DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/26/2021 has been entered.

Status of Claim
This action is in reply to the action filed on 26 of February 2021.
Claims 1 and 9 have been amended.
Claims 11 and 21-22 have been cancelled.
Claims 23-25 have been added.
Claims 1-10, 12-18 and 23-25 have been examined and stand rejected.

Response to Amendment/Argument
35 USC § 101
Applicant asserts that when the Office's interpretation of the law is applied to the facts of the case, the Office has ample basis to find that Claims 1-10 and 12-18 are not "directed to" an 
Applicant asserts that Claims 1-10 and 12-18 do not "set forth or describe" an abstract idea. The process is computer-implemented, receives data from computers, executes machine transformations, and outputs new data that did not previously exist, and therefore the claimed process and system provide improvements in computing technology that signal that they provide practical applications of computing technology and significantly more than the asserted abstract idea.  Examiner respectfully disagrees.  Examiner must consult the specification and determine whether the disclosed invention improves technology, and if so the claim must be evaluated to ensure the claim itself reflects the improvement in technology. The full scope of the claim under the BRI should be considered to determine if the claim reflects an improvement in technology (e.g., the improvement described in the specification). To show that the involvement of a computer assists in improving the technology, the claims must recite the details regarding how a computer aids the method, the extent to which the computer aids the method, or the significance of a 
Examiner notes the test under Alice is not a matter of evidence but rather a test of law. The question of patent eligibility under Alice rests on whether an abstract idea is contained in the claims and, if so, whether that abstract idea, when embodied on a computer, provides something more. A proper Alice rejection has been made in accordance with the October PEG 2019 as shown below, and thus the claims are ineligible.

35 USC § 103
Applicant asserts that the proposed Ghent-Barday combination fails to disclose, teach, or suggest at least the emphasized limitations of independent claims 1 and 9.  Examiner respectfully disagrees.  Examiner no longer relies on secondary reference Barday to teach the limitations, and has introduced the secondary references Akkiraju and Choudhari as necessitated by the new 

Claim Rejections 
35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10, 12-18 and 23-25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. 
When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, article of manufacture, or composition of matter.  If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea), and if so, it must additionally be determined whether the claim is a patent-eligible application of the exception. If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea. Alice Corporation Pty. Ltd. v. CLS Bank International, et al., 573 U.S. ____ (2014).  First, it is determined whether the claims are directed to a statutory category of invention. See MPEP 2106.03(II). 
The claims are then analyzed to determine if the claims are directed to a judicial exception. MPEP §2106.04(a). In determining, whether the claims are directed to a judicial exception, the 
With respect to 2A Prong 1, claim 9 recites “…receive…entity information from an entity…transmit…a SIG questionnaire to either one of the entity, the vendor, or the third party, said SIG questionnaire relating to the vendor, the entity, and a relationship between the vendor and the entity; receive, via…from the entity, vendor, or the third party, the SIG questionnaire populated with a SIG response result set; determine a set of controls applicable to both the entity and the vendor by processing the SIG questionnaire populated with the SIG response result set using a control-questionnaire relationship map, wherein: each control, included in the determined set of controls, is associated with predetermined number of evidence questions; and a subset of the plurality of evidence questions associated with a first control, included in the determined set of controls, is identical to a subset of the plurality of evidence questions associated with a second control, included in the determined set of controls…generate, using the determined set of controls, an evidence questionnaire specific to the vendor subsequent to the SIG questionnaire populated with the SIG response result set, said evidence questionnaire comprising the predetermined number of evidence questions associated with each of the determined set of controls for the vendor, wherein using the determined set of controls (1) eliminates sending irrelevant evidence questions to the vendor, (2) reduces a turnaround time for receipt of responses from the vendor to the evidence questionnaire…maintain an evidence questionnaire relationship map, said evidence questionnaire relationship map associating each evidence question, included in the predetermined 
More specifically, claims 1 and 9 are directed to “Certain Methods Of Organizing Human Activity”, specifically “commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations)” and “Mental Processes”, specifically “concepts performed in the human mind (including an observation, evaluation, judgment, opinion)” as discussed in MPEP §2106.04(a)(2), and in the 2019-01-08 Revised Patent Subject Matter Eligibility Guidance.  Accordingly, the claim recites an abstract idea. 

