Quality Management in Identum
Introduction
As part of Visma, Identum AS is committed to delivering services and products of the highest quality. Our approach to quality management is built on the principles of recognised standards such as ISO/IEC 27001 and is aligned with the Visma Quality Management System, which is ISO 9001 certified. This ensures the robust, secure, and certifiable handling of all our deliveries.
Organisational Structure and Division of Responsibilities
Identum is organised into five specialised main teams: Administration, Sales & Marketing, Service Delivery, Product, and Development. A central part of our organisational model is that most employees are members of two different teams, which promotes knowledge sharing and better collaboration, and makes the organisation more flexible and robust. Typically, a developer will have their primary membership in the Development team, with a secondary membership in the Product team. Likewise, a Product team member may also have a secondary role as a member of the Service Delivery team.
Administration: Handles overarching functions such as finance, HR, legal, compliance, and sustainability.
Sales & Marketing: Responsible for sales, marketing, and partner and customer relations.
Service Delivery: Focuses on project deliveries, consultancy services, and technical customer support.
Product: Drives the product strategy, including CX, product roadmap, design (UX/integration), and quality assurance (QA).
Development: Responsible for all technical development, infrastructure, hosting, security, and testing.
Identum has a dedicated security officer (CISO) with responsibility for the Visma Application Security Programme (VASP) and Visma Infrastructure Security Programme (VISP). The CISO can block releases and development of functionality that is deemed to be detrimental.
Quality Assurance
Quality assurance at Identum is a systematic process to ensure that our deliveries meet the expected quality standards.
Mandatory Peer Review: All code must be reviewed and approved by another developer before it is merged into the main codebase.
Dedicated QA and Testing: The responsibility for QA and testing is formalised within the Product and Development teams. The Product team is responsible for QA both before and after development.
Comprehensive Testing Process: We conduct multiple phases of testing (functional, integration, performance, security) before deployment to production.
Formal Change Management: To protect the stability and integrity of our production environments, all changes—from minor patches to major feature releases—are governed by a strict Change Management process. This process includes a formal risk assessment, comprehensive testing in a dedicated staging environment, and an approval workflow by relevant stakeholders before any deployment. This ensures that all changes are implemented in a controlled and safe manner, minimising any potential disruption to customer services.
Audit and Certification Programme: Identum is currently onboarding to the Visma Quality Management System (QMS), which is certified according to the ISO 9001 standard. This process will be completed in 2026Q2. As part of this, we will be subject to regular internal and external audits to ensure compliance and drive continuous improvement.
Resource Management and Competence
Effective resource management is crucial for delivering high-quality projects. Our team structure, combined with the following principles, ensures we have the right expertise available.
Competence and Awareness Monitoring: Employee competence and awareness are actively monitored to ensure they align with the requirements of their roles and our quality standards.
Obligatory Training: All employees must complete mandatory training provided through the Visma Learn LMS platform. This includes courses in critical areas such as information security, anti-corruption, responsible use of AI, and GDPR.
Risk Management
Identum has a risk-based mindset that permeates the entire organisation. Our approach is built on a cycle of annual assessments and continuous monitoring. We conduct annual assessments of Security, Legal, Sustainability, Corruption, and Vendor Risk.
Ownership and Follow-up: Each risk is assigned a dedicated owner, and a concrete mitigation plan is mandatory for all identified risks.
Escalation and Monitoring: Risks at a medium or higher level and their mitigation strategy must be approved by the Board of Directors. Very high risks and their mitigation strategies must be approved by Visma Group management. The Identum management team is responsible for day-to-day risk monitoring.
Continuous Risk Monitoring and Scoring
While comprehensive risk assessments are conducted annually, our risk posture is not static. Risk compliance is continuously monitored, and performance is quantified through a monthly Risk Score provided by Visma. This gives us a dynamic, data-driven overview of our performance.
