In his leadership book Russell Rules, NBA Hall of Famer Bill Russell described a key aspect of his unequaled success on the basketball court: the merging of the “horizontal game” and the “vertical game.”

Russell explained how the two “games” could be integrated, especially when playing defense, to “always be in a position to determine where the ball was and where it was going.” For Russell and the Boston Celtics, this led to a record 11 NBA championships in 13 seasons, a feat not likely to be equaled or surpassed.

How can these concepts, which resulted in resounding success on the hardwood, be applied to the world of third-party compliance? Admittedly, it is unlikely that many corporate compliance functions are staffed by imposing, 6’9” team members with preternatural shot-blocking ability. However, Russell’s insights on the merging of the horizontal and vertical games can be effectively applied to the notions of vertical and horizontal risk analysis in the third-party compliance process.

In our context, vertical risk analysis comprises the confirmatory assessment performed on a single third-party intermediary. Broadly speaking, this involves authentication of the third party’s ownership and registration, verification and understanding of business activities, consideration of business rationale, and screening against various sanctions and law enforcement lists. On the other hand, horizontal risk analysis evaluates third-party intermediaries in the context of myriad strategic and operational factors such as: the company’s existing third-party population, unique jurisdictional risks, and industry regulatory, enforcement, and social trends, such as ESG and labor mandates.

To view these concepts in action, consider the following case study in which horizontal risk analysis could have been employed to great effect.

Operation Resonance Case Study

In July 2018, Brazilian authorities arrested the then CEO of General Electric in Latin America, Daurio Speranzini Jr, alleging that he had taken part in a healthcare cartel while employed at Philips Medical Systems, a Dutch medical device manufacturer. Speranzini’s arrest was part of a corruption investigation dubbed “Operation Resonance,” which alleged that a cartel was formed by at least 33 companies acting as third-party distributors, including multiple front companies, to steer contracts to members of the group over the course of more than 20 years. According to a Reuters’ report, several other prominent multinational medical device firms have been questioned in connection to the probe, which appears to remain ongoing.

Although one could build out multiple case studies analyzing the root cause of the alleged wrongdoing and how it could have been prevented, let us consider one point in particular: 33 companies, including several front companies, formed the alleged cartel. These companies appear to all be located in the same state and were used as third-party distributors by Philips and potentially other multinational medical device manufacturers as well. Thus, it is reasonable to assume that each company underwent some form of due diligence or compliance risk analysis performed by their multinational partners.

Taken individually, a vertical risk analysis on each of these 33 companies likely may not have revealed any risk-relevant information. Indeed, this analysis probably confirmed the various companies’ business operations, validated their registrations, and corroborated the lack of sanctions or denied parties risks. From this perspective, it is difficult to blame the offending multinationals for partnering with these companies.

How might a horizontal risk analysis have been integrated with the vertical analysis? One possible analytical approach would include checking for any overlapping shareholders, addresses, email addresses, or phone numbers between any of the companies. Given that Brazilian prosecutors alleged that several companies were “mere front companies,” there may have been connections that were not identified.

Moreover, an enterprising and empowered compliance officer, drawing on industry and regional knowledge, may have questioned the high concentration of third parties in such a small geographic area, especially in a high-risk jurisdiction like Brazil. Furthermore, an understanding of Brazilian enforcement trends, most notably the sprawling Operation Car Wash investigation, might have caused someone in compliance to pause and search for additional data on the companies. Ideally, this would have spurred further discussions with commercial team members, yielding additional information as to why the partnerships with so many third parties were necessary and the business rationale for the unusual geographic concentration.

Ultimately, this brief case study is not presented as a condemnation of the compliance practices of the alleged offenders, but rather it represents a relevant and ongoing example of the potential benefits of integrating vertical and horizontal risk analysis throughout the third-party compliance process.

Concrete Steps to Merge Vertical and Horizontal Risk

Having defined the relevance of practical vertical and horizontal risk analysis, what now? How can compliance functions effectively integrate these considerations into their existing third-party compliance process? What tools might be utilized? For Bill Russell, it was preparation, an innate sense of timing, and being really, really tall. For the modern-day compliance function, these tools include technology that enables relationship mapping, hiring team members with deep regional expertise, and communication with commercial teams.

1. Tap into Technology

The growth of technologies such as machine learning and big data analytics are a boon for the modern-day compliance function. Compliance teams can utilize these resources to conduct relationship mapping to identify potential overlaps between third-party intermediaries. If left to manual processes, key connections between third parties, such as shared email addresses or telephone numbers, may go unnoticed. Properly implemented, technology can illuminate potential third-party networks and provide additional visibility for regional compliance teams.

2. Hire Employees with Regional Expertise

Individuals with regional expertise are critical for compliance teams in companies operating internationally. A nuanced understanding of regional and country-specific enforcement trends is essential to effective horizontal risk analysis. It may be challenging to hire and retain qualified individuals, however proactive compliance functions can promote the continued development of regional expertise through training, webinars, and site visits. Compliance functions should look for candidates with educational backgrounds in international business and highly value those with in-country experience.

3. Enhance Communication with Commercial Teams

For compliance teams to successfully integrate horizontal risk analysis, they must reach outside of their own function and collaborate closely with regional and country commercial teams. They often have the on-the-ground knowledge that compliance teams at headquarters might not have. Commercial teams are usually familiar with local industry players and would be able to contribute to and help sharpen any horizontal risk analysis. They also provide the business rationale for working with individual third parties, which has been a focus of recent DOJ guidance.


Unlike Bill Russell, compliance teams won’t receive any trophies, have their names etched in the record books, and win the applause of adoring fans for mastering the integration of the horizontal and vertical games. Nonetheless, compliance teams and the corporate boards that support them can take solace in the knowledge that integration of vertical and horizontal risk analysis is key for an effective third-party compliance program, and thus benefits all stakeholders in the process.

Get in touch today and discover how we can support your third-party risk management with custom solutions to suit your company’s unique business needs.

Click to download the PDF.

Applying Horizontal Risk Analysis to Third-Party Compliance

About the Author

Paul Hoffer is a life sciences compliance expert, supporting clients with strategic advice related to the development and maintenance of global compliance programs. As the lead on TDI’s life sciences consulting projects, Mr. Hoffer has significant experience with anti-bribery and corruption (ABAC) compliance, due diligence, third-party risk monitoring, and the analytics solutions used to support regulatory compliance.  Prior to this, Mr. Hoffer was embedded as an onsite consultant for a major US-based medical device manufacturer.