Tembec, a global forest products company with headquarters in Quebec, Canada, chose to implement Control Objectives for Information and related Technology (COBIT) as a source of best practices and for a more formalized approach to managing IT. Tembec was seeking a way to measure its IT successes and create clear, measurable goals. COBIT enabled the company to determine maturity levels and advance on the journey toward Sarbanes-Oxley compliance. More than three years after implementing COBIT, Tembec has a core set of COBIT-based policies and continues to implement additional COBIT-oriented procedures.
Tembec has 10,000 employees who work at 55 locations in Canada, the US and Europe, including 90 IT staff members. The company’s annual revenues are approximately C $4 billion.
Tembec chose to implement COBIT for two primary reasons: to improve and optimize processes, and to increase its focus on governance. When the company first began implementing COBIT, the US Sarbanes-Oxley Act had not yet been passed, but Sarbanes-Oxley compliance has since become an important driver for using COBIT.
Before implementing COBIT, Tembec’s IT groups were focused on achieving the corporate goals of continuing growth and lowering costs, but there was little in the way of a formal IT governance framework. Some process documentation existed but there was no comprehensive suite of IT policies and procedures.
The company chose COBIT as its governance framework because it was vendor-neutral, comprehensive and developed by a world-class organization.
Tembec hoped to accomplish three main business objectives by implementing COBIT—increasing Tembec’s focus on governance, strategically aligning IT and the business, and improving and standardizing processes.
“It’s important to have good business reasons for COBIT implementation and to get support from top management, ” said Bob Gilbert, manager of corporate IT security and governance. “You don’t just ‘do’ COBIT. It’s more of a journey.”
The journey began by educating IT staff about COBIT-specific terminology and conducting a maturity assessment that led to the identification of 12 priority processes. Additionally, Tembec identified “the COBIT 7”—seven essential elements common to most of COBIT’s 34 processes. These consisted of policies, procedures, communication, training, adherence, monitoring and audit. The company’s goal in identifying the seven elements was to take the essence of COBIT and tailor it to fit Tembec’s needs.
To accomplish this, Tembec used COBIT’s maturity assessment indicators—nonexistent, initial/ad hoc, repeatable, defined, managed and optimized—to rate each of the seven elements at Tembec. In doing so, the company learned several important lessons: formal policies and procedures were essential and needed to be implemented, the level of training and monitoring needed to be increased, and additional controls needed to be added. By committing to COBIT implementation—and not treating it like the latest fad—the company was able to accomplish all of that and make COBIT an important part of Tembec’s culture.
“We liken COBIT to an onion,” Gilbert said. “We pull off one layer, digest it, and then start on the next one.”
Tembec has been implementing COBIT since 2002 and continues to develop procedures based on COBIT. The company has a core set of policies and procedures based on COBIT, and it plans to develop many more as it continues to address Sarbanes-Oxley compliance.
“COBIT has been a large part of the Sarbanes-Oxley solution,” said Gilbert. “It is a path toward a more efficient and effective IT organization.”