Services · Quality Management
If you need to become NIS2-compliant, implement the EU AI Act, or simply deliver reproducible quality, you need systemic quality management. Approval processes, KPI frameworks, risk management. We work to CMMI methodology — methodical depth applied in practice.
Management · Owner
Poor quality costs measurably: rework, reputation damage, NIS2 audit findings, EU AI Act sanctions. A solid QM system is the cost insurance against these effects. Our QM maturity assessment (pricing on request) delivers a maturity diagnosis across five dimensions in 2–3 weeks, with a prioritized roadmap and an explicit separation of quick wins and multi-year investments. Not an ISO manual — a steering instrument.
Department head · Business unit
We deliver a risk register per ISO 31000 — operationally maintainable in Dataverse, with probability of occurrence, severity, evaluation history, and owner assignment per risk. Plus an NIS2 control matrix and an EU AI Act compliance module as integrated components, not as a parallel compliance world. Audit-proof toward external parties, livable for your operational teams.
IT leadership · CIO · Solution Architect
We implement CMMI-based quality gates per sprint and release, DORA metrics (deployment frequency, lead time, change-failure rate, MTTR) live in Azure DevOps or GitHub, approval workflows in Power Automate, KPI dashboards in Power BI. Microsoft-native process mining keeps you on a stack you already license. You work directly with an Internal CMMI Appraiser.
For Managing Directors · Quality as cost steering
In 2–3 weeks you get a maturity report across five dimensions — process maturity, risk management, data quality, supplier and management accountability. With Level-1-to-5 scoring per CMMI, interview-based data collection, and an explicit split into quick wins, medium-term, and multi-year roadmap. Afterward, you know what magnitude of QM investment is realistic over the next three years. Pricing on request.
For department heads · ISO 31000 risk matrix
Deliverable: risk register in Dataverse (not in an Excel list), with probability of occurrence, severity, evaluation history, owner assignment, and action tracking. Integrated modules for NIS2, EU AI Act, DORA, and BSI baseline protection — one control matrix, one reporting status. Audit-proof toward external auditors, operationally maintainable by your business units.
For IT leadership · CMMI, DORA, and quality gates
Topics for the architecture conversation: DORA metrics implementation in Azure DevOps or GitHub (deployment frequency, lead time, change-failure rate, MTTR), CMMI-based quality gates per sprint and release, approval workflows in Power Automate, KPI dashboards in Power BI, risk register in Dataverse, process mining with the Microsoft stack. Direct work with CMMI-methodology depth.
Why arades GmbH
There are plenty of quality-management consultancies — most sell ISO 9001 manuals and audit prep. We build the system that prevents problems, not the clipboard that records them.
We work to certified CMMI methodology — the maturity model is not quoted from a whitepaper, it is actively applied. Maturity assessments, appraisal methodology, methodical conversations with your teams: all firsthand, not from a training script.
Approval workflows in Power Automate, KPI dashboards in Power BI, risk register in Dataverse, and process mining with Microsoft tools you already license. You get a QM system that fits into your existing Microsoft landscape — no additional platform, no additional license, no clipboard.
NIS2, EU AI Act, ISO 31000, BSI baseline protection: all embedded as modules in the QM framework, not run as a parallel compliance world. One control matrix, one risk register, one reporting status — auditable from the outside, livable from the inside.
Section 1 · Assessment & Strategy
Before we overhaul processes, we calibrate the starting point. Maturity assessment across five dimensions, risk inventory along ISO 31000 and NIS2 — both deliver the data foundation for targeted follow-up investments rather than fireworks.
Pricing on request (SMB · mid-market · net)
Maturity evaluation of your organization across five dimensions — process maturity, risk management, data quality, supplier and management accountability. CMMI-based, in 2–3 weeks, with a written report and roadmap recommendation.
Pricing on request (net)
Risk-management system per ISO 31000, mapped to NIS2 and BSI baseline protection. You get an initially populated risk register with identified risks, evaluations, owners, and actions — not an empty template.
Section 2 · Processes & Controls
Where the maturity assessment and risk register deliver the diagnosis, this section builds the operational mechanics: quality gates that run in Power Automate; KPI frameworks that become visible in Power BI; process mining that shows the actual processes, not the idealized ones.
Documented process map with clear responsibilities, quality-gate criteria, and escalation paths. Implementation as Power Automate workflows with audit trail, connected to Teams, Outlook, and Dataverse.
Structured KPI system with 8–15 KPIs, separated into lead and lag indicators. Visualization in Power BI dashboards, including DORA metrics (deployment frequency, lead time, MTTR, change-failure rate) for engineering-oriented teams.
