Risk & Assurance Program Lead

MORROW MEDICAL MORROW Medical is a physician‑led longevity and lifestyle medicine clinic in Singapore, focused on helping individuals understand, optimise, and protect their long‑term health. We combine comprehensive health screening, preventive care, and evidence‑based lifestyle medicine to identify early signs of metabolic, cardiovascular, and functional change—often before disease develops. Our fully licensed doctors diagnose conditions, prescribe medication, and manage chronic disease where required, while also guiding patients through personalised lifestyle interventions that support sustainable improvement. From preventive screening to ongoing medical management, MORROW Medical delivers integrated care designed to strengthen function, resilience, and long‑term health outcomes.

MORROW HEALTH MORROW Health is Singapore’s largest integrated fitness and recovery destination, designed to help individuals build healthier, more resilient lives through intentional daily habits. Grounded in lifestyle medicine, MORROW Health brings together physical activity, nutrition, restorative sleep, stress management, avoidance of risky substances, and social connection through structured programmes and purpose‑built environments that make sustainable lifestyle change achievable. Supported by evidence‑informed practice and data from wearables and lifestyle inputs, MORROW Health helps members recognise patterns, build consistency, and stay accountable—turning insight into everyday action that supports long‑term vitality, strength, and clarity, without medical diagnosis or treatment.

Build, operate, and continuously improve MORROW’s control layer, the set of governance functions that keep patients safe, protect data, comply with healthcare rules, and keep services running. The role ensures trust is earned through evidence, not intent, by maintaining concise policies, simple cadences, and auditable artefacts that demonstrate controls work in practice.

MORROW operates as a group with multiple entities, and will incorporate new operating entities over time, each with its own Board. This role establishes a consistent Group control‑layer operating model while maintaining entity‑specific compliance and evidence requirements.

• Primary reporting: Reports to the Board of the respective entities within the Group (or a delegated Board committee, for example Audit and Risk), for assurance matters.
• Administrative coordination: Works day to day with the CEO, COO and EXCO members to run cadences, maintain artefacts, and drive closure.
• Standing access and escalation: Has standing access to EXCO and Boards for material issues, including escalations supported by evidence, recommended actions, owners, and timelines.

You are accountable for the system and evidence:

• single source of truth for artefacts (SharePoint, Files channel)
• cadence execution (reviews, audits, drills)
• evidence quality and completeness
• control testing and verification
• issues tracking and action closure discipline
• independent assurance reporting to EXCO and Boards

You are not the accountable “Owner” of each control function domain, those owners remain as defined in the Control Layer.

You will operate the framework across these seven functions, ensuring each has current artefacts, a working cadence, and validated evidence signals:

Operate the ERM system so scattered concerns become owned risks with actions, dates, and owners; maintain the risk register and reporting packs; enforce escalation rules.

Run the intake and tracking system, maintain DOA and template libraries, track cycle times and exceptions, and evidence “zero out of policy signatures”.

Coordinate HSQ evidence, audit readiness, incident and near‑miss logs, CAPA tracking, and verification that practice matches policy.

Support and evidence the minimum standards, acknowledgement rates, MFA coverage, access reviews, and breach drill readiness.

Maintain the internal controls framework artefacts and evidence folders, support regular testing, and drive remediation of exceptions to reduce recurrence.

Maintain insurance artefacts, claims SOPs, incident‑to‑claim checklists, coverage gap tracking, and post‑incident claim reviews with evidence of timely notifications.

Maintain BCP artefacts (call tree, scripts, evacuation checklist), run tabletop and evacuation drills, and track improvements and tested RTOs.

Plan, schedule, run, and document the recurring beats that prove controls work:

• ERM: risk review committee, plus escalation within 24 hours for red risks per scoring rules.
• Legal, Compliance and Licensing: weekly intake triage, monthly compliance check‑in, annual licensing reviews.
• HSQ: monthly safety walk, quarterly HSQ audit.
• Privacy and Cyber: quarterly DPO and IT reviews, annual breach drill.
• Internal Controls: quarterly control testing with evidence folders.
• Insurance: annual broker review and post‑incident claim reviews.
• BCP: semi‑annual tabletop exercises, annual evacuation drill.

• Keep “policy on a page” artefacts current, link to living SOPs and templates, maintain registers and logs as the source of truth.
• Maintain evidence folders that are inspection‑ready at all times.

• Design and execute a risk‑based assurance plan across all seven functions, including spot checks, evidence verification, and control effectiveness testing.
• Report findings with owners and due dates, and confirm remediation is effective, not cosmetic.

• Operate an issue register (incidents, audit findings, control exceptions, compliance gaps), severity triage, owner assignment, due dates, and verification of closure.
• Reduce repeat failures by ensuring root cause is addressed and evidence signals improve (e.g., fewer repeat incidents, lower exception rates).

• Produce a concise monthly assurance pack: top risks, overdue actions, exceptions, drill readiness, insurance gaps, and trend movement.
• Escalate material issues with evidence, recommended actions, and timelines.

Track and report the cross‑control KPIs defined in the control layer:

• Policy acknowledgement rate and on‑time reviews
• Red risk escalation within 24 hours
• Action closure by due date
• Quarterly control exception rate
• Drill and audit completion rate
• Count and age of insurance coverage gaps

• 7+ years in risk, compliance, internal audit, assurance, governance, or regulated operations.
• Proven ability to build and run governance cadences, registers, evidence packs, and dashboards.
• Strong control testing capability (sampling, evidence standards, exception reporting, remediation verification).
• Able to influence senior owners without direct authority, and escalates cleanly with evidence.

• Healthcare, clinical governance, or health services operations exposure.
• Data privacy / cybersecurity governance experience (policy, access reviews, breach drills).
• Insurance and claims governance experience.
• Certifications (desirable, not mandatory): CIA, CISA, CRISC, ISO 27001, or similar.

• Evidence‑led thinking, low tolerance for “looks good on paper”.
• Independence and courage in escalation.
• Operational discipline: cadence, follow‑through, closure.
• Clear writing for Boards and regulators.