DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 4/12/2021 has been entered.

Status
This action is in response to the amendment filed on 3/15/2021. Claims 1-20 are pending. Claims 1, 8, 15, are amended. No claims have been added. No claims have been cancelled.

Response to Arguments
Applicant's arguments filed 3/15/2021 have been fully considered but they are not persuasive. The applicant has argued the 101 rejection stating that the claims are not directed to an abstract idea but in view of Enfish are directed to an improvement in computer functionality. The examiner respectfully disagrees. Specifically, In Enfish, the claims “directed to a specific improvement to the way computers operate” to store and retrieve data were not unpatentably abstract. 822 F.3d at 1336. The examiner further points out that with respect to the Enfish LLC v. Microsoft Corp case the courts specifically identified “that certain claims directed to improvements in computer related technology, .

The applicant has argued “As in Enfish, the pending claims recite a specific data structure: ‘auditable entity data records for each auditable entity of each hierarchy, ... a risk factor data record, ... a first association data record indicating an association between the risk factor data record and the fist auditable entity data record, and a second association data record indicating an association between the [same] risk factor data record and the second auditable entity data record.’ Claim 1 further recites how this specific data improves the way the computer stores and retrieves data in memory: ‘calculating ... based on the risk factor data record, the first auditable entity data record, the second auditable entity data record, the first association data record, and the second association data record, respective risk scores for the first auditable entity and the second auditable entity using the received numerical score for the risk factor.’" The examiner respectfully disagrees. The claims differ from those found patent eligible in Enfish, where the claims were “specifically directed to a self referential table for a computer database.” 822 F.3d 1327, 1337 (Fed. Cir. 2016). The claims thus were “directed to a specific improvement to the way computers operate” rather than an abstract idea implemented on a computer. Id. at 1336. Here, by contrast, the claims are not directed to an improvement in the way computers operate. Though the claims purport to define a specific data structure, this data structure stems from the ordinary capabilities of a general purpose computer “do[] not materially alter the patent eligibility of the claimed subject matter.” Bancorp Servs., L.L.C. v. Sun Life Assurance Co. of Can. (U.S.), 687 F.3d 1266, 1278 (Fed. Cir. 2012). 

The applicant has also argued language of the specification in view of the previous 101 rejection. Specifically “In an example, the systems and methods provided by the present application can include generating a first and second data records describing the risk factor, generating a data record describing the first auditable entity, generating a data record describing the second auditable entity, and generating respective data records to indicate an association between the risk factor and each of the 

	The previous 103 rejection has been updated in view of applicant’s amendments and an updated search. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter because the claim(s) as a whole, considering all claim elements both individually and in combination, do not amount to significantly more than an abstract idea. The claim(s) is/are directed to the abstract idea of receiving data and calculating risk scores related to auditable entities. The claimed invention is directed to a judicial exception (i.e., a law of nature, a natural 
 
Step 1 
Regarding Step 1 of the Subject Matter Eligibility Test for Products and Processes (from the January 2019 §101 Examination Guidelines), claim(s) (1-7) is/are directed to a method, claim(s) (15-20) is/ are directed to a computer readable medium, and claims(s) (8-14) is/are directed to a system and therefore the claims recites a series of steps and, therefore the claims are viewed as falling in statutory categories.

Step 2A Prong 1

The claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) (mathematical relationships/formulas, mental process or certain methods of organizing human activity). Specifically the independent claims recite:

(a) mental process: as drafted, the claim recites the limitations of generating hierarchies, generating data records, receiving data, generating a risk factor, generating risk association data, and calculating risk scores which is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “by one or more processors,” nothing in the claim precludes the determining step from practically being performed in the human mind. For example, but for the “by one or more processors” language, the claim encompasses a user manually receiving data and calculating a risk. The mere nominal recitation of a generic processor does not take the claim limitation out of the mental processes 