Process mining as a Microsoft-native implementation — via Power Automate Process Mining, Power BI, and Fabric. You see the actual process flows, bottlenecks, and deviations from the target model on a stack you already license.
Section 3 · Ongoing support
A QM system does not live on a one-time build — it lives on rhythm. Instead of setting up a project every year, we take over the ongoing QM work as a flat rate: same point of contact, same methodical state, same report.
Ongoing QM support as a fixed-price flat rate. You have a dedicated point of contact, an aligned methodical state, and a recurring rhythm of reports, workshops, and audit prep. No hour counter, no hidden surcharges.
Practical note: QMaaS works best from the second year onward — once the maturity assessment, risk management, and KPI framework are in place. In the first year, a build-up project usually makes more sense. We clarify the sequence in the initial conversation.
Section 4 · Quality Engineering (cross-reference)
Where the QM system builds the structures, our engineering team handles the technical quality implementation in software delivery. Test automation, Power Platform testing, AI-supported test-case generation — the bridge between QM theory and code reality.
End-to-end test automation for Dynamics 365 customizations and integrations — as part of the QM framework's quality gates.
Structured testing of Power Apps solutions, Power Automate flows, and Dataverse extensions — with versioning and CI/CD integration.
Test-case generation from requirements and user stories via LLM pipelines. More coverage, less clicking, documentable in the QM system.
Frequently asked questions
Quality Assurance (QA) is reactive: it finds problems after they occur — typically through tests, reviews, or audits at the end of a delivery. Quality Management (QM) is systemic and preventive: it builds structures, processes, and controls so that problems do not arise in the first place — via approval gates, documented responsibilities, risk registers, and continuous KPI steering. QA is a tool. QM is the system that puts the right tools in the right places.
Not necessarily — and for many mid-sized companies the answer is: no. ISO 9001 makes sense if you have to be certified as a supplier (automotive, medical devices, public tenders) or if your business requires auditable process maturity. If the lever lies in operational stability, NIS2 compliance, or reproducible delivery quality, a CMMI-based QM framework without certification obligation is typically more efficient — the methodology runs deeper and the bureaucracy is lower. We always clarify the goal first.
Among other things, NIS2 requires documented risk management, incident-reporting channels, supply-chain risks, and management-board accountability — all building blocks already present in a proper QM framework. We build the risk-management module per ISO 31000 and map the NIS2 obligations directly onto the controls and reporting structures. Instead of maintaining two parallel worlds (a compliance folder and a QM folder), NIS2 becomes an integrated part of the QM system. That saves effort and makes audits verifiable. More on this on the Compliance & NIS2 page.
Yes — and better than many classic QM approaches suggest. Since version 2.0, CMMI has been explicitly agnostic to the delivery method: it describes what a mature organization does, not how it iterates. Approval gates become Definition-of-Done criteria, KPI frameworks integrate DORA metrics (deployment frequency, lead time, MTTR, change-failure rate), and Power Automate workflows replace ISO clipboards. We have built several frameworks for teams using Scrum or Kanban — the methodology adapts, not the team.
CMMI (Capability Maturity Model Integration) is a maturity model from the CMMI Institute (now ISACA) that describes what an organization must achieve across disciplines such as development, service delivery, supplier management, and data management at five maturity levels. We work to certified CMMI methodology — and use the model as the methodical foundation for our QM assessments. You do not need CMMI as a certification, but you benefit from the methodical depth: the maturity assessment measures your organization against a proven, internationally recognized grid — not against a homemade checklist.
Related topics
QM is never alone — typical follow-on and parallel topics from our engagements.
NIS2 implementation as a standalone engagement — incident-reporting channels, supply-chain risks, management-board accountability. Tightly interlocked with the risk-management module.
EU AI Act, AI risk management, governance structures for generative AI in business processes. Integrated into the QM framework as an additional risk cluster.
Technical quality implementation in software delivery: test automation, Power Platform testing, AI-supported test-case generation. The operational bridge between QM system and code reality.
To take away · two materials
Two depths for different reading needs. The factsheet is quick reference (3–5 min) and immediately downloadable. The whitepaper is market education with methodology and comparison data (15–30 min) — you receive it by email after a short request.
3–5 min reading time · direct download · no form
Compact overview: scope, key figures, pricing model, approach — ideal for forwarding to CFO, procurement, or business unit.
15–30 min reading time · by email on request
Methodology, comparison data, recommendation framework — material for internal argumentation toward stakeholders.
QM maturity assessment
30-min initial conversation — we clarify whether a maturity assessment, a risk-management framework, or ongoing QMaaS support is the right entry. You receive a concrete recommendation, typically promptly.
