Starting his career in risk in the 90s for Australia Post, and now Chief Risk Officer for Australian Securities and Investments Commission (ASIC), Zack Gurdon‘s career has spanned the full evolution of modern risk management. Zach joined Atlas Director Craig Gorton for our Pathways Podcast to share how a foundation in security and intelligence shaped his leadership, and why it takes strategy, storytelling — and a bit of self efficacy — to step confidently into a CRO role.
Craig Gorton:
Hi everyone, today I am joined by Zack Gurdon, who is the Chief Risk Officer of ASIC. Welcome, Zack.
Zack Gurdon:
Pleasure, guys. It’s great to be here.
Craig Gorton:
Let’s start with your career to date, including the early days. What were your foundational learnings that you still use today?
Zack Gurdon:
So, my career path has come through from a security and intelligence perspective.
I almost joined a security agency in Canberra and made a career choice very early on and ended up working for Australia Post. One of the reasons why was I just didn’t like the idea of living in Canberra — it’s pretty cold there for me.
My studies have had a strong interest in security and intelligence so my first role at Australia Post was as a security advisor/analyst. There was a lot of emphasis there on how to better manage security of all the Australia Post infrastructure and sites, particularly at that point in time, which was in the late ’90s, the offices were being targeted for armed robbery, which was quite a common thing back then. We did a lot of analysis of risks — what kind of risks were present at different outlets that increased the likelihood of being targeted for armed robbery. We developed some pretty interesting tools that we used to upgrade those sites based on different risk factors.
That really piqued my interest in risk as a tool you could use to inform decisions — about where to take action, how to invest your time and energy based on the exposures that existed. That’s always carried through in my future roles. Over the years, my roles expanded into general security, business continuity, crisis management, fraud, and corruption in the first half of my career. Eventually, my interest in risk took me into more operational and strategic risk roles. To my mind, when used correctly, risk management is a really valuable tool. It helps you realise opportunities while taking appropriate measures to avoid major downsides from decisions. That’s always grown and expanded over the years.
Craig Gorton:
Yeah, fantastic. That’s the full gamut of risk. Coming from the ’90s to today, that’s a broad spectrum you’ve seen.
You transitioned your career relatively recently into your first CRO position from GM positions. How was that transition, and how did you manage it?
Zack Gurdon:
One of the things you learn in leadership is that your success is really affected by the success of your team. What your team can achieve based on your leadership and guidance.
Stepping into a CRO role presents a slightly different challenge because you really need to lean on your own abilities and rely on your own judgement. In your early career, you lean heavily on technical skills to build credibility. But the more senior you become — particularly in a CRO role — you’re expected to have an opinion. Sometimes your opinion or judgement won’t be right, but you need the willingness to take a risk, lean in, and have a view. You may not be the expert in everything, but your role is to add value. If you want to be an adviser to your CEO or EXCO then you need to rely on your own judgement and opinions to be successful.
So that’s one aspect. The other is that you’re responsible for setting the strategy. You have to sell your vision — the strategy, the approach to risk management and the other activities in your portfolio.
What worked for you before may not work now. You’ve got to be aware of what your organisation is willing to accept — the culture, what they’re prepared to do in relation to risk management. My approach here was to start softly, engage the executive , and develop an approach — but never told them what the end game was. Because if I had, they might’ve run in the opposite direction. But over time, things mature and they get accustomed to the activities.
So, the two key things are:
1. Lean on your ability to articulate, develop, and sell a strategy that fits your organisation.
2. Build your personal credibility. You’re in the room as an executive — be willing to share your opinion. Sometimes it won’t land well, and that’s OK. But often, it will. That’s crucial if you want to succeed in a CRO role and be a true adviser to the executive.
Craig Gorton:
Yeah, great. That key adviser role — that’s really the essence of it.
Over your career, what would you say are the top three lessons that allowed you to progress to where you are today?
Zack Gurdon:
I’ve had some advantages.
Coming from a background where risk management wasn’t regulated — it didn’t have to be done in a certain way — meant I had to build frameworks, tools, and systems that added value.
At the end of the day, boards from those organisations didn’t t have to do risk management. They see its conceptual value, but practical execution is the challenge.
So, lesson one: Understand the personality of your organisation — where it’s at culturally, its mindset, and how far it’s willing to go with risk management. Every version of risk management is different. This is the third time I’ve built a framework from scratch. The foundations are the same, but the approach varies. Right-size your framework and approach — it might not be perfect on day one but keep the end goal in sight and work toward it.
