APRA’s revelations at yesterday’s Senate estimates hearings have
thrown a metaphoric hand grenade into the senior executive bunker at
Australia’s largest bank.

If the regulator has been raising
concerns about risk management with NAB senior management and the board
since August 2002, that was when the bank’s audit committee was
responsible for the adequacy and effectiveness of the risk management
and internal control systems.

This raises further questions
about the future of audit committee chair Catherine Walter,
particularly as APRA have claimed some of their concerns were still not
addressed by August 2003. Newly appointed
chairman Graham Kraehe
attended all audit committee meetings during the 2003 financial year,
as did fellow committee members Peter Duncan and Kenneth Moss.

to the annual report, former chairman Charles Allen also attended all
meetings during the year and former managing director Frank Cicutto
attended all meetings except one, even though neither were
members. The regular presence of the chief executive at such meetings
may raise concerns about the committee’s practical independence from
executive management and potentially compromise best practice corporate

Yesterday’s revelations may demonstrate APRA was on
top of any risk management weaknesses, but the real questions are about
what was going on inside NAB as banks should not be relying on external
regulators to be part of their control systems.

What actions
were taken by NAB’s own risk management and internal audit divisions
and how were these supervised by executive management and the board
audit committee? Were external consultants hired to investigate
independently, bearing in mind that any director has the right to
engage independent professional advice to help them fulfil their
responsibilities? At the very least, was trading activity temporarily
restricted while the alleged control weaknesses were investigated and,
if necessary, addressed? If Graham Kraehe’s new board risk committee
was a response to APRA’s concerns, might it not have acted with more
urgency since August 2003 than appears to be the case?

If the
August 2002 alert date is accurate, it also brings into question the
role of external auditor KPMG. External auditors rely on the adequacy
of a company’s internal controls in forming an opinion about
accuracy of the annual financial statements. Is it conceivable that the
regulator’s concerns were not discussed with KPMG through their
tripartite relationship with NAB and APRA? Would such concerns not have
been discussed at the auditor’s year end discussion with the bank’s
audit committee? In both 2002 and 2003? What did KPMG do to satisfy
themselves about the internal risk controls before signing off on the
accounts? Did they investigate themselves or merely accept assurances
contained in a management representation letter?

With shrapnel flying in all directions from APRA’s ordnance, it looks like tin hats all round is the order of the day.

Now, here is an earlier piece Stuart filed.

Graham Kraehe’s NAB baggage

By Stuart Mackenzie
NAB executive turned freelance journalist

appointed NAB chairman Graeme Kraehe appears to be distancing himself
from the bank’s $360 million forex losses on three grounds: the board
risk committee that he chairs was not formed until late last year; the
board as a whole sets risk policies; and executive management, not the
board, is responsible for day-to-day risk management.

As Alan Kohler said in The Age on Monday, Kraehe clearly wants it known that the forex losses are not his fault.

according to NAB’s 2003 annual report, the board’s responsibilities for
risk management are to “establish, monitor and review the risk
management processes with the guidance of the Risk Committee.”

committee was established on 28 August 2003 but according to the annual
report dated 11 November 2003, held no meetings during 2003. Its
responsibilities include “implementing and reviewing risk management
and internal compliance and control systems throughout the Group.”

to the risk committee’s formation, the board audit committee had
responsibility for “the adequacy and effectiveness of the Company’s and
the Group’s risk management and financial control, and other internal
control systems and evaluat[ing] the operation thereof.”

Kraehe has been a member of the audit committee since 2001, he was at
all relevant times both a member of the board that set risk policy and
the committee charged with monitoring the risk controls that appear to
have failed in the case of the forex losses.

executive management are responsible for the day-to-day management of
market risk, they do so within the policies established by the board
and controls monitored by the risk committee or previously by the audit
committee. Should next month’s PricewaterhouseCoopers report find
deficiencies in those risk policies or controls, Kraehe may again find
himself explaining why the forex losses were not his fault.

course, he might also be asked about some other little matters like his
membership of the audit committee when KPMG were reappointed after the
$4 billion Homeside debacle and his chairmanship of NAB’s ill-fated
e-commerce investment vehicle O2-e.

Established in April
2000, O2-e was to “create and accelerate” NAB’s new economy businesses
and introduce “value added Internet capabilities to our core
businesses.” The bank forecast that the venture would represent a
“significant proportion” of its operating profits by 2005.

fact, by October 2001 it was “not active” after writing off more than
$45 million of shareholders funds in failed dotcom investments –
something that was largely overshadowed at the time by the Homeside

Peter Fray

Fetch your first 12 weeks for $12

Here at Crikey, we saw a mighty surge in subscribers throughout 2020. Your support has been nothing short of amazing — we couldn’t have got through this year like no other without you, our readers.

If you haven’t joined us yet, fetch your first 12 weeks for $12 and start 2021 with the journalism you need to navigate whatever lies ahead.

Peter Fray
Editor-in-chief of Crikey