Director IT Risk and Compliance

A World-Class Team

BJ’s Wholesale Club is powered by more than 30,000 team members who make a real impact every day. Whether you're stocking shelves, solving problems or shaping strategy, your work helps families save on what matters most.

We’re a team built on purpose and opportunity. Join us and be part of something meaningful.

Why You’ll Love Working at BJ’s

At BJ’s Wholesale Club, our team members are at the heart of everything we do. That’s why we offer a comprehensive benefits package designed to support your health, well-being and future – both on and off the job. When you grow, we grow.

Here’s just some of what you can look forward to:

• Weekly Pay: Get paid every week so that you can manage your money on your terms.
• Free BJ’s Memberships: Enjoy a complimentary The Club Card Membership, plus a free Supplemental Membership for someone in your household.*
• Generous Paid Time Off: Take the time you need with vacation, personal, sick days, holidays, bereavement, and jury duty leave.*
• Flexible and Affordable Health Benefits: Choose from three medical plans, and access optional dental, vision, Health Savings Account (HSA), and flexible spending account options to fit your lifestyle.*
• 401(k) Retirement Savings Plan: Build your financial future with a company match (available to team members 18 and older).*
• Employee Stock Purchase Plan:  Accumulate funds through after-tax payroll deductions that can be used to purchase shares of BJ’s common stock at a 15% discount.*

*Eligibility requirements vary by position.

Reports To: VP, IT Security and Compliance                          

Team Size: Leads a team of compliance, risk, and security analysts

Travel: Minimal (≤10%)

Position Overview:

BJ’s Wholesale Club is a Fortune 500 membership-based wholesale retailer operating over 267 clubs and 205 gas stations across the Eastern United States. As a high-volume retailer processing millions of transactions annually, our IT Risk & Compliance function is mission-critical — safeguarding member data, ensuring regulatory adherence, and enabling the business to innovate with confidence.

We are seeking a Director of IT Risk & Compliance to lead the organization’s information technology risk management and regulatory compliance programs. This is a pivotal leadership role at a moment of transformation: you will lead a tenured, high-performing team and have the mandate to modernize processes — leveraging AI, automation, and purpose-built GRC platforms to shift the function from reactive to predictive.

The ideal candidate brings deep SOX ITGC and PCI DSS expertise, a track record of cross-functional influence at the executive level, and the vision to build a compliance program that is both rigorous and efficient.

Responsibilities:

Compliance Program Leadership

• Own and mature the SOX IT General Controls (ITGC) program end-to-end: scoping, control design, testing coordination, interim and year-end audit support, and remediation tracking.
• Direct PCI DSS assessment activities and annual penetration testing, partnering with QSAs and internal stakeholders to maintain compliance posture.
• Collaborate with the IT leadership team on Governance, Operating Model and SDLC to ensure compliance with internal policy, industry standards and regulatory landscape.
• Serve as the primary liaison to Internal Audit, External Audit and Legal; manage audit findings through to closure.
• Own the annual IT policy review cycle to ensure policies reflect current regulatory requirements, emerging risks, and operational capabilities.

IT Risk Management

• Lead enterprise IT and cybersecurity risk assessments; maintain the IT risk register and report quarterly to senior leadership and the Risk Management Committee.
• Oversee the Vendor Risk Assessment program and Third-Party Risk Monitoring, including platform management and escalation protocols.
• Partner with Legal and Privacy teams on e-discovery, Legal Hold requests, contract reviews involving technology, and data retention obligations.
• Drive Architecture and Solution reviews in partnership with the enterprise architecture team to embed security and compliance requirements into project delivery.
• Maintain and exercise Incident Response plans; lead or co-lead annual executive and technical tabletop exercises.
• Design and oversee the enterprise security awareness and phishing tests program, ensuring content is role-relevant, engaging, and aligned to the current threat landscape facing large-scale retail environments.  

AI, Automation & Process Modernization

• Champion the use of AI and automation to modernize compliance testing, evidence collection, and risk reporting — reducing manual effort and accelerating cycle times.
• Co-lead the monthly AI Working Group, evaluating emerging AI tools for risk and governance implications and piloting responsible AI use cases within the compliance function.
• Implement and optimize GRC platform capabilities to centralize controls management, automate workflows, and enable real-time compliance dashboards.
• Develop data-driven KPIs and metrics that provide the VP, IT Security and Compliance and ELT with actionable risk intelligence.

Stakeholder Engagement & Team Leadership

• Build and lead a high-performing team of IT risk and compliance professionals; provide coaching, career development, and performance management.
• Foster a culture of accountability and continuous improvement, where compliance is viewed as a business enabler rather than a gating function.
• Present risk and compliance status to the ELT, Audit Committee, and Board-level stakeholders; translate technical risk into business language.
• Collaborate across Technology, Finance, Legal, Internal Audit, and business units to drive cross-functional risk reduction initiatives.
• Interpret evolving legislation and regulatory guidance (SOX, PCI DSS, state data privacy laws) and translate implications into actionable organizational policy.
• Evaluate and manage strategic risk and compliance vendors and co-sourcing partners to supplement internal capacity.

Qualifications:

Required

• Bachelor’s degree in Information Systems, Computer Science, Cybersecurity, or a related field.
• 10+ years of progressive experience in IT risk management, IT compliance, or information security; including 3+ years in a people leadership role.
• Deep, hands-on expertise with SOX ITGC: control frameworks, testing methodologies, audit liaison, and remediation management.
• Substantive experience with PCI DSS compliance programs in a large-scale retail or financial services environment.
• Proven ability to manage complex, multi-stakeholder programs simultaneously under regulatory scrutiny.
• Strong executive communication skills; comfortable presenting to C-suite and Board-level audiences.

Preferred

• Professional certifications: CISA, CISSP, CISM, CRISC, or PCI ISA/QSA.
• Experience deploying or optimizing GRC platforms (AuditBoard, ServiceNow GRC, Archer, or similar).
• Demonstrated experience piloting AI or automation solutions within a compliance or audit function.
• Experience with third-party risk platforms (UpGuard, BitSight, Security Scorecard, or equivalent).
• Familiarity with state data privacy regulations (CCPA, VCDPA, CPA) and their IT implications.
• Prior experience in a Fortune 500 retail, consumer, or financial services environment.

• Strong communication and interpersonal skills Proven analytical and organizational skills

In accordance with the Pay Transparency requirements, the following represents a good faith estimate of the compensation range for this position. At BJ’s Wholesale Club, we carefully consider a wide range of non-discriminatory factors when determining salary. Actual salaries will vary depending on factors including but not limited to location, education, experience, and qualifications. The pay range for this position is $185,000.00 - $225,000.00.

This is a hybrid role. Tuesday through Thursday are in-office days at BJ's Club Support Center in Marlborough, MA and Monday and Friday are remote days.

 

 

We recognize the growing role of AI tools, including ChatGPT, and value familiarity with them. That said, we want to hear from your authentic self. Your application should reflect your own skills, experiences, and insights rather than AI-generated responses.