(b) mathematical formula: The claim recites a mathematical concept (which can include a  mathematical relationships, mathematical formulas or equations, and mathematical calculations), and in this case calculating risk scores based on received data. Thus, the claim recites a mathematical relationship and mathematical calculations. “Mathematical Relationships” A mathematical relationship is a relationship between variables or numbers. A mathematical relationship may be expressed in words or using mathematical symbols. For example, pressure (p) can be described as the ratio between the magnitude of the normal force (F) and area of the surface on contact (A), or it can be set forth in the form of an equation such as p = F/A.  Examples of mathematical relationships recited in a claim include: a relationship between reaction rate and temperature, which relationship can be expressed in the form of a formula called the Arrhenius equation, Diamond v. Diehr; a conversion between binary-coded decimal and pure binary numerals, Gottschalk v. Benson; and a mathematical relationship between 

(c) certain methods of organizing human activity: The claim as a whole recites a method of organizing human activity. The claimed invention is a method that allows for users to determine a risk related to a group of humans which is a method of managing interactions between people. Thus, the claim recites an abstract idea. “Fundamental Economic Practices or Principles”; Under the 2019 PEG, “fundamental economic principles or practices,” which describe subject matter relating to the economy and commerce, are considered to be a “certain method of organizing human activity.” According to the 2019 PEG, “fundamental economic principles or practices” include hedging, insurance, and mitigating risk. The term “fundamental” is not used in the sense of necessarily being “old” or “well-known,” 24 although being old or well-known may indicate that the practice is “fundamental.” Managing Personal Behavior or Relationships or Interactions between People”; According to the 2019 PEG, “managing personal behavior or relationships or interactions between people” includes social activities, teaching, and following rules or instructions.

Step 2A Prong 2

Specifically the determined judicial exception is not integrated into a practical application because the claim is directed to an abstract idea with additional generic computer elements, the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer. The claim recites the additional element(s): processors, memories, control, and an interface.  The technology as claimed in the steps is recited at a high level of generality, i.e., as a generic processor performing a generic computer function of processing data (calculating a score from received information). This generic processor limitation is no more than mere instructions to apply the exception using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  The claim is directed to the abstract idea. 

The Examiner has further determined that the claims as a whole does not integrate a judicial exception into a practical application in order to provide an improvement in the functioning of a computer or an improvement to other technology or technical field.  It has been determined that based on the disclosure does not provide sufficient details such that one of ordinary skill in the art would recognize the claimed invention as providing an improvement.  It has not been provided clearly in the disclosure that the alleged improvement would be apparent to one of ordinary skill in the art, but is instead in a conclusory manner (i.e., a bare assertion of an improvement without the detail necessary to be apparent to a person of ordinary skill in the art, and therefore does not improve the technology.  

For further clarification the Examiner points out that the claim(s) recite(s) generating hierarchies, receiving data, and calculating risk scores which are viewed as an abstract idea in the form of applying a mathematical concept to a method of organizing activity using a mental process.  This judicial exception is not integrated into a practical application because the use of a computer for generating, receiving, and calculating which is the abstract idea steps of evaluating risk factors across multiple parts of an organization in the manner of “apply it”. 

Thus the claims recites an abstract idea directed to applying a mathematical concept to a method of organizing activity using a mental process i.e. to generate numerical values indicative of risk 


The specification makes it clear that the claimed invention is directed to applying a mathematical concept to a method of organizing activity using a mental process:

[0001] This application generally relates to database organization and management techniques and, more particularly, organizing data to efficiently generate numerical values indicative of risk factors across multiple dimensions in an organization.

The dependent claims recite elements that narrow the metes and bounds of the abstract idea but do not provide ‘something more’.  
The dependent claims do not remedy these deficiencies.

Claims 2, 9, 16 recite limitations which further define the data dimensions.

Claims 3, 4, 10, 11, 17, 18 recite limitations which further limit the data relationships.

Claims 5, 6, 7, 12, 13, 14, 19, 20 recite limitations which further limit the claimed analysis of data.

Using a computer to perform the data processing as claimed is merely implementing the abstract idea in the manner of “apply it” and does not provide significantly more. 




