I am reminded of the Swiss cheese model for managing risk. See https://infogovnuggets.com/2014/10/02/swiss-cheese/.
The awful shooting at the church outside San Antonio. How many controls to manage the risk of a lunatic buying a gun failed? Certainly, the Air Force failed by not recording the circumstances of his dishonorable discharge and related matters. (Was this systemic? What about other branches? Were there incentives/disincentives?) And the fact that he had been in a mental institution wasn’t in the data base either. Who else failed?
And what about the self-certification, where a gun buyer needs to certify that he/she hasn’t done a bunch of bad things, which in turn is confirmed by the background check? Do self-certifications work? How much do you rely on having your employees sign an annual certification that they’ve read and understood (and don’t know of any violations of) your Code of Conduct? Does that provide any protection? Or does it just give you false comfort and a metric to measure?