Visma Whistleblowing Channel

Visma will not tolerate any form of misconduct or critical conditions, such as violations of statutory rules, internal rules, policies or ethical standards, such as bullying, harassment, discrimination, corruption, money laundering or any other financial fraud, and will make efforts to ensure a safe, healthy and legal environment in all our business activities and legal units.

Visma will comply with all applicable laws and regulations and act ethically and socially responsibly. Breaches of any local and/or EU/EEA law may result in disciplinary actions, including termination / dismissal and reports to the relevant authorities.

The Visma Whistleblowing Channel is a tool enabling anonymous submission of any suspected breach of the local and/or EU/EEA law from both inside Visma and outside. It fosters confidential communication between reporter and case handler.

Visma Whistleblowing is compliant with the EU Whistleblower Directive (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law) and the regulations regarding whistleblowing in the WEA (local working environment and protection laws). Visma is also, in some jurisdictions, due to being licensed by local Financial Supervisory Authorities, obliged to have a specific whistleblowing system in place.

Submit a report

What happens next?

1. Whistleblowing compliance

Visma will not tolerate any form of misconduct or critical conditions, such as violations of statutory rules, internal rules, policies or ethical standards, such as bullying, harassment, discrimination, corruption, money laundering or any other financial fraud, and will make efforts to ensure a safe, healthy and legal environment in all our business activities and legal units.

Visma will comply with all applicable laws and regulations and act ethically and socially responsibly. Breaches of any local and/or EU/EEA law may result in disciplinary actions, including termination / dismissal and reports to the relevant authorities.

The Visma Whistleblowing Channel is a tool enabling anonymous submission of any suspected breach of the local and/or EU/EEA law from both inside Visma and outside. It fosters confidential communication between reporter and case handler.

Visma Whistleblowing is compliant with the EU Whistleblower Directive (Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law) and the regulations regarding whistleblowing in the WEA (local working environment and protection laws). Visma is also, in some jurisdictions, due to being licensed by local Financial Supervisory Authorities, obliged to have a specific whistleblowing system in place.

Objective

The objective of this procedure is to describe the handling of cases submitted to the Visma Whistleblowing Channel, according to the EU Directive, local legislation and the internal procedures while at all times ensuring the protection of the Notifier.

The output of this process is that the reported case is handled with discretion and closed, with necessary actions taken.

This procedure is owned by Visma Chief Risk Officer and was last updated in May 2022.

Definitions

Case handler - the Whistleblowing Country Manager or other assigned personnel who will handle the report.

Intake Management Service (IMS) - a third-party service facilitated by the Whistlelink vendor which receives the reports and assigns cases within one business day based on a predefined schema.

Notifier - is a person who reports a breach of EU/EEA or local law. They can be any employee, former or existing, or self-employed person in Visma, a shareholder, or someone from outside of Visma, e.g third persons connected with the Notifier or Visma’s suppliers and customers who need to notify of a breach or a potential breach of the local or EU/EEA legislation or any of Visma’s internal rules/policies.

Report - the reported whistleblowing case.

Viewer - a case handler with temporary and limited access on Whistlelink, requested by the case handler to the Whistlelink Administrator.

Whistlelink - the chosen tool for handling whistleblowing reports.

Whistleblowing Country Manager (WCM) - a Visma employee, typically from Management, HR, Legal or Finance, responsible for coordinating and managing whistleblowing for all the Visma companies in their assigned country. Each country has been assigned two Whistleblowing Country Managers for backup purposes.

Whistlelink Administrator - a Visma employee who responds to user management requests at whistlelink.admin@visma.com.

2. Who can report

This procedure applies to a Notifier who needs to report a breach or a potential breach of the local or EU/EEA law or any of Visma’s internal rules/policies, such as Visma’s Code of Conduct.

It also applies to third persons who are connected with the Notifier, and who could suffer retaliation in a work-related context, such as colleagues or relatives of the Notifier.

As a Notifier, you are protected by law. You should not be treated unfairly or lose your job because you ‘blow the whistle’.


3. What can be reported

All reports shall be based on justifiable grounds of suspicion. Evidence is not necessary, but reporting must not be made with the intention to cause harm or with the knowledge that the accusation is false. Hence, the report you disclose must be made in the public interest. To identify if a report is in the public interest, you should look at the following criteria:

  • the number of people affected
  • the nature or impact of the harm
  • who is the reported individual.

In a nutshell, the report should go beyond the employee’s personal circumstances.

Some examples include the following:

  • a criminal offense, for example, fraud
  • someone’s health and safety are in danger
  • risk or actual damage to the environment
  • a miscarriage of justice
  • the company is breaking the law – for example, it does not have the right insurance
  • you believe someone is covering up wrongdoing
  • #MeToo cases

Whistleblowing that fulfils this criteria shall be treated as a “Qualified Reporting” and handled in accordance with the Visma Whistleblowing Procedure.


