With over two decades of experience spanning finance, technology and risk — Paul O’Rourke brings a uniquely pragmatic lens to the evolving enterprise risk landscape. Now Chief Risk Officer at Tabcorp, Paul is redefining what that title means, finding ways to encourage business innovation (safely, of course) and building strong, agile and complementary teams, to tackle what lies ahead. He joined Atlas Director, Craig Gorton, for our Pathways Podcast.

 

 

Craig: Hi everyone, today I’m joined by Paul O’Rourke, who is the Chief Risk Officer at Tabcorp. Hi Paul, how are you?

Paul: Hello Craig, how are you?

Craig: Very well, thanks for asking. I’m going to run through a few questions, Paul, just to learn more about your journey – particularly your foundational learnings early on, right through to mentors. But let’s start at the beginning. Talk me through your career to date, including those early days – and what foundational learnings do you still use today?

Paul: I’ve been in IT and risk for about 25 years. I actually didn’t come from a risk or tech background. I started with an economics degree and worked in finance for a number of years. I moved across to technology in the late ’90s and focused on broad risk – especially cyber – for many years. That’s taken me across a number of companies, including a startup we launched, through to running large consultancies for major global brands. I’ve moved in-house a few times, but I’d say the bulk of my career has been in consulting. I think moving between both in-house and consulting has been a hallmark of my career.

Craig: Excellent. And what was it about risk that attracted you?

Paul: The first thing that attracted me was cyber – and this was as tech was really starting to take off in the early 2000s. Cyber was emerging as a key risk, but it wasn’t really well understood. I came at it from a risk perspective rather than a technical one. Back then, most people in cyber came from a tech background, but I always saw cyber as an enterprise risk. Ironically, I think technology is the solution, not the problem – risk is the problem. If you flip the equation, you realise you’re never going to solve cyber completely. It’s a risk you have to manage. That’s always been my approach: managing risk through technology, especially in the cyber space.

Craig: That’s really interesting. It sounds like the further you got into your career, the more you started identifying how things connect. Was that what you expected from the start, or did it evolve over time?

Paul: I’d love to say I predicted it all, but no – it definitely evolved along the way. I think my early hypothesis was right, but the scale of risk has gone beyond what I ever expected. Take cyber, for example. Fifteen years ago, it was seen as just a tech issue. Now it’s a top-three enterprise risk for nearly every company around the world, regardless of size. Helping organisations understand, manage, govern and report risk is a constantly evolving challenge. Cyber in particular has been one of the most complex risks for most organisations. Unfortunately, the market still tends to focus too much on the technology side, and not enough on the risk side.

Craig: It’s definitely an evolving space that changes day by day.

Paul: Even in the last week, we’ve seen Australian superannuation funds impacted. There was a relatively quiet period in terms of major breaches over the last two years, but now we could be entering a new phase of attacks – similar to what we saw a few years ago. Globally, it hasn’t slowed down at all. It remains a major risk.

Craig: Absolutely. Looking back into your career – when you transitioned into your first corporate leadership role at ANZ – was that a challenging shift?

Paul: In hindsight, no. A lot of the attributes are the same as consulting – stakeholder engagement, people leadership, and pragmatic management. To be honest, I didn’t find it difficult moving in, or moving back to consulting again. Even now at Tabcorp, I moved from consulting into the company in 2024 and found it fairly seamless. If you bring the same skills and approach, the environments are quite similar.

Craig: Yes, I agree – they do complement each other well. At the end of the day, the expectations and deliverables are fairly aligned.

Paul: The one big difference is that in consulting, you’re also driving sales, which obviously isn’t part of an in-house role. But aside from that, they’re quite similar.

Craig: What would you say are your top three lessons as a risk leader?

Paul: Number one is definitely the people you lead and the team around you. It doesn’t matter how good your frameworks, policies or standards are – without the right leadership and culture, you won’t get the outcomes. Second is pragmatism. Risk professionals can sometimes be too purist, and that can create a disconnect with the business. You’ve got to align with the business strategy and enable the business – otherwise, you risk becoming a blocker. I always talk about being the “manager of secure yes.” Our role is to help make things happen safely – not just say no all the time. Of course, there are times when the answer has to be no, but generally, we’re here to enable. Third would be agility. You’ve got to be agile in your leadership, decision-making, and in how you apply risk frameworks. Things change rapidly, and you need to be able to adapt.

Craig: Great advice – especially useful for future risk leaders. You’ve worked globally in consulting – is that a path you’d recommend for gaining experience and career growth?

Paul: Absolutely. I’ve lived overseas three times – once in the US, twice in Singapore – and held global roles from 2000 to 2024. That’s over 20 years of leading global or Asia-Pacific practices. Exposure to different markets and approaches is crucial. For example, Europe has led on privacy – so understanding that gives you perspective here in Australia. Tech maturity is more advanced in the US, and working with that can really round out your skills. And you don’t need to live overseas – even working on a global project or with international teams can give you that exposure. These days, a lot of technology and risk delivery is outsourced across markets. It’s a hybrid model – in-source, outsource, co-source – so having a broad view helps.

Craig: Totally agree. In risk especially, different jurisdictions have different regulations, and you naturally strengthen different skills depending on the region. Picking up best practices from each is so valuable. On to mentors – has anyone had a strong impact on your career?

Paul: Yes, I had a mentor for a number of years – I actually sought him out. He was the chairman of an ASX-listed company and a former global CEO of a major manufacturer. He really challenged me. I always tell people: don’t look for a mentor who just tells you what you want to hear. Find someone who challenges you and has strengths you don’t have. A mentor should ask the tough questions. Even if you’re performing well, you need someone to challenge you and help you grow. That’s what I try to do as a mentor too – I let people know upfront that I won’t just say yes. It’s not about being a cheerleader – it’s about being a challenger.

Craig: Totally agree. The role of a mentor is often misunderstood – it really is about keeping you in check and helping you grow.

Paul: Exactly. And as a leader, I’m very self-aware. I know what I’m good at – and what I’m not. So I build my teams with complementary skills. That’s something I always encourage in leadership – know where you’re not strong, and bring in people who are. That applies above and below you. A good team underneath you supports you, and a good mentor challenges you. That’s how you become a more well-rounded leader.

Craig: Excellent – really solid advice. To finish off – any final advice for future leaders?

Paul: Don’t be binary in your career. Take on roles that challenge you. Some of the roles I’ve taken on were probably a stretch at the time, but I backed myself. I often say I was like a swan – calm on top, paddling like mad underneath. If you’ve got the right support and you’re a strong leader, you’ll succeed. You don’t have to be a hero. It’s about building the right team, managing and supporting them, and pushing them to be better. That’s what defines success in leadership. And don’t be afraid of change – I’ve moved between in-house and consulting, lived overseas, taken on global roles. I wouldn’t change any of it – I’ve learnt something valuable each time.

Craig: Excellent. Thanks, Paul – some great insights not just for the risk space, but leadership in general. Really appreciate your time.

Paul: Thanks Craig.