Under Prong Two of Step 2A of the Alice/Mayo test, the examiner acknowledges that Claims 1 and 9 recite additional elements yet the additional element does not integrate the abstract idea into a practical application.  In order for the judicial exception to be “integrated into a practical application”, an additional element or a combination of additional elements in the claim “will apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception.” PEG, 84 Fed. Reg. 54 (Jan. 7, 2019). The courts have identified examples in which a judicial exception has not been integrated into a practical application when “an additional element does no more than generally link the use of a judicial exception to a particular technological environment or field of use.” PEG, 84 Fed. Reg. 55 (Jan. 7, 2019); MPEP § 2106.05(h). 
In particular, the claims 1 and 9 do recite additional elements “one or more processors”; “an entity information receiving module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to, via “a central dashboard”, “a standard information gathering ("SIG") module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to, “an evidence questionnaire module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to, “an updater module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to.    These are the controls module may include a processor. The processor may be configured to process the result set corresponding to the first set of queries. The processing may include using a query/control relationship map to determine a second set of queries; Central dashboard 202 may include a centralized software module for communicating with entities, vendors and/or third parties. Central dashboard 202 may enable communication between entities and vendors, entities and third parties and/or vendors and third parties. Central dashboard 202 may, on behalf of each entity, communicate and manage the entity's vendors and the relationships between each entity and its vendors. Central dashboard 202 may be coupled to a database. The database may store the information received at, and transmitted from, central dashboard 202. Central dashboard 202 may be shown as associated with entity 1 - 8, as shown at 204 – 218” associated with the specification.  
Accordingly, these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  The claims are directed to an abstract idea.  Further, claims 1 and 9 do not recite any additional elements beyond the abstract idea.  Further, additional elements for storing/receiving/retrieving/obtaining data/information such as “the central dashboard being configured to enable communication between the entity, a plurality of other entities, a vendor, or a third party; the received evidence questionnaire, and the updated evidence questionnaire relationship map; a database for storing” while “reducing an amount of bandwidth usage between the central dashboard and the entity”  do not amount to significantly more than the abstract idea because the elements reflect insignificant extra solution activities to the judicial exception (e.g., 
With respect to step 2B, claims 1 and 9 do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional element “one or more processors”; “an entity information receiving module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to, via “a central dashboard”, “a standard information gathering ("SIG") module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to, “an evidence questionnaire module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to, “an updater module” comprising one or more sequences of computer program instructions, which when executed by “the one or more processors”, cause “the one or more processors” to.  These are generic computer components recited as performing generic computer functions that are mere instructions to apply an exception, because it does no more than merely invoke computers or machinery as a tool to perform an existing process, as evidenced by at least ¶7, 67 disclosed above. Further, additional elements for storing/receiving/retrieving/obtaining data/information such as “the central dashboard being configured to enable communication between the entity, a plurality of other entities, a vendor, or a third party; the received evidence questionnaire, and the updated evidence questionnaire relationship map; a database for storing” while “reducing an amount of bandwidth usage between the central dashboard and the entity” do not amount to significantly 
As a result, claims 1 and 9 do not include additional elements, when recited alone or in combination, that amount to significantly more than the above-identified judicial exception (the abstract idea).  Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. Further, claims 1 and 9 do not recite any additional elements beyond the abstract idea.
Claims 2-8, 11-18, and 23-25 do not disclose additional elements, further narrowing the abstract ideas of the independent claims and thus not practically integrated under prong 2A as part of a practical application or under 2B not significantly more for the same reasons and rationale as above.   
After considering all claim elements, both individually and in combination, Examiner has determined that the claims are directed to the above abstract ideas and do not amount to significantly more.  Therefore, the claims and dependent claims are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.  See Alice Corporation Pty. Ltd. v. CLS Bank International, No. 13–298.

35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-10, 12-18, and 23-25 are rejected under 35 U.S.C. 103 as being obvious by the combination of US 20160134654 to Ghent (hereinafter referred to as “Ghent”) in view of US 201120116839 to Akkiraju et al. (hereinafter referred to as “Akkiraju”) and in further view of US 20170091787 to Choudhari (hereinafter referred to as “Choudhari”).


