Control vs Oversight - Why Most Organisations Are Running Blind with Their Eyes Open
The most dangerous point in any process is not when the controls are missing - it is when the controls are working perfectly and nobody is asking whether they are measuring the right thing.

By Stefani Markov
Authors

Stefani Markov
Lean Six Sigma Black Belt, PMP, and MOS: Expert (Microsoft)
Founder & CEO

Orlin Markov
Lean Six Sigma Black Belt, PMP
4/7/26, 6:00 AM
Wells Fargo had internal controls, compliance teams, audit functions, performance dashboards, and an ethics hotline. By every operational measure, the process was working - and yet the signals were there from 2002, documented and escalated internally, for fourteen years before any external accountability arrived.
What failed was not the control infrastructure. What was absent was the organisational mechanism to ask the question the controls were never designed to ask.
That is the distinction between Control and Oversight, and it is one that most organisations - and most leaders - have not drawn deliberately. Control asks whether the process is working. Oversight asks whether the process is producing the right outcomes. One is operational infrastructure that can be systematised and delegated. The other is a leadership responsibility that belongs to no system and no dashboard - only to the people who govern the work.
In my latest article, I explore this distinction through the Wells Fargo case, connect it to what the LSS Control phase actually protects against, and look at what genuine Oversight looks like in practice - including why it so rarely gets built into the organisations that need it most. The timeline alone, from first internal escalation to public accountability, is worth pausing on.
If this is relevant to your work, I would be glad to hear how your organisation draws the line between the two.
Between 2002 and 2016, Wells Fargo employees opened approximately 3.5 million unauthorised bank and credit card accounts in customers' names, without their knowledge or consent. The bank had internal controls. It had a compliance function. It had an internal investigations unit, a dedicated sales quality oversight unit, an ethics hotline, and a risk management group that grew by more than 15 percent in 2015 alone. It had performance dashboards that were, by all operational measures, producing results.
And yet the fraud ran for fourteen years.
What makes this case particularly instructive is not the scale of the misconduct - it is the timeline of what was known, and when. As early as 2004, an internal investigations manager described his efforts to escalate concerns about increasing sales practice problems to senior leadership, writing internally that he wanted leadership to be constantly aware of what he called "this growing plague". By 2005, a corporate investigations manager described the problem as "spiraling out of control". This reporting continued through 2016, and generally emphasised increases in various forms of sales practice misconduct.
The controls were not missing. The signals were not missing. What was missing was the organisational mechanism to act on what was already known. This is not a story about control failure. It is a story about the absence of Oversight - and the two are not the same thing.

What Control Actually Means
In Lean Six Sigma, the Control phase is the final stage of DMAIC - Define, Measure, Analyse, Improve, Control. It is where improvement gains are locked in. Control plans are established, statistical process control charts are implemented, response plans are defined for when processes go out of specification, and ownership is transferred to the process owner.
Done well, Control is not simply documentation. It is the operational infrastructure that prevents regression and answers a specific question: is the process performing as designed?
Internal controls, in the broader governance sense, serve a parallel function. They are the policies, procedures, checks, and automated safeguards that ensure transactions happen correctly, risks are managed, and compliance is maintained - segregation of duties, approval thresholds, audit trails, reconciliation cycles.
Both are essential. Neither is Oversight.
Where Oversight Begins
Oversight operates from a fundamentally different vantage point. While Control asks whether the process is working, Oversight asks whether the process is producing the right outcomes - and whether it still should exist in its current form.
Oversight is the function of stepping back from the operational machinery and asking harder questions: are we measuring what actually matters, or what is convenient to measure? Have the conditions this process was designed for changed? Are the controls we have built creating bureaucratic drag without proportionate risk reduction? Who is accountable - not just responsible - for this process?
The distinction matters in how it sits organisationally. Control is largely a technical and operational discipline. It can be delegated, systematised, and embedded in process infrastructure. Oversight cannot. It requires human judgement, distance from the day-to-day, and a willingness to question systems that are, by visible measures, functioning.
Back to Wells Fargo. The bank's decentralised corporate structure gave considerable autonomy to the Community Bank's senior leadership, and this structure allowed parts of the bank to operate without oversight, impeding corporate risk management functions. The sales incentive process was working exactly as designed. Accounts were being opened. Metrics were being hit. Bonuses were being paid. Every control said the machine was running.
Nobody in a position of authority was asking the Oversight question: is this machine producing the right outcomes for our customers?
The Anatomy of What Went Wrong
What makes the Wells Fargo case particularly useful as a study is that it illustrates how a control infrastructure - even a well-resourced one - cannot substitute for Oversight when the process itself is misaligned.
The gaming of sales practices was first identified as an issue in a 2004 internal report. Over the years that followed, those concerns were raised through multiple channels: the internal investigations unit, the Community Bank's own sales quality oversight unit, regional managers, and regular complaints from lower-level employees and customers reporting serious sales practice violations. The information existed. The escalation mechanisms existed. What did not exist was a governance structure that treated the question of whether the sales model itself was appropriate as anyone's specific responsibility.
Wells Fargo employees described intense pressure, with expectations of sales as high as 20 products a day. Others described frequent crying, levels of stress that led to vomiting, and severe panic attacks. This was not hidden. It was the lived experience of thousands of employees, surfacing through every available channel. And still, the process continued - because the controls were designed to monitor whether sales targets were being met, not whether the targets themselves were appropriate.
The scandal led to the resignation of CEO John Stumpf, a series of settlements between Wells Fargo and various parties, and pledges from new management to reform the bank. In total, Wells Fargo agreed to pay $3 billion to the Department of Justice, the Securities and Exchange Commission, and other federal bodies to resolve illicit sales practices spanning from 2002 to 2016.
The financial cost was significant. The more consequential cost was structural: fourteen years of compounding harm that could have been interrupted far earlier, had there been a mechanism specifically designed to ask whether the process was serving the right purpose.
The Collapse That Happens in Practice
The Wells Fargo pattern is more common than most organisations would be comfortable acknowledging - though rarely at the same scale or with the same consequences. The underlying dynamic, however, is recognisable.
Organisations build robust control infrastructure and, over time, come to treat it as equivalent to Oversight. They have dashboards. They have KPIs. They have monthly review meetings where RAG statuses are debated. They have internal audit functions, risk registers, and control self-assessments.
And yet the process drifts. The original intent erodes. Workarounds become normalised. The control chart shows green while the actual outcome for the customer, the employee, or the business deteriorates.
This happens because control systems are designed to detect deviation from the norm - not to question whether the norm itself is correct. The dashboard can tell you whether the process is running within specification. It cannot tell you whether the specification is still appropriate.
This gap is particularly visible after Lean Six Sigma improvement projects. The Control phase delivers a control plan, the team is trained, and the project closes. Six months later, the Black Belt has moved on, the process owner has changed, and the control plan is in a SharePoint folder no one opens. Control was implemented. Oversight was never established. The question of whether the process remains fit for purpose was never formally assigned to anyone.
In my experience, the absence of Oversight rarely announces itself. It compounds quietly, the way most systemic risks do - through small deviations that each seem manageable, until they are not.
What Real Oversight Looks Like
Oversight is not a meeting. It is a posture - and a set of deliberate mechanisms that sit above the dashboard, not inside it.

