2021/11/26 12:51:08

How X5 Group automated the process of managing the anti-fraud and anti-corruption function using the BPM platform

X5 Group has developed an information system that is based on the Camunda BPM platform and automates the processes of managing anti-fraud and anti-corruption activity within the company. The product owner, Gleb Kataev, and Mstislav Martynyuk, CEO of "Reunico" (the project contractor), talk about the business goals of the project, its implementation and the features of the IT solution.

Our unit is engaged in combating fraud and corruption

Let’s first specify the initial situation and emphasize the key problems that preceded the system implementation.

GLEB KATAEV: Just before the start of the project, a fairly standard and simple set of tools was used to manage the processes in question - e-mail, internal regulatory documentation, a highly specialized accounting system once built on top of MS SharePoint, and task trackers of a kind. I select these products among others, because being integrated they could form the basis for building the system we just required. They contained functions of managing documents, their accounting and transfer from employee to employee, as well as tools for information search and retrieval. But they were being developed sporadically, according to the well-known format of "patchwork" automation. It wasn’t possible to build a really effective solution with their help.

The problems we faced were quite traditional for a department that uses basic tools for in-house automation. "Manual" process management previously dominated at all levels. Tools for monitoring staff members' activity and managing the life cycle of various tasks were absent as well. We had to work in four independent highly specialized systems with a good deal of functional flaws, which caused great inconvenience to users and made the management process extremely problematic. A unified view of historical data was also difficult to provide, which in turn compromised the quality of reporting. In short, we had quite typical problems of basic automation, which prevented us from solving specific tasks. And what basic tools prevent us from doing in any way is to build a complex role model, which distinguishes access to information by business rules and takes the load off the end user’s mind. But we just needed all that.

What goals did you pursue in implementing this system? What particular business functions does it automate?

GLEB KATAEV: Our unit is engaged in combating fraud and corruption, but let us first define what we mean by these terms. Within the Economic Security Department of X5 Group Corporate Security we do not engage in direct embezzlement at our facilities, whether they are shops or distribution centers. This is to be monitored by other units. Our activities are aimed at identification and prevention of illegal enrichment of employees through organization, direct, potential, or indirect damage to it, exposing various corruption schemes, etc. These may be price collusions, falsification of documentation, lobbying for counterparties, receiving "kickbacks" for services, actually creating their shadow business within X5 and similar mechanisms that may occur when the purpose of personal enrichment is set at the expense of the resources and authority of X5 Group and which can lead to direct, potential or deferred financial and other types of damage.

Our activities can be defined as the internal service that we provide to X5 Group and which should have certain quality characteristics. And we can’t provide quality without high technology approaches in information processing, without ensuring the integrity, cleanliness and preservation of unstructured data and various methods and tools functioning within the framework of efficient, transparent and managed processes. Plus, of course, it is necessary to provide the quick reaction and performance of the execution of our services (per year we conduct hundreds of investigations, within which tens of thousands of information requests are processed) without losing their effectiveness. While we already established the information processing rules and a set of tools, the process management itself had flaws and required high-quality development and modernization.

The system that we implemented helps us solve a number of problems. It is important to emphasize here that our system is not a direct tool for preventing company rules violations. The main goal of implementing the system was to create a solution that ensures convenient, prompt, effective and controlled end-to-end interaction of departments that are involved in countering fraud and corruption in the company. Now it supports more than 20 unique processes in several units of the X5 Group Corporate Security, involved in the implementation of this function. The exact number of divisions is difficult to name, since there is both organizational and functional subordination in the company. That is, if we are talking about the Economic Security Department, we supervise the economic security of all retail chains, business units and the managing company itself. There are also related Corporate Security units, such as the department of information and analytical activities, involved in this activity.

The objective function of Camunda BPM is just the business processes automation and decision making support

MSTISLAV MARTYNYUK: On behalf of the project contractor, I note that the customer's setting of business goals (which, of course, are the main ones) always involves a number of non-functional requirements and restrictions, that may not be directly related to business goals, but should be taken into account. And in this sense they have a serious impact on the architecture of the system and the composition of the project. For example, one of the key requirements for the system was the organization of its components in context of the customer's business units with the ability to independently manage the lifecycle of each component. This requirement (along with the reliability and scalability requirements of the solution) predetermined the choice of a microservice architecture. It was also necessary to develop a map of business processes and identify a diagram of information flows, take care of the integration layer and administration tools. Without setting such tasks and solving them, we may fail to achieve business goals of the project.

How do you choose a particular IT-solution?

GLEB KATAEV: The well-known research company Gartner divides corporate systems into three categories, and our choice was based on this classification. On the lower layer there are systems, which usually solve the problems most commercial enterprises face. Gartner calls them Systems of Records. This includes, say, ERP or CRM class systems. They do not provide special competitive advantages and specialized functions, but they are well suited for solving standard tasks and maintaining a certain standard level of efficiency and quality of work. Such tools are not suitable for us at least because of the specificity of our tasks.

On the upper layer there are innovative products that, on the contrary, can provide high competitiveness to the business. At the same time, they are focused on supporting fundamentally new business ideas and their implementation is associated with high risks. This is also not our cup of tea.