(A)	As per Claims 1 and 9: 
Specifically, Ghent expressly discloses the following:
by a computer system, receiving, via a central dashboard, entity information from an entity, the central dashboard being configured to enable communication between the entity, a plurality of other entities, a vendor, or a third party; (Ghent ¶31, 36, 47 the Third-Party Risk Management  (TPRM) data hub, comprised of dashboards and other GUI/reports, may take the form of a shared services model with a specific focus related to the most inefficient process related to the TPO risk management process, i.e., the third party questionnaire used to gather (receive) third party information used in risk management or analysis.  The bank 104, clients 108, and third parties 110 may include computing devices that are linked in a wired or wireless manner to the TPRM data hub (or a server(s) providing the TPRM data hub) 120 via a digital communication network(s) by using application programming interfaces (APIs), spreadsheet up/downloads, and graphical user interface (GUI) to include dashboard and reports).
by the computer system, transmitting, via the central dashboard, a standard information gathering ("SIG") questionnaire to either one of the entity, the vendor, or the third party, said SIG questionnaire relating to the vendor, the entity, and a relationship between the vendor and the entity, said SIG questionnaire being based in part on the entity information; (Ghent ¶32 the systems and methods taught in this description, such as the due diligence questionnaire solution (DDQS) process, permit a questionnaire workflow and centralized routing of third party-provided responses or third party risk management information. This leverages a “standard” or “protocol” due diligence questionnaire, which may be agreed to by a set of customers).
by the computer system, receiving, via the central dashboard, from the entity, the vendor, or the third party, the SIG questionnaire populated with a SIG response result set; (Ghent ¶55 the third parties 510 can access the third party database 550 to: (1) receive and respond to requests for third party information such by completing third party questionnaires provided by a TPRM data hub; (2) store and upload documentation, answers, and evidence).
wherein: each control, included in the determined set of controls, is associated with a predetermined number of evidence questions; (Ghent ¶38, 45 during operations of the system 100 and the TPRM data hub 120, the TPRM data hub 120 provides third party due diligence questionnaire protocol/standard (predetermined) workflow. The concept of a protocol related to third party questionnaires involves adhering parties (such as the bank 104 or other contracting parties (not shown in FIG. 1)) agreeing on a standard or base questionnaire for each type or level of criticality third party in the system 100 (e.g., a standard third party questionnaire may be created for each of a plurality of criticality levels each with differing sets of questions that need to be answered to populate a third party risk management database(s), which is made available to the bank 104 for third party risk management including risk analysis)). 
a subset of the plurality of evidence questions associated with a first control, included in the determined set of controls, is identical to a subset of the plurality of evidence questions associated with a second control, included in the determined set of controls; (Ghent ¶61 the TPRM data hub engine of the present description is configured to implement, in some embodiments, a due diligence questionnaire solution or “DDQS,” which allows efficient workflow related specifically to due diligence questionnaires that the third parties are asked to answer by their contracting parties/banks.  Third parties operate in a bilateral process with their contracting 
by the computer system, creating, using the determined set of controls, an evidence questionnaire for the vendor subsequent to the SIG questionnaire populated with the SIG response result set, said evidence questionnaire comprising the predetermined number of evidence questions associated with each of the determined set of controls, wherein using the determined set of controls (1) eliminates sending irrelevant evidence questions to the vendor, (2) reduces a turnaround time for receipt of responses from the vendor to the evidence questionnaire…; (Ghent ¶45, 59 the core engine 224 may act to manage creation and serving (and, in response, populating a third party risk management information database (the “golden” database)) questionnaires (e.g., a protocol/standard questionnaire for each criticality level/tier). Further, the core engine 224 may act to provide mapping of the questionnaires provided by the bank/clients 204 (or their functional entities 108) to the protocol questionnaire).  There are numerous benefits to third parties in using the TPRM data hub to provide their third party risk management information including: a centralized and efficient means to perform customer requests for information related to third party oversight; reduced due diligence burden and pressures; decreased cost and turnaround time; enhanced ability to properly document and archive responses to third party questionnaires; and ability to gain an additional competitive advantage by being one of the third parties included in the TPRM data hub (or list of participating third parties in the third party risk management system).
by the computer system, transmitting, via the central dashboard, the evidence questionnaire to the vendor; (Ghent ¶68, 72 the use of 3PINs is useful for creating a unique dataset, for providing strong data governance by utilizing IDs and forming processes around 
by the computer system, receiving, via the central dashboard, from the vendor, the evidence questionnaire populated with an evidence response set, said evidence response set comprising one or more of: one or more data elements; one or more pieces of evidence; or one or more documents; (Ghent ¶42, 70 the data hub collects, stores, updates, maintains, and provides access to vendor information (e.g., company name, financial profile, and stability) and external audit reports. The data hub also provides significant event notification and tracking. Also, as shown, the data hub 120 may be adapted to provide a due diligence questionnaire solution module or suite that builds and serves a protocol and delta questionnaire that may be served to third and fourth parties 110, 112 and answers received may be stored in the data).
by the computer system, updating an evidence questionnaire relationship map to include the received evidence response set, wherein updating the evidence questionnaire relationship map comprises: (Ghent ¶29, 32, 47 The third party risk management data hub further may function to provide customers access to the third party risk management information or to serve input information to the customers with a mapping of responses to questions/data requests provided by each of these customers.  The systems and methods taught in this description, such as the due diligence questionnaire solution (DDQS) process, permit a questionnaire workflow and centralized routing of third party-provided responses or third party risk management information. This leverages a “standard” or “protocol” due diligence questionnaire, which may be agreed to by 