Lesson two is a leadership one. I had a great mentor who taught me: don’t be the expert in the room. Hire people smarter than you, fill the gaps where you’re weak, and get out of their way. My success depends on the success of the leaders in my team. Let them do their job, and if they succeed, you will too. You can’t be the smartest person in the room all the time. That limits your function. I didn’t start out that way — I was very technical and almost quit my first leadership role because I struggled with that. But I’ve grown into it.
Lesson three: Be willing to have an opinion and be vulnerable. Early on, I relied too much on my technical expertise. Another mentor pointed that out. But credibility is also built on judgement and being able to advise based on knowledge and practical experience — not just technical knowledge. That’s how you accelerate your career: by advising beyond technicalities. Risk gives you a unique skill set that can really add value to an organisation — even outside traditional risk frameworks.
Craig Gorton:
Yeah, good. Mentors seem to be a theme in two of those lessons.
What’s your experience with mentors, and what advice would you give to someone looking for one?
Zack Gurdon:
Mentors for me — I need to admire them and how they go about things.
They need to share similar values. You may not start off calling someone a mentor, but over time, the relationship can evolve.
I’ve always made a point to seek out people I respect and ask for advice.
The friendships I’ve developed with mentors have lasted — they’re still influential to me today.
So, my advice is: seek out people you admire and who share your values. If you do that, they’re likely to stay with you throughout your career, and over time, those conversations become two-way — you’ll share insights and even mentor each other.
Craig Gorton:
You’re putting your hand up as a mentor, Zack — that’s what I’m hearing.
Zack Gurdon:
Yeah, I do mentor people who’ve worked with or for me.
I’ve built strong relationships with them, and I enjoy it.
That’s the benefit of experience.
It’s tough progressing your career — you need support.
I know how impactful a bit of wisdom or advice from someone experienced can be.
So, I’m always happy to pass that along if it helps someone else.
Craig Gorton:
Absolutely. I’m sure it will.
Let’s reflect on how you’ve seen risk evolve in your career.
How do you see the CRO role changing over the next 5–10 years?
Zack Gurdon:
It’s hard to see past technology.
Everything is about AI and rightly so.
We used to do thematic analysis with 400–500 risks in a spreadsheet.
Now we run machine learning algorithms over risk registers to find themes and relationships.
The real game-changer is AI. Risk expertise is still important, but data and tech — AI — are becoming just as critical. That hygiene-level risk work? We should automate that. Organisations generate so much data — tap into it. Use it to find insights.
Risk people need to think about working with data scientists and AI experts — bring those skill sets together. Whether AI will replace analytical skills is unclear — maybe not, because human judgement still matters. But who knows?
Secondly, I think we’ll see more emphasis on strategic risk. Risk registers can get too complex and impractical. We need to evolve to be strategic business partners — embedded in decision-making, strategy. That’s happening in some organisations already, and I think it will grow.
So, the CRO of the future needs to be a strategic adviser, not just a technical one. And the #1 challenge? Data and technology. If you don’t embrace that and leverage tech to bring efficiency and insight to your function, that’ll be a threat to your role.
Craig Gorton:
Lots to digest there.
Final question: what advice do you have for future leaders looking to step into their first CRO role?
Zack Gurdon:
I’ve always sought out broad experiences.
I’ve worked in cyber, fraud, business continuity, strategic and operational risk, M&A. it.
That broad experience is powerful.
It’s important to see how risk works in different contexts.
Organisations have different risk needs, and your ability to adapt is key.
Put your hand up for projects outside your area — that’s how you grow. In 2013, I wanted to be a CRO. I applied for the role, didn’t get it. But I asked to work with the new CRO to build experience. I stepped down from an executive role to an GM role to do it because I was pigeonholed in my old role. That decision changed my career. If you feel stalled, think broadly. Sometimes going sideways or even down is worth it if it gives you a new experience.
And finally, relationships matter. I’ve often been tapped on the shoulder for roles because of my networks. Mentors, connections — those relationships lead to opportunities. So, build your network. They’re just as important as your skills.
Craig Gorton:
That’s great. Fantastic advice throughout the conversation. I know this will help a lot of people.
Thanks for joining us today, Zack. We really appreciate your time.
Zack Gurdon:
I appreciate it, guys. Thanks. It was a pleasure.
Craig Gorton:
Thank you.