Step 2B

The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because as discussed with respect to Step 2A Prong Two, the additional element in the claim amounts to no more than mere instructions to apply the exception using a generic computer component. 
The same analysis applies here in 2B, i.e., mere instructions to apply an exception using a generic computer component cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B.  This is the case because in order for the claims to be viewed as significantly more the claims must incorporate the integral use of a machine to achieve performance of a method, in contrast to where the machine is merely an object on which the method operates, which does not provide significantly more in order for a machine to add significantly more, it must play a significant part in permitting the claimed method to be performed, rather than function solely as an obvious mechanism for permitting a solution to be achieved more quickly.  Whether its involvement is extra-solution activity or a field-of-use, i.e., the extent to which (or how) the machine or apparatus imposes meaningful limits on the claim. Use of a machine that contributes only nominally or insignificantly to the execution of the claimed method (e.g., in a data gathering step or in a field-of-use limitation) would not provide significantly more.  Additionally, another consideration when determining whether a claim recites significantly more is whether the claim effects a transformation or reduction of a particular article to a different state or thing. "[T]ransformation and reduction of an article ‘to a different state or thing’ is the clue to patentability of a process claim that does not include particular machines.  All together the above analysis shows there is not improvement in computer functionality, or improvement to any other technology or technical field.  The claim is ineligible. 	

With respect to the Berkheimer as noted above the same analysis applies to the 2B where the claims are viewed as applying it and as such no further analysis is required.  However with respect to the claims that are viewed as extra solution or post solution activity the Examiner notes that the claims are viewed as well-understood, routine, and conventional because:

(a) A citation to an express statement in the specification or to a statement made by an applicant during prosecution that demonstrates the well-understood, routine, conventional nature of the additional element(s). A specification demonstrates the well-understood, routine, conventional nature of additional elements when it describes the additional elements as well-understood or routine or conventional (or an equivalent term), as a commercially available product, or in a manner that indicates that the additional elements are sufficiently well-known that the specification does not need to describe the particulars of such additional elements to satisfy 35 U.S.C. § 112(a).
[0054] Additionally, certain embodiments are described herein as including logic or a number of functions, components, modules, blocks, or mechanisms. Functions may constitute either software 

(c) A citation to a publication that demonstrates the well-understood, routine, conventional nature of the additional element(s). An appropriate publication could include a book, manual, review article, or other source that describes the state of the art and discusses what is well-known and in common use in the relevant industry. 


The prior art references Reddy et al. (US 20170262751 A1), Agee (US 20120259752 A10), Treacey et al. (US 20120053982 A1) disclose a computer system, a processor, medium, a control, and an interface in at least Reddy paragraphs 3, 4, 37-47, 51, Fig. 11, Agee paragraphs 8, 9, 63, 172-174, Treacey paragraphs 5-10, 27, 32, 36-50, Fig. 2. The dependent claims recite elements that narrow the metes and bounds of the abstract idea but do not provide ‘something more’.  Specifically, the dependent claims do not remedy these deficiencies of the independent claims.

Therefore based on the above analysis as conducted based on the January 2019 Guidance from the United States Patent and Trademark Office the claims are viewed as a court recognized abstract idea, are viewed as a judicial exception, does not integrate the claims into a practical application, and does not provide an inventive concept, therefore the claims are ineligible.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-5, 8-12, 15-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Reddy et al (US 20170262751 A1) in view of Vashistha (US 20170193411 A1) in view of Treacey et al. (US 20120053982 A1) in view of Ron McFadyen “Relational Databases and Microsoft Access”, published 2017 (cited as reference 1-U; referred to hereinafter as ‘McFadyen’).

Regarding claim 1, Reddy teaches 
A computer-implemented method for generating numerical values indicative of risk factors across multiple dimensions in an organization, the method comprising (¶ 19-21, 37): 

generating, by one or more processors, a first hierarchy of “auditable” entities in an organization using a first parameter and second hierarchy of “auditable” entities in the same organization using a second parameter (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26, financial industries), the first hierarchy and the second hierarchy corresponding to a first dimension of the organization and a second dimension of the organization (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26);

receiving, by the one or more processors via a user interface, an indication of a risk factor and a numerical score for the risk factor (¶ 27);

receiving, by the one or more processors via a user interface, selections of a first “auditable” entity in the first hierarchy and a second “auditable” entity in the second hierarchy, with which the risk factor is to be associated (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26).

Reddy does not specifically teach generating entity data records for each entity of each hierarchy.