deleting the predetermined number of evidence questions associated with each of the determined set of controls from the evidence questionnaire relationship map; (Ghent ¶50 the method or TPRM work flow 300 may be initiated at 312 with the TPRM data hub 310 notifying banks of the availability of a standard or protocol questionnaire for a type, tier, or criticality level of third party.  At 314, the banks (or other contracting entities) and/or SENT committee agree on and/or approve the questionnaire and its questions for each type/tier/criticality level of third parties (determined set of controls). Step 314 typically will be an iterative process where questions are modified, added, and/or deleted from an initial protocol third party questionnaire until a standard one is defined for use by the TPRM data hub 310).
mapping each response included in the evidence response set to one or more controls of the determined set of controls; (Ghent ¶42, 55 The TPRM data hub 120 may create and manage a centralized third party database, which can be a “golden” source for licenses, approved, and shared information (among two or more banks or contracting entities 104) related to the third parties 110 (and/or fourth parties 112) including questionnaires and responses and validated information. As shown, the data hub 120 may collect, store, update, maintain, and provide access to vendor information (e.g., company name, financial profile, and stability) and external audit reports. The data hub 120 may also provide significant event notification and tracking (or a “SENT” service)).
by the computer system, storing the received evidence response set from the vendor and the updated evidence questionnaire relationship map in a database for access by the entity, wherein the received evidence response set from the vendor is sharable by the entity, via the central dashboard, with a subset of the plurality of other entities associated with the same vendor; (Ghent ¶29, 55 the third party risk management data hub further may function to provide customers access to the third party risk management information or to serve input information to the customers with a mapping of responses (questionnaire relationship map) to questions/data requests provided by each of these customers (e.g., map base and delta questions and their answers to questions provided by each customer).  The banks 504 can access the third party database 550 to: (1) search for third party financial profile and risk information/documentation; (2) initiate a questionnaire, such as a due diligence questionnaire, for new third parties; (3) request access to third party information on the platform (managed by the TPRM data hub); (4) review third party risk documentation and alerts, and, in response, initiate and track remediation; and (5) request services from consultants and service providers. The third parties 510 can access the third party database 550 to: (1) receive and respond to requests for third party information such by completing third party questionnaires provided by a TPRM data hub; (2) store and upload documentation, answers, and evidence; (3) provide and/or confirm permission to select ones of the banks 504 or other clients (e.g., banks, custodians, buyside entities, and other financial institutions); and (4) update remediation status and/or perform remediation. 
The consultants and service providers 516 may access the third party database 550 to: (1) review and complete third party documentation; (2) provide independent risk scores; and (3) respond to requests for service (e.g., to provide various service offerings)).
by the computer system, using the updated evidence questionnaire relationship map to verify compliance of the vendor with the one or more controls of the determined set of controls; (Ghent ¶37, 40, 43 the TPRM data hub 120 provides a one-stop lifecycle shop that provides third party risk management data from the third parties 110, compliance and risk 
Although Ghent teaches a third party risk management (TPRM) data hub where the core engine acts to manage creation and serving of questionnaires (e.g., a protocol/standard questionnaire for each criticality level/tier), it does not expressly disclose determining a set of controls applicable to both parties before processing the populated SIG, and Akkiraju teaches: 
by the computer system, determining a set of controls applicable to both the entity and the vendor by processing the SIG questionnaire populated with the SIG response result set (Akkiraju ¶49 This output along with a generic ERM capability assessment survey questionnaire is inputted into the ERM capability assessment survey and analysis module 710, 711, which generates a tailored ERM capability 
It would be obvious to one of ordinary skill in the art at the time the claimed invention was filed to have modified Ghent’s TPRM data hub including the SENT module and staff and have this output along with a generic ERM capability assessment survey questionnaire inputted into the ERM capability assessment survey and analysis module 710, 711 of Akkiraju as both are analogous art which teach solutions increasing efficiencies in the due diligence questionnaire process by ensuring that the questionnaires are sent and responded to for the correct product/service as taught in Ghent ¶68, 72 and generate a tailored ERM capability assessment survey questionnaire that is distributed to the survey participants associated with the scoped business components within the client enterprise as taught in Akkiraju ¶49.
Although Ghent in view of Akkiraju teaches a third party risk management (TPRM) data hub where the core engine acts to manage creation and serving of questionnaires (e.g., a protocol/standard questionnaire for each criticality level/tier), it does not expressly disclose reducing an amount of bandwidth usage between the central dashboard and the entity, and Choudhari teaches: 
…(3) reduces an amount of bandwidth usage between the central dashboard and the entity; (Choudhari ¶22 the technical advantages of determining optimal responsiveness for accurate surveying may include, among others, an increased efficiency in application management. Additionally, processing and network bandwidth usage may be reduced and participant interaction may be improved by allowing the participants to receive fewer and more focused surveys)
It would be obvious to one of ordinary skill in the art at the time the claimed invention was filed to have modified Ghent in view of Akkiraju’s TPRM data hub including the SENT module and have the technical advantages of determining optimal responsiveness for accurate 

