about how seriously the organisation should take those events, and how heavily they should invest in them.

If you took the same approach to your records regulator, where would you end up?

When I look at most records programs, the risks posed by non-compliance are non-existent, and the chance that the regulator is ever going to show up is approximately zero.

Yet everyone jumps through hoops on behalf of regulators who clearly don't care whether their compliance standard is implemented or not.

Why?

Mostly what the compliance standard does is set a bar that's so high that no one ever reaches it, and forces perfectionist type system choices on organisations who are making every effort they can to be pragmatic.

In this scenario, why not ignore the regulator, and work on the quality of the organisations records and how they affect the results that it is achieving?

Your organisation would know how to fund you.

They'd understand that records was about results.

And you'd end up with better records overall - which is supposed to be the point of the compliance standards.

So why don't we factor the competence of our regulators into our programs at the start?