However, Vashistha teaches generating, by the one or more processors, “auditable” entity data records for each “auditable” entity of each hierarchy, including at least a first “auditable” entity data record 

receiving, by the one or more processors via a user interface, an indication of a risk factor and a numerical score for the risk factor (¶ 24, 29, 31, 53-58, Fig. 1, 3-6);

generating, by the one or more processors, a risk factor data record based on the indication of the risk factor and the numerical score for the risk factor (¶ 28, Fig. 2-6);

receiving, by the one or more processors via a user interface, selections of the first “auditable” entity in the first hierarchy and the second “auditable” entity in the second hierarchy, with which the risk factor is to be associated (¶ 61, 42, 25, 26, 45, 50, 52, claim 4);

generating, by the one or more processors, a first association data record indicating an association between the risk factor data record and the first “auditable” entity data record, and a second association data record indicating an association between the risk factor data record and the second “auditable” entity data record (Fig. 1, 4-6, ¶ 25-27, disclose risk categories, (1) "Financial Risk"; (2) "Service Maturity Risk"; (3) "Governance Risk"; (4) "People Risk"; (5) "Infrastructure Risk"; (6) "Client Risk"; (7) "Partner/Alliances Risk"; and (8) "Thought Leadership Risk." ¶ 44-46, Exemplary risk categories (105) may include (1) "Macro-Economic Risk"; (2) "Financial Risk"; (3) "Geo-Political Risk"; (4) "Infrastructure Risk"; (5) "Business Risk"; (6) "Legal Risk"; (7) "Scalability Risk"; and (8) "Quality of Life Risk." ¶ 29, 30, 19);

and automatically calculating, by the one or more processors (¶ 34, 37, 40), based on the risk factor data record (Fig. 1, 3-6, ¶ 25-27, 44-46, 29, 30), the first “auditable” entity data record (Fig. 1, 3-6, ¶ 25-27, 29, 30, 19), the second “auditable” entity data record (Fig. 1, 3-6, ¶ 44-46, 29, 30, 19), the first association data record (Fig. 1, 3-6, ¶ 25-27, 29, 30, 19), and the second association data record (Fig. 1, 

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform generating auditable entity data records for each auditable entity of each hierarchy, as taught/suggested by Vashistha. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to data modeling systems and methods for risk profiling. One of ordinary skill in the art would have recognized that applying the known technique of Vashistha would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Vashistha to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such generation of information into similar systems. Further, applying generating auditable entity data records for each auditable entity of each hierarchy would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow for the acquiring of a comprehensive understanding of the risks face by companies.

The combination of Reddy and Vashistha does not specifically teach the term auditable entities. 

However, Treacey teaches a first hierarchy of auditable entities in an organization (¶ 32, 67, 126, 129). 

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform the term auditable entities, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such the term auditable entities terminology/features into similar 

Reddy does not specifically teach providing an interactive control for specifying a plurality of entities in two or more hierarchies.

However, McFadyen teaches providing an interactive control for specifying a plurality of entities in two or more hierarchies (pg. 14, 30-31, 44-49, 76-78, 172, 205-208, see forms, 212-220, see hierarchies). 

receiving, by the one or more processors via a user interface, selections of the first entity in the first hierarchy and the second entity in the second hierarchy, with which the factor is to be associated 
(pg. 14, 44-46, 172-175, 212-220); 

automatically calculate, respective values for the first entity of the first hierarchy and the second entity of the second hierarchy using the received numerical score for the factor, in response to the received selections and a single instance of the interactive control being actuated (pg. 22, 39-43, the selection of primary keys, 48-49, calculated values, 97-99, 114).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform providing an interactive control for specifying a plurality of entities in two or more hierarchies, as taught/suggested by McFadyen. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to they are directed to generating one or more dimensional data structures. One of ordinary skill in the art would have recognized that applying the known technique of McFadyen would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of McFadyen to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such hierarchy features into similar systems. Further, applying providing an interactive control for specifying a plurality of entities in two or more hierarchies would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to analyze and compare the various layers and levels of the organization.



However, Treacey teaches receiving, by the one or more processors, an indication of a risk factor and a numerical score for the risk factor (Fig. 3-5, ¶ 9, 52, 64, 67, 68);

receiving selections of a first auditable entity in the first with which the risk factor is to be associated (Fig. 3-5, 11-14, ¶ 9, 52, 64, 67, 68, 119-123).