(B)	As per Claims 2 and 12: 
Specifically, Ghent expressly discloses the following:
wherein the evidence questionnaire is agnostic to which questions, included in the evidence questionnaire, is associated with which controls; (Ghent ¶62 The TPRM data hub is typically configured to be platform agnostic so as to provide data to any and all existing Governance, Risk, and Compliance (GRC) platforms via APIs and feeds).

(C)	As per Claims 3 and 13: 
Specifically, Ghent expressly discloses the following:
wherein the one or more data elements, the one or more pieces of evidence, or the one or more documents are mapped to the determined set of controls; (Ghent ¶40 additionally, the TPRM data hub 120 may be configured to offer mapping of questions in the TPRM data hub's standard questionnaire(s) to a present set of questions defined by a bank 104 or one of its sub-entities/functional client elements 108 (e.g., a bank 104 may have a set of third party questionnaires for each tier of its third parties (each level of criticality of its third parties)).

(D)	As per Claims 4 and 14: 
Specifically, Ghent expressly discloses the following:
wherein the received entity information is static over a predetermined time for a predetermined entity; (Ghent ¶56, 72 the TPRM data hub may operate to automatically generate and transmit periodic (e.g., annual) refresh data requests to the third parties to update their 3PIN registrations (or data in the 3PIN database)).