It includes management reviews with genuine challenge - not status updates where everyone reports green, but sessions where leaders ask what would have to be true for this metric to be misleading. It includes sunset reviews for controls, where the question is not whether the control is operating, but whether it is still proportionate to the risk it was designed to address, and whether it should still exist at all. It includes process governance structures with clear accountability for who has the authority and obligation to ask whether a process remains fit for purpose - separate from who runs it day to day. And it includes voice of the customer loops that feed external signal back into internal process reviews, so that operational performance is always anchored to actual outcomes rather than internal metrics.
Following the scandal, Wells Fargo directed more than 4,000 risk professionals to report to the central corporate risk team rather than the various business sectors they had previously reported to, hired more than 2,000 new members in risk management, and created the Office of Ethics, Oversight and Integrity to handle ethics complaints and oversee sales practices. These were structural responses - recognising that the problem was not individual misconduct alone, but an architectural absence of cross-functional visibility and accountability.
Had that architecture existed from the beginning - had someone in leadership been structurally required to ask whether the sales model was producing the right outcomes for customers - the trajectory of that institution might have been very different.
The Leadership Implication
This distinction matters most at the leadership level, because Control is largely a technical and operational responsibility, but Oversight is a leadership one.
Leaders who rely solely on control infrastructure are, in effect, delegating their governance role to process systems. They are trusting that the dashboard will surface the right problems at the right time. Sometimes it does. Often it does not - precisely because systems are designed to detect deviation from the norm, not to question whether the norm is correct.
In the Wells Fargo case, the norm was a sales culture built on volume. The controls confirmed that the volume was being produced. It took an external regulatory intervention to establish that volume was not the right measure at all.
Oversight requires leaders to remain genuinely curious about the processes they govern - to ask questions that feel disruptive, to create space for the people closest to the work to surface what the dashboards are not showing. It requires treating the question of process fitness as a standing governance responsibility, not a project-phase deliverable.
A Practical Starting Point
If you are in quality, operations, or process improvement, the next time you are closing out a project or reviewing your control framework, it is worth separating two distinct sets of questions.
The control questions: is the process stable? Are we within specification? Are the monitoring mechanisms functioning as designed?
The oversight questions: is this process still fit for purpose? Are we measuring the right things? Have the conditions it was designed for changed? And - perhaps most critically - who is responsible for asking these questions in twelve months?
Wells Fargo had the first set covered. The second set belonged to no one. That is the difference. Control keeps the process running. Oversight ensures it is worth running.
The organisations that sustain improvement - truly sustain it, not just in the months after a project closes, but over years and under shifting conditions - are the ones that treat those two questions as equally important, and structurally different, responsibilities.