Between these layers lies the so-called Systems of Differentiations stratum, designed to automate either advanced business ideas, or unique processes which are not covered by systems of the first category. All this is much closer to our situation. BPM systems are now mostly associated just with Systems of Differentiations. Or, when it comes to strong customization for business processes, more with the so-called BPM engines. So we came to the conclusion that it is advisable to implement a product of this class, the choice of which was based on the TCO indicator, competitive advantages and the complexity of support and development.

MSTISLAV MARTYNYUK: The objective function of Camunda BPM is just the business processes automation and decision making support. This solution was previously positioned as a BPM system, now promoted as a platform, a BPM engine focused on building extremely flexible customized solutions. It cannot be said that this system ideally "falls" on the client processes out of the box. Perhaps this is not its main advantage, and a certain work goes to the developer. But we definitely win in terms of flexibility and have not yet faced a situation where we lack functional or architectural capabilities.

Let’s talk a little bit more about the process automation in the context of this project, since we are just investigating the implementation of a system for which this is a key focus in terms of its functionality ...

GLEB KATAEV: I cannot disclose details of the processes themselves (who is doing what, and how he is doing that) due to the confidentiality of this information, so I will comment more in the general terms. As part of the investigation, we (Economic Security Department) use some internal services delivered by one or another unit of X5 Group Corporate Security. First of all, in order to minimize other business department disturbances, we work with information, which, as a rule, is the result of some previous research, or with data sets from internal or external information systems. To get this information, we, as employees conducting the investigation, have to formulate requests correctly. Then, depending on their type, we must coordinate our joint activity, monitor the time and quality parameters of its fulfilment. In some cases we also must clarify some details with an authorized employee and link the results of the processing with that investigation. After the investigation is complete, it is necessary to agree on its results, inform the persons concerned, and monitor the implementation of the measures proposed as a result of the investigations. All this forms the process that is currently implemented in Camunda.

In spite of the unique landscape of every business, the question of IT-system replication often arises. Can we talk about this in relation to the solution you have implemented?

GLEB KATAEV: If we are talking about outside rollout, it is difficult to replicate unconditionally, but this is not primarily due to the IT solution’s limitations. It's the matter of the uniqueness of the Company's organizational structure and processes. For example, you no longer need to come up with processes from scratch, invent methods for improving analytics necessary to combat fraud and corruption. Having an out-of-the-box solution, you can leverage all that to further develop an effective structure of the business unit and this will be much more effective. If we are talking about internal replication, then there are no problems at all. If, say, X5 Group buys any business tomorrow, then it will be necessary to determine whether we migrate them to our processes or leave the practice adopted in this company. If we migrate, then the replication scheme I just talked about will be optimal.

MSTISLAV MARTYNYUK: During the project, we just had a non-functional requirement regarding the possibility of extrapolating the solution into new business units. Due to a number of architectural techniques, we took this requirement into account.

If employees work closely with systems that automate certain business processes, those systems are often used to evaluate the quality of their work. This, of course, is not the main focus of such IT solutions, but one can still talk about such a side of their use...

GLEB KATAEV: Yes, we have implemented and use our system for similar purposes as well. Moreover, the assessment can be done both qualitatively and quantitatively. It is possible, for example, to determine if the Economic Security Department officer made certain information requests through the investigation, that present an objective picture of the subject of the investigation and provide comprehensive evidence for confirming its results. It is also possible to establish rules that limit the scope of the request if the employee has not yet completed the mandatory activity required by internal regulations. All this minimizes the risk of superficial and biased investigation, or vice versa, excessive waste of resources to process redundant requests.

Quantitative estimates are also obtained without any problems. How many investigations a staff member had conducted, what work he was involved in, what damage he was able to prevent, how his activities today differ from those of the previous period, as well as in comparison with the work of his colleagues - all these parameters must be obtained together and an integrated analysis should be carried out. Only in this way can we have all the things at our fingertips, and here again we cannot do without the IT support facing these problems.

In order for the IT-system deployment to have a tangible effect in the company, the necessary information has to be obtained and right information flows should be established. And so, IT integration is supposed to be a key area of project implementation…

GLEB KATAEV: Of course, as I just said, a significant part of our work is related to requests for certain data. In order to start this work, you at least need to know what information sources are available to us, and what data can be taken from them. Our system has some kind of directory of information "services" and in most cases the information required during investigations is presented in this directory.

If we talk about non-functional requests, the results of which are not explicitly used in investigations, today we, for example, have integration with SAP HR, with Active Directory and master data management system IBM MDM. Certain data from the ERP system can be queried as well. A gateway to an external system Spark Interfax is also used. From that system, if necessary, we receive information about companies that are not our counterparties.

MSTISLAV MARTYNYUK: Integration is probably a separate technical task for the contractor in each serious IT project and our project, of course, is no exception. For this to be done in relation to some of the above mentioned systems, we, in cooperation with the X5 Group team, developed special adapters. Synchronous mechanisms based on REST API were used to interact with external IT resources. For internal integration, we have largely used the resources of Apache Kafka, which today is actually the standard for information exchange between systems by means of asynchronous messages.