(E)	As per Claims 5 and 15: 
Specifically, Ghent expressly discloses the following:
transmitting a plurality of SIG questionnaires, each of the SIG questionnaires being associated with one of a plurality of vendors, one of a plurality of entities, or one of a plurality of third parties; (Ghent ¶29, 32 the third party risk management data hub provides a central repository or database (e.g., via a central server(s)) that is used to store standard (or base) third party questionnaires as well as modified questionnaires that include additional delta question sets, to serve the questionnaires to gather third party risk management information, and to store responses to these questionnaires by third parties (e.g., to store third party risk management information or to populate the third party information database with third party-provided responses) and  the due diligence questionnaire solution (DDQS) process, permit a questionnaire workflow and centralized routing of third party-provided responses or third party risk management information. This leverages a “standard” or “protocol” due diligence questionnaire, which may be agreed to by a set of customers).
receiving the SIG questionnaires, each of the SIG questionnaires being populated with a SIG response result set; (Ghent ¶55 the third parties 510 can access the third party database 
processing each of the SIG questionnaires; for each SIG questionnaire, determining a set of controls applicable to both the entity and the vendor; (Ghent ¶40 the TPRM data hub 120 may be configured to offer mapping of questions in the TPRM data hub's standard questionnaire(s) to a present set of questions defined by a bank 104 or one of its sub-entities/functional client elements 108 (e.g., a bank 104 may have a set of third party questionnaires for each tier of its third parties (each level of criticality of its third parties))).
in response to determining a set of controls, creating an entity-specific and vendor-specific evidence questionnaire for each vendor of the plurality of vendors; (Ghent ¶79 As long as the standard questionnaire is completed by third parties, efficiencies (e.g., time and cost for questionnaire completion) will then only be driven by completion of delta questions presented by one or more of the banks/contracting entities. Bank-specific questionnaires can be created from the standard questionnaire and continued workflow functionality can be built upon third party answers).
for each vendor of the plurality of vendors, transmitting the entity-specific and vendor-specific questionnaire to the vendor that is specified on the entity-specific and vendor-specific questionnaire; (Ghent ¶56 a bank may determine it has a need for a third party or need for a third party relationship to obtain a service or product. The bank may then search at 614 for an existing third party such as by service type.  At 634, the third party communicates with the TPRM data hub to upload their new information (e.g., complete a new third party questionnaire 
receiving at least one of the vendor-specific evidence questionnaires populated with an evidence response set, said evidence response set comprising one or more of: one or more data elements; one or more pieces of evidence; or one or more documents; (Ghent ¶42, the data collected from the third party by the TPRM data hub may vary but often will include: a link to the third party (or portion of the third party) providing the product/service; a product/service name; a product location (e.g., global or regional/country); service category; product description; product URL; and linkages to hierarch of products/org structure).
storing the at least one received evidence response set; (Ghent ¶55 the third parties 510 can access the third party database 550 to: (1) receive and respond to requests for third party information such by completing third party questionnaires provided by a TPRM data hub; (2) store and upload documentation, answers, and evidence; (3) provide and/or confirm permission to select ones of the banks 504 or other clients (e.g., banks, custodians, buyside entities, and other financial institutions); and (4) update remediation status and/or perform remediation. The consultants and service providers 516 may access the third party database 550 to: (1) review and complete third party documentation; (2) provide independent risk scores; and (3) respond to requests for service (e.g., to provide various service offerings)).
mapping each data element, each piece of evidence, or each document in the at least one evidence response set to the set of controls applicable to both the entity and the vendor; (Ghent ¶40 the TPRM data hub 120 may be configured to offer mapping of questions in the TPRM data hub's standard questionnaire(s) to a present set of questions defined by a bank 104 or one of 

(F)	As per Claims 6 and 16: 
Specifically, Ghent expressly discloses the following:
wherein the determined set of controls comprises an acceptable use policy information security and infrastructure risk governance control; (Ghent ¶62-63 the TPRM data hub is typically configured to be platform agnostic so as to provide data to any and all existing Governance, Risk, and Compliance (GRC) platforms via APIs and feeds.  The questions of a questionnaire may also vary to suit third party location (e.g., United States, Canada, South America, Europe, Asia Pacific, and so on) at least because this will define which sets of regulations and laws need to be complied with during third party risk management). 