The combination of Reddy and Treacey teaches automatically calculating, by the one or more processors, respective risk scores for the first auditable entity and the second auditable entity using the received numerical score for the risk factor, in response to the received selections (Reddy: Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26, Treacey: Fig. 3-5, 11-14, ¶ 9, 52, 64, 68-71, 73, 119-123).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform automatically calculating selected risk scores, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such automatically calculating selected risk scores features into similar systems. Further, applying automatically calculating selected risk scores would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to select and calculate the risk score values for the various entities.

Regarding claims 2, 9, Reddy teaches wherein the first dimension is one of: (i) a legal entities dimension in which the organization is made up of a plurality of legal entities, (ii) a geographic dimension in which the organization is made up of a plurality of geographic locations, (iii) an organization process dimension in which the organization is made up of a plurality of organizational processes, (iv) a business unit dimension in which the organization is made up of a plurality of business units, (v) an information technology (IT) systems dimension in which the organization is made (vi) an enterprise risk management risk register dimension, or  1731790/52468 (vii) a dimension corresponding to standards set by one or more of a professional association, a committee, and/or a standards body; and the second dimension is a different one of the dimensions (i) - (vii) (Fig. 2, 3, 6, 7, ¶ 21, 23, 31, 36). 
Also taught by Vashistha (¶ 25-27, 44-46), Treacey including IT risk (¶ 67, 28, 7, 27). 

Regarding claims 3, 10, 17, the combination of Reddy, Vashistha, and Treacey teaches automatically calculating a risk score for an auditable entity in a parent relationship with the first auditable entity in the first hierarchy, based on the received risk factor and the numerical score (Reddy: Fig. 5, 9, abstract, ¶ 3, 4, 19-26, 29, 30, 35, Treacey: Fig. 3-5, 11-14, ¶ 9, 52, 64, 68-71, 73, 119-123).

Reddy teaches calculating a risk score for an entity in a parent relationship with the first entity in the first hierarchy, based on the received risk factor and the numerical score (Reddy: Fig. 5, 9, abstract, ¶ 3, 4, 19-26, 29, 30, 35).

Reddy does not specifically teach automatically calculating selected risk scores for an auditable entity, which is taught by Treacey (Treacey: Fig. 3-5, 11-14, ¶ 9, 52, 64, 68-71, 73, 119-123).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform automatically calculating selected risk scores for an auditable entity, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such automatically calculating selected risk scores features into similar systems. Further, applying automatically calculating selected risk scores would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to select and calculate the risk score values for the various entities. Also taught by (Vashistha, Fig. 1, 4-6, ¶ 25-27, 44-46, 29, 30).

Regarding claims 4, 11, 18,  the combination of Reddy, Vashistha, and Treacey teaches automatically calculating a risk score for an auditable entity in a parent relationship with the second auditable entity in the second hierarchy, based on the received risk factor and the numerical score

Reddy teaches calculating a risk score for an “auditable” entity in a parent relationship with the second “auditable” entity in the second hierarchy, based on the received risk factor and the numerical score (Reddy: Fig. 5, 9, abstract, ¶ 3, 4, 19-26, 29, 30, 35).
Vashistha teaches automatically calculating a risk score for an “auditable” entity in a parent relationship with the second auditable entity in the second hierarchy, based on the received risk factor and the numerical score (Vashistha, Fig. 1, 4-6, ¶ 25-27, 44-46,  29, 30).

Treacey teaches automatically calculating a risk score for an auditable entity in a parent relationship with the second auditable entity in the second hierarchy, based on the received risk factor and the numerical score (Treacey: Fig. 3-5, 11-14, ¶ 9, 52, 64, 68-71, 73, 119-123).

Reddy does not specifically teach automatically calculating selected risk scores for auditable entities, which is taught by Treacey.

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform automatically calculating selected risk scores for an auditable entity, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such automatically calculating selected risk scores features into similar systems. Further, applying automatically calculating selected risk scores would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to select and calculate the risk score values for the various entities.

Regarding claims 5, 12, 19, Reddy teaches 

wherein the risk factor is a first risk factor, the method further comprising: receiving, by the one or more processors, an indication of a second risk factor and a numerical score for the second risk factor (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 31-33);

receiving, by the one or more processors via a user interface, a selection of the first “auditable” entity in the first hierarchy, with which the second risk factor is to be associated and a selection of the second “auditable” entity in the second hierarchy, with which the second risk factor is not to be associated (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 26, 31-33).