4. What cannot be reported

Types of cases other than those listed above should not be reported. Such cases that do not fulfil the criteria will be treated as “Non-qualified reporting”. A non-qualified reporting will not be handled within the Visma Whistleblowing Procedure.

Examples of cases that should not be reported through the Visma Whistleblowing Channel are:

  • General opinions on how the business is run
  • General opinions on salary, leadership or other personnel matters

Such cases shall be handled by reporting to the relevant manager or any other relevant person within the management of the company in question.

This is the standard response the Notifier will receive in case of a “non-qualified reporting”:

Thank you again for your report.

After a careful review, we do not consider this to be a whistleblowing matter and will close the case. Our recommendation is to speak with your closest manager or contact HR/other.

Please note that you will not be able to respond to this message. Should you not be happy with how your case was managed you are welcome to submit a new one.

Kind regards,
VISMA Whistleblowing

5. Where the reporting should be done

Reporting shall be made:

Both links will take the Notifier to an external secure page: https://visma.whistlelink.com which is the only and official Visma Whistleblowing Channel.

Reporting is made by submitting a form either anonymously or with a full name. Providing your full name might in some cases increase the chance of resolving the reported case, however, it is fully the Notifier’s decision to disclose their identity or not.

If you are reporting anonymously please make sure that you put down as much information about the matter as possible and at least the following:

  • The Visma company connected with the misconduct/breach of local/EU/EEA law
  • Description of the misconduct/breach and who’s involved
  • Facts, evidence or proof of the misconduct/breach

Note! If an alert is received through a different channel than the official one, the recipient shall use the Visma Whistleblowing Channel to register the case or contact the relevant Whistleblowing Country Manager. The same steps shall be used in handling the case.

6. The whistleblowing process and its actors

w1b.png


Figure 1. Whistleblowing case handling process overview

w2b.jpg


Figure 2. Process actors’ responsibilities and tasks


Report registration and case handler assignation

When Visma receives a report submitted through the Whistleblowing Channel, the third-party Intake Management Service (IMS) will immediately receive a notification for channeling the alert to the designated Whistleblowing Country Managers which are always two people either from Management, HR or Finance.

Visma uses this set-up also to ensure impartiality and transparency.

Each country has two Whistleblowing Country Managers assigned for backup reasons which include vacation or any type of leave, or if one of them is mentioned in the report, then IMS will assign the case to the other one.

Once the case is assigned to the main Whistleblowing Country Manager, the Notifier will receive an acknowledgement of receipt. According to our contract with the IMS provider, this will happen within one business day after the report was submitted.

The standard automatic response which will be sent to the Notifier is this one:

Thank you for submitting your concerns. We hereby confirm that we have received your case and we will review it carefully.

All future communications from us will be sent via this channel, so make sure you save and store your case and verification numbers.

Best regards,
VISMA’s Whistleblowing

Whistleblowing case handling

The provision in Article 8(3) of the EU Directive 2019/1937 specifies that each Visma company with 50 or more workers is required to set up channels and procedures for internal reporting, where such legal entities belong to a group of companies (please see Figure 3. below).

Article 8(6) allows medium-sized companies to share resources as regards the receipt of reports and any investigation to be carried out. It should be underlined that the responsibility to maintain confidentiality, give feedback, and address the reported breach remains, however, with each medium-sized company concerned. Only medium-sized companies can benefit from this possibility, and companies that belong to the same group.

The Whistleblowing Country Managers have the responsibility to create local procedures for internal reporting, while the local channels are facilitated through case handler assignation.

All cases reported through the official Whistleblowing Channel will be tracked through logs that can’t be tampered with, hence, cases can’t be deleted from the system.

Qualified or Non-Qualified report

The case handlers on the platform, i.e. the Whistleblowing Country Managers or the relevant personnel assigned to handle the case, will need to decide as per each internal procedure and local legislation whether the report is to be treated as Qualified or Non-Qualified report.

If the case handler decides that it is a Non-Qualified report, the report can be immediately closed by sending a standardized communication to the Notifier through the platform and by unticking the “​​Whistleblowing case” box which will exclude it from statistics.

Thank you again for your report.

After a careful review, we do not consider this to be a whistleblowing matter and will close the case. Our recommendation is to speak with your closest manager or contact HR/other.

Please note that you will not be able to respond to this message. Should you not be happy with how your case was managed you are welcome to submit a new one.