(G)	As per Claims 7 and 17: 
Specifically, Ghent expressly discloses the following:
wherein the evidence questions associated with the acceptable use policy information security and infrastructure risk governance control comprise requesting documents associated with a risk assessment program; (Ghent ¶51-54 the RFS marketplace offering via the TPRM data hub 420 may include, as shown in FIG. 4: (1) ability for banks 404 and third parties 410 to request services from a service provider(s) 416 for all or any aspects of the TPRM data hub life cycle and (2) complete artifact, communications, and audit workflow capability.  The database management aspect of the TPRM data hub provides the database 550 and may also add value by: providing the RFS and RFSS marketplace whereby various other forms of third party 

(H)	As per Claims 8 and 18: 
Specifically, Ghent expressly discloses the following:
wherein the evidence questions associated with the acceptable use policy information security and infrastructure risk governance control requests one or more of: services organization controls 2 (SOC2); risk governance plan; acceptable use policy; business continuity policy; disaster recovery policy; risk policy and procedures; range of business assets to be evaluated; risk training plan; risk scenarios; risk evaluation criteria; or periodic review of program documentation; (Ghent ¶62-63 the TPRM data hub is typically configured to be platform agnostic so as to provide data to any and all existing Governance, Risk, and Compliance (GRC) platforms via APIs and feeds.  The questions of a questionnaire may also vary to suit third party location (e.g., United States, Canada, South America, Europe, Asia Pacific, and so on) at least because this will define which sets of regulations and laws need to be complied with during third party risk management). 

(I)	As per Claim 10: 
Specifically, Ghent expressly discloses the following:
wherein a subset of the determined set of controls is one or more entity-defined controls; (Ghent ¶33 The third party may provide full access permission to all customers or may identify a subset of the customers (e.g., particular banks) that may view and/or use the third party-

(J)	As per Claims 23 and 25: 
Specifically, Ghent expressly discloses the following:
wherein creating the evidence questionnaire comprises discarding duplicate evidence questions while maintaining a relationship between each evidence question remaining following the discarding, included in the evidence questionnaire, and each control associated with each evidence question; (Ghent ¶45-47 the TPRM data hub 220 may be configured with a core or first portion/engine 224 and a supplemental or second portion/engine 228.  The core engine 224 may act to collect and store, for each third party 110, a set of third party risk management information that may include the third party's company and financial profiles. Further, the core engine 224 may act to manage creation and serving (and, in response, populating a third party risk management information database (the “golden” database)) questionnaires (e.g., a protocol/standard questionnaire for each criticality level/tier, a delta questionnaire (or a modified version of the protocol questionnaire), and the like). Further, the core engine 224 may act to provide mapping of the questionnaires provided by the bank/clients 204 (or their functional entities 108) to the protocol and delta questionnaires. The TPRM data hub 220 including the SENT module provides a value proposition due to: (a) risk reduction from standardization of information, shorter turnaround times, and timely information; (b) elimination of duplicative due diligence and assessments).