As an example, the report for December 2025 shows an overall Risk Score of 90 out of 100. This composite score is aggregated from several key areas:
Legal Score (25 % weight)
Security Score (25 % weight)
Sustainability Score (15 % weight)
Training & Awareness Score (5 % weight)
Vendor Management Score (5 % weight)
Financial Reporting Score (25 % weight)
This monthly scoring allows management to track trends, identify emerging issues promptly, and verify the effectiveness of our mitigation efforts. For example, when a score is reduced compared to the previous month, the responsible owner must investigate. They are then required to create a clear action plan with specific steps to fix the decline. The clear goal is always to strive to improve the score. This process ensures that for every number, there is a person responsible for making measurable improvements.
The monthly monitoring also includes VASP and VISP status level (Bronze to Platinum). Identum is currently Gold on VASP and Platinum on VISP.
Risk Ownership and Follow-up
Our process for managing these identified risks is built on clear accountability:
Ownership: Each identified risk is assigned a dedicated owner.
Mitigation Plans: It is mandatory to develop a concrete mitigation plan for all identified risks.
Board of Directors' Role: Risks assessed at a medium or higher level are regularly monitored by the Board of Directors.
Group-Level Monitoring: For risks classified as very high, the mitigation plan must also be approved by Group management (Visma), which also monitors them closely.
Key Performance Indicators (KPIs) for Quality Management
To systematically monitor and improve quality, Identum uses a defined set of Key Performance Indicators (KPIs).
Technical KPIs
Infrastructure uptime %: Our SLA guarantees an uptime of 99,9 %.
Defect density: A low frequency of bugs per release is a measure of product development quality.
Organisational KPIs
eNPS: A high Employee Net Promoter Score indicates engaged employees, who are motivated to deliver high-quality work.
Workload and Mental Health: A healthy work environment is a prerequisite for consistent, high-quality output.
Customer and Market KPIs
pNPS: A direct measure of overall customer loyalty and a primary indicator of perceived quality.
CSAT: Provides immediate feedback on specific interactions, allowing us to improve the quality of individual touchpoints.
Churn: Low customer churn is one of the clearest indicators of customer satisfaction and product quality.
Management's Responsibility and Continuous Analysis and Improvement
The management at Identum holds the overall responsibility for the quality management system. Our process for continuous improvement is structured around the Plan-Do-Check-Act cycle, which is central to the Visma QMS.
Plan
Objectives and Risks: We conduct annual risk assessments and define strategic KPIs to set the direction for our quality objectives.
Improvement Planning: As an active part of the Visma quality structure, improvement suggestions are reported to the central Quality Improvement Group (QIG), ensuring our local plans align with group-wide strategy.
Do
Implementation: We execute our defined processes, from software development to customer support.
Training and Awareness: We ensure all employees are trained in our quality procedures and their responsibilities through the Visma Learn platform.
Check
Monitoring and Measurement: We systematically monitor our KPIs, Risk Scores, and data from Survicate to measure performance.
Audits: We participate in regular internal and external audits to verify that our processes comply with the QMS.
Management Review: The management team conducts an annual Management Review with an agenda aligned with ISO 9001 standards, covering audit results, customer satisfaction, and the status of corrective actions.
Act
Corrective and Preventive Actions (CAPA): When a significant non-conformity is identified, a formal corrective action process is initiated to investigate the root cause and implement changes to prevent recurrence.
Improvement and Deviation Reporting: All employees are encouraged to contribute to quality improvement. Deviations, errors, and suggestions are registered as tickets in Jira, providing direct input for review and action.
Actionable Feedback Process: Low CSAT scores or negative feedback on a specific delivery are not just recorded; they are actioned. Each piece of feedback is automatically flagged and assigned to the responsible Team Lead (e.g., in Service Delivery) for immediate review and direct customer follow-up. Should the feedback highlight a recurring issue or a potential systemic weakness, it is escalated and registered as a formal non-conformity, initiating our full CAPA process.