Reddy does not specifically teach the term auditable entities. 

However, Treacey teaches a first hierarchy of auditable entities in an organization (¶ 32, 67, 126, 129). 

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform the term auditable entities, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such the term auditable entities terminology/features into similar systems. Further, applying the term auditable entities would have been recognized by those of ordinary skill in the art as resulting in an improved system that would specifically classify the type of organization. 

Reddy does not specifically teach automatically calculating selected risk scores. 

However, Treacey teaches receiving, by the one or more processors, an indication of a second risk factor and a numerical score for the second risk factor (Fig. 3-5, ¶ 9, 52, 64, 67, 68);



The combination of Reddy and Treacey teaches automatically calculating, by the one or more processors, respective risk scores for the first auditable entity and the second auditable entity using the received numerical scores for the first risk factor and the second risk factor, in response to the received selections (Reddy: Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26, Treacey: Fig. 3-5, 11-14, ¶ 9, 52, 64, 68-71, 73, 119-123).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform automatically calculating selected risk scores, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such automatically calculating selected risk scores features into similar systems. Further, applying automatically calculating selected risk scores would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to select and calculate the risk score values for the various entities.

Regarding claim 8, Reddy teaches 
A computer system for generating numerical values indicative of risk factors across multiple dimensions in an organization comprising: one or more processors; and one or more memories storing instructions that, when executed by the one or more processors, cause the computer system to (¶ 19-21, 37, 43, 44, 51): generate a first hierarchy of “auditable” entities in an organization using a first parameter and second hierarchy of “auditable”  entities in the same organization using a second parameter (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26, financial industries), the first hierarchy and the second hierarchy corresponding to a first dimension of the organization and a second dimension of the organization (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26);



receive, via a user interface, selections of a first “auditable” entity in the first hierarchy and a second “auditable” entity in the second hierarchy, with which the risk factor is to be associated (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26).

Reddy does not specifically teach generating entity data records for each entity of each hierarchy.

However, Vashistha teaches generate “auditable” entity data records for each “auditable” entity of each hierarchy, including at least a first “auditable” entity data record associated with a first “auditable” entity of the first hierarchy and a second “auditable” entity data record associated with a second “auditable” entity of the second hierarchy (Fig. 1, 4-6, ¶ 25, 26, disclose risk categories, (1) "Financial Risk"; (2) "Service Maturity Risk"; (3) "Governance Risk"; (4) "People Risk"; (5) "Infrastructure Risk"; (6) "Client Risk"; (7) "Partner/Alliances Risk"; and (8) "Thought Leadership Risk." ¶ 44, 45, Exemplary risk categories (105) may include (1) "Macro-Economic Risk"; (2) "Financial Risk"; (3) "Geo-Political Risk"; (4) "Infrastructure Risk"; (5) "Business Risk"; (6) "Legal Risk"; (7) "Scalability Risk"; and (8) "Quality of Life Risk." ¶ 29, 30); 

receive, via a user interface, an indication of a risk factor and a numerical score for the risk factor (¶ 24, 29, 31, 53-58, Fig. 1, 3-6);

generate a risk factor data record based on the indication of the risk factor and the numerical score for the risk factor (¶ 28, Fig. 2-6);

receive via a user interface, selections of the first “auditable” entity in the first hierarchy and the second “auditable” entity in the second hierarchy, with which the risk factor is to be associated (¶ 61, 42, 25, 26, 45, 50, 52, claim 4);

generate a first association data record indicating an association between the risk factor data record and the first “auditable” entity data record, and a second association data record indicating an association between the risk factor data record and the second “auditable” entity data record (Fig. 1, 4-6, ¶ 25-27, disclose risk categories, (1) "Financial Risk"; (2) "Service Maturity Risk"; (3) "Governance Risk"; (4) 