Claim 24: 
Specifically, Ghent expressly discloses the following:
wherein using the control-questionnaire relationship map and discarding duplicate evidence questions reduce an amount of data of the evidence questionnaire to be transmitted to the vendor; (Ghent ¶37, 48 The TPRM data hub 220 including the SENT module provides a value proposition due to: (a) risk reduction from standardization of information, shorter turnaround times, and timely information; (b) elimination of duplicative due diligence and assessments; (c) reduction of resource stress associated with unplanned events at both the banks/contracting entities and third parties; (d) allowing banks and third parties to focus on solving for events rather than on information gathering; and (e) serving as a proactive and efficient means for third parties to provide third party risk management information to facilitate third party management. The fatigue is immensely reduced as the third parties 110 only have to complete questions provided in a protocol or standard questionnaire created, stored, and served by the TPRM data hub 120 once (and then periodically as part of a “refresh” process) rather than for each contracting party or bank they service or supply).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
US 20200134227 A1: PRIVACY RISK INFORMATION DISPLAY (Joseph; Gabi Bar et al.)
US 20190266529 A1: DATA PROCESSING SYSTEMS FOR IDENTIFYING, ASSESSING, AND REMEDIATING DATA PROCESSING RISKS USING DATA MODELING TECHNIQUES (Barday; Kabir A. et al.)
Cloud Computing Governance, Cyber Security, Risk, and Compliance Business Rules System and Method (Bhagat; Bhavesh C.)
US 20110289588 A1: Unification of security monitoring and IT-GRC (Sahai; Anupam et al.)
US 20090119141 A1: MONITORING AND MANAGING REGULATORY COMPLIANCE AMONG ORGANIZATIONS (McCalmont; Stephen A. et al.)
US 20130104236 A1: PERVASIVE, DOMAIN AND SITUATIONAL-AWARE, ADAPTIVE, AUTOMATED, AND COORDINATED ANALYSIS AND CONTROL OF ENTERPRISE-WIDE COMPUTERS, NETWORKS, AND APPLICATIONS FOR MITIGATION OF BUSINESS AND OPERATIONAL RISKS AND ENHANCEMENT OF CYBER SECURITY (RAY; Partha Datta et al.)
US 20180322292 A1: CYBERSECURITY MATURITY FORECASTING TOOL/DASHBOARD (Tedeschi; Michael Vincent)
US 20160080422 A1: TRANSFORMING BUSINESS POLICIES TO INFORMATION TECHNOLOGY SECURITY CONTROL TERMS FOR IMPROVED SYSTEM COMPLIANCE (Belgodere; Brian M. et al.)
US 20120053981 A1: Risk Governance Model for an Operation or an Information Technology System (Lipps; Margaret et al.)
US 10540493 B1: System and methods for minimizing organization risk from users associated with a password breach (Kras; Greg)
US 10546135 B1: Inquiry response mapping for determining a cybersecurity risk level of an entity (Kassoumeh; Samuel et al.)
US 20200090197 A1: SYSTEMS AND METHODS FOR PROACTIVELY RESPONDING TO VENDOR SECURITY ASSESSMENTS (Rodriguez; Juan C. et al.)
US 20190050595 A1: DATA PROCESSING SYSTEMS FOR USE IN AUTOMATICALLY GENERATING, POPULATING, AND SUBMITTING DATA SUBJECT ACCESS REQUESTS (Barday; Kabir A. et al.)
US 20190384899 A1: DATA PROCESSING AND SCANNING SYSTEMS FOR ASSESSING VENDOR RISK (Brannon; Jonathan Blake)
US 20190197444 A1: Multi-dimensional Situational Awareness and Risk Mitigation Apparatuses, Methods and Systems (Smith; John Martin)
US 20080319971 A1: Phrase-based personalization of searches in an information retrieval system (Patterson; Anna Lynn)
QUERY CLASSIFICATION BASED ON QUERY CLICK LOGS (ACHAN; KANNAN et al.)
US 20120116839 A1: ENTERPRISE RISK ANALYSIS SYSTEM (Akkiraju; Rama K.T. et al.)
US 20190156256 A1: GENERATING RISK ASSESSMENT SOFTWARE (Argyros; Kelly A et al.)
US 20160134654 A1: THIRD PARTY CENTRALIZED DATA HUB SYSTEM PROVIDING SHARED ACCESS TO THIRD PARTY QUESTIONNAIRES, THIRD PARTY RESPONSES, AND OTHER THIRD PARTY DATA (GHENT; GINA S.)
US 20180137305 A1: DATA PROCESSING SYSTEMS AND COMMUNICATIONS SYSTEMS AND METHODS FOR INTEGRATING PRIVACY COMPLIANCE SYSTEMS WITH SOFTWARE DEVELOPMENT AND AGILE TOOLS FOR PRIVACY DESIGN (Barday; Kabir A.)
US 20210004740 A1: PRIVACY MANAGEMENT SYSTEMS AND METHODS (Brannon; Jonathan Blake et al.)
US 20060121434 A1: CONFIDENCE BASED SELECTION FOR SURVEY SAMPLING (Azar; James R.)
US 6999987 B1: Screening and survey selection system and method of operating the same (Billingsley; Michael David et al.)
US 20120004946 A1: Integrated Operational Risk Management (Blackwood; Kristen B. et al.)
US 10410228 B2: System for automatic responses to predicted tail event outcomes (Boyer; Carol Ann et al.)
US 20050197988 A1: Adaptive survey and assessment administration using Bayesian belief networks (Bublitz, Scott Thomas)
US 20180357282 A1: SYSTEM AND METHOD FOR EFFICIENTLY HANDLING QUERIES (AMBARTSUMOV; Stanislav et al.)
US 20050256727 A1: Method and system for validating a client (Bennett, Brett R. et al.)



If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rutao Wu, can be reached on (571)272-6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-1822.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.S./Examiner, Art Unit 3623    4/7/2021

/WILLIAM S BROCKINGTON III/Primary Examiner, Art Unit 3623