Kind regards,
VISMA’s Whistleblowing Function

If the report is considered to be Qualified, the relevant case handlers are obliged to start the investigation process. The report will be marked as a “​​Whistleblowing case” on the platform so it will count in the statistics.

Case handling per company size
imaget76i9.png

Figure 3. Company size and type-specific requirements

For Visma companies with more than 250 employees, the Whistleblowing Country Managers will forward the report to the assigned contact points in these legal units.

For this reason, one of the fields in the report that should be filled in is “Please select the Visma company this report pertains to.” This is not a mandatory field, which is why if this information is not provided, the Whistleblowing Country Manager should double-check with the Notifier if the report does not pertain to one of the large Visma companies, or they are not comfortable providing this information. It should be made clear that this information is important so their case is better handled by the relevant people and in accordance with the EU directive.

The Whistleblowing Country Managers will include in their internal procedures an overview of all the Visma companies in their assigned responsibility. This will include contact persons such as HR, legal, financial or environmental matters..

For all Visma companies that are regulated by a financial supervisory authority and required by any specific regulations other than the EU Directive referred to above to provide for a whistleblowing Channel, the Whistleblowing Country Managers will send the report to the local contact point who will inform about the receipt of the report the company's Board of Directorsand keep them informed throughout the process. The case will be handled locally, according to Visma Whistleblowing procedure and the local specific regulation.

Best practices for case handling

If the Notifier decides to submit the case by presenting their identity they should be invited to a meeting to discuss the content of the report and to provide more background information regarding the relationship and/or discussion of further handling of the case. In this meeting, agreements shall be made on how to communicate in the further course of the case, including consideration to immediately inform the relevant Visma Company's Board and/or the Visma Group Board, as per the local internal procedures.

If the report is submitted anonymously through the whistleblowing channel, the Whistleblowing Country Managers will coordinate the best course of action for handling the case, depending on the specifics of the reported issue.

To collect more information, the Whistleblowing Country Managers or any other assigned case handler on the case, can and are encouraged to contact the notified in confidentiality using the whistleblowing platform as all messages pertaining to the report will be stored on the platform for further reference.

Important to remember

  • Involve external assistance depending on the degree of impartiality and persons involved (e.g. the management)
  • The method should be adapted to the nature of the problem, the content and the persons involved. Methods that may be used:
  • Document analysis
  • Conversations
  • Use of experts
  • Consultation with immediate contradiction (gather both parties in one room, when possible - get the facts on the table)
  • Interviews with key persons that may have information regarding the suspicion or the case
  • Review of documents, e.g. accounting, project implementation
  • Keep the Notifier informed - they need to receive at least one follow-up notice within 90 days
  • When the Notifier discloses their identity, their manager shall ensure that any retaliation is prevented
  • If at any point the Whistleblowing Country Manager or the case handlers encounter whistleblowing reports including but not limited to reputational damage, litigation, financial risk, etc. they should involve Visma’s Group Crisis Team, for support.
  • Ensure the wellbeing of the Notifier by providing them:
  • Legal aid
  • Health care (often necessary)
  • Leave of absence (when necessary)


Follow-up

As per the requirements of the EU Directive, the main case handler who can be the Whistleblowing Country Manager or assigned personnel, needs to provide follow-up communication to the Notifier within 90 days since the report was submitted, even if the case is not concluded within that time frame.

  • Depending on the severity, the Whistleblowing Country Manager or relevant Board of Directors will consider contacting the local National Authority for Investigation and Prosecution of Economic and Environmental Crime.
  • Appropriate measures should be taken (mitigation or/and prevention regarding future similar cases).


7. Documentation requirements

All activities related to the case must be documented. Necessary documentation must be gathered by the case handlers or the Board of the Visma company (when applicable) who shall document everything during the process.

All documentation shall be stored on the Whislelink platform which allows tracking all changes made in relation to a report (e.g. document added, messages sent, etc.)

Even though the whistleblowing reports can be exported from the platform in a pdf format, we don’t recommend doing so, because we lose track of changes and progress in handling them.

Personnel data will be processed in accordance with the Visma Privacy Statement.

8. User access and management on Whistlelink

The whistleblowing platform has four types of users: owner, administrator, case handler and viewer.

For safety reasons, there are only two users that have elevated rights: the Whistlelink  Administrator and the Intake Management Service.

Permanent access on the platform is provided only for the Whistleblowing Country Managers, while any temporary access (e.g. viewing rights) shall be requested by them to the Whistlelink Administrator who will add and remove user access as per an as-needed basis.

The Whistlelink Administrator shall be contacted at whistlelink.admin@visma.com who will resolve the request in one business day.

9. Onboarding new companies

For onboarding companies the Whistlelink Administrator needs the following info: country, company size, whether they are financially regulated (running under a license).

Drag
Request access