As we already mentioned, it was also important to organize joint work technologically. What basic points could you highlight in this regard?

MSTISLAV MARTYNYUK: First of all, we were counting on remote collaboration, which, as we believe, is effective for a number of reasons, all the more so during the peak period of the pandemic, on which our project largely fell. Fortunately, tools in the X5 Group IT-landscape allowed us to do this. We are also consciously focusing on the DevSecOps methodology (close interactions between developers, support team and business professionals) and apply flexible software development methodologies (Agile, Scrum). I also want to make a point that many functions of the system we implemented as microservices, and although this is, in fact, an architectural concept, it clearly affects the operational processes of managing the project in the making.

To organize a wide range of tasks of operational project management and collaboration - from informal communication and requirements management to source code management, we used various and well-known tools: Microsoft Teams, Confluence, GitLab, SonarQube. In general, the management of this project was very rich both from the methodological side and from the point of view of programming technologies. But this does not seem excessive or eclectic to us. In our case, this definitely increased the efficiency of our work. And once again, remembering the pandemic still experienced by all of us, and given that the Time-To-Market indicator was one of the most important for our customer, it would be difficult for us to get along without this arsenal.

How could we summarize the key results of a BPM-based system implementation?

GLEB KATAEV: Our processes have been optimized, have become traceable for all involved divisions and are absolutely transparent for both internal users and auditors. All units of Corporate Security that are engaged in combating fraud and corruption now work in a unified information environment, which in turn directly affects the qualitative indicator of our overall work. Now we have a digital repository of our materials, which can be used as an internal knowledge base. It was also possible to implement a complex role model and delineate the authorization of access to data. In fact, the pros are countless, but I mentioned only those, which primarily concern business processes.

We also brought data management in our company to a new level. More specifically, we got rid of the need to "manually" search and enter (sometimes very often) data. It was possible to improve the quality of information - we ensured its completeness, saturation and at the same time eliminated duplication, while maintaining confidentiality. The daily work of employees is now carried out through a unified user-friendly interface. The present solution left tools used earlier far behind, both in terms of functionality and usability.

And finally, we can talk about benefits that are directly expressed in business terms. We obviously got rid of unnecessary bureaucracy, ensured the completeness and cleanliness of data, accelerated the execution of all user processes. Despite the rapid growth of the company, it was possible to cope with the increased work volume with the same number of employees of the X5 Group Corporate Security. Well, one of the most important advantages is flexibility. The company continues to grow rapidly, new business units appear, and the system allows you to scale processes into new divisions and develop processes.

The special emphasis on the flexibility of the system is probably connected with the prospects for its further development...

GLEB KATAEV: Naturally, we decided not to limit ourselves to one, albeit such a large-scale area as the function of combating fraud and corruption. Our efforts were also aimed at automating other areas of X5 Group Corporate Security. Quite recently, we launched a module for managing the function of operational duty officers who record and process all possible incidents at the company's facilities (stores, distribution centers, offices). It can be any event - from a power outage in the store, a conflict situation and the detection of a fake bill, to the suspension of the facility, fire incident, etc. As you understand, considering the scale of the X5 Group (more than 18 thousand objects), there are quite a lot of such incidents processed. You can't process all of them without automation. Moreover, if we are talking about a high-quality component and compliance with some internal SLA. The developed solution fully covers the demand of the internal customer in terms of automation, reduction of human effort for incident processing, completeness of data, simplicity and manageability of the process for end users, as well as control function and analytical capabilities.

Several less global services that provide process control both for fire fighting departments and physical safety units, are now at the launch stage. A module for automated processing of information security incidents concerned with trade secrets protection is under development. According to feedback from units previously involved in the investigation of such incidents, the optimization of this process has already reduced their workload by 30-40% depending on the region of presence. This, in turn, allows them to focus on other areas of their activities. All this is being implemented as individual services in the framework of our centralized solution. Automation of a number of processes is also in the cards for this and next year. We are talking about both the internal processes of the Corporate Security and the processes in which we are a participant along with other business divisions of the Company.

A separate vector of the project and, accordingly, the next phase of qualitative development of automation functions is largely associated with the development of business analytics. Now the well-known concept of Data-Driven Decisions, or decision-making based on data, is quite relevant for us. It is important to see where there are more violations, what particular types of violations are most common, where it's necessary to tighten up control procedures, where to adjust the process, and where to focus our efforts in the future. Based on this information, it is possible to build up a kind of dynamic model and on its basis, in turn, to organize interaction with a number of related units to jointly develop a policy of risk mitigation.

There are also plans to make greater use of robotic process automation (RPA). In particular, to maintain our business performance with required quality, without increasing the number of employees and providing continuous growth of the company.

MSTISLAV MARTYNYUK: I will add that the predictive analytics model is largely supposed to be implemented by means of powerful BI systems. In particular, through the Tableau system already used in the X5 Group. And here Camunda BPM will have to demonstrate its rich integration capabilities.