and automatically calculate (¶ 34, 37, 40), based on the risk factor data record (Fig. 1, 3-6, ¶ 25-27, 44-46, 29, 30), the first “auditable” entity data record (Fig. 1, 3-6, ¶ 25-27, 29, 30, 19), the second “auditable” entity data record (Fig. 1, 3-6, ¶ 44-46, 29, 30, 19), the first association data record (Fig. 1, 3-6, ¶ 25-27, 29, 30, 19), and the second association data record (Fig. 1, 3-6, ¶ 44-46, 29, 30, 19), respective risk scores for the first “auditable” entity and the second “auditable” entity using the received numerical score for the risk factor, in response to the received selections (Fig. 1, 3-6, ¶ 25-27, 44-46, 29, 30).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform generating auditable entity data records for each auditable entity of each hierarchy, as taught/suggested by Vashistha. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to data modeling systems and methods for risk profiling. One of ordinary skill in the art would have recognized that applying the known technique of Vashistha would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Vashistha to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such generation of information into similar systems. Further, applying generating auditable entity data records for each auditable entity of each hierarchy would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow for the acquiring of a comprehensive understanding of the risks face by companies.

Reddy does not specifically teach the term auditable entities. 

However, Treacey teaches a hierarchy of auditable entities in an organization (¶ 32, 67, 126, 129). 



Reddy does not specifically teach providing an interactive control for specifying a plurality of entities in two or more hierarchies. 

However, McFadyen teaches providing an interactive control for specifying a plurality of entities in two or more hierarchies (pg. 14, 30-31, 44-49, 76-78, 172, 205-208, see forms, 212-220, see hierarchies). 

receive, via a user interface, selections of the first entity in the first hierarchy and the second entity in the second hierarchy, with which the factor is to be associated (pg. 14, 44-46, 172-175, 212-220); 

automatically calculate, respective values for the first entity of the first hierarchy and the second entity of the second hierarchy using the received numerical score for the factor, in response to the received selections and a single instance of the interactive control being actuated (pg. 22, 39-43, the selection of primary keys, 48-49, calculated values, 97-99, 114).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform providing an interactive control for specifying a plurality of entities in two or more hierarchies, as taught/suggested by McFadyen. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to they are directed to generating one or more dimensional data structures. One of ordinary skill in the art would have recognized that applying the known technique of McFadyen would have yielded predictable 

Reddy does not specifically teach automatically calculating selected risk scores. 

However, Treacey teaches receiving an indication of a risk factor and a numerical score for the risk factor (Fig. 3-5, ¶ 9, 52, 64, 67, 68);

receive, via a user interface, selections of a first auditable entity in the first hierarchy and a second auditable entity in the second hierarchy, with which the risk factor is to be associated (Fig. 3-5, 11-14, ¶ 9, 52, 64, 67, 68, 119-123).

The combination of Reddy and Treacey teaches automatically calculate respective risk scores for the first auditable entity and the second auditable entity using the received numerical score for the risk factor, in response to the received selections (Reddy: Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26, Treacey: Fig. 3-5, 11-14, ¶ 9, 52, 64, 68-71, 73, 119-123).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform automatically calculating selected risk scores, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such automatically calculating selected risk scores features into similar systems. Further, applying automatically calculating selected risk scores would have 

Regarding claim 15, Reddy teaches 
A non-transitory computer-readable medium storing instructions for generating numerical values indicative of risk factors across multiple dimensions in an organization that, when executed by one or more processors, cause the one or more processors to (¶ 19-21, 37, 43, 44, 51): generate a first hierarchy of “auditable” entities in an organization using a first parameter and second hierarchy of “auditable”  entities in the same organization using a second parameter (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26, financial industries), the first hierarchy and the second hierarchy corresponding to a first dimension of the organization and a second dimension of the organization (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26);

receive an indication of a risk factor and a numerical score for the risk factor (¶ 27);

receive, via a user interface, selections of a first “auditable”  entity in the first hierarchy and a second “auditable”  entity in the second hierarchy, with which the risk factor is to be associated (Fig. 2, 6, 8, 11, abstract, ¶ 3, 4, 19-21, 23, 24, 26).

Reddy does not specifically teach generating entity data records for each entity of each hierarchy.

However, Vashistha teaches generate “auditable” entity data records for each “auditable” entity of each hierarchy, including at least a first “auditable” entity data record associated with a first “auditable” entity of the first hierarchy and a second “auditable” entity data record associated with a second “auditable” entity of the second hierarchy (Fig. 1, 4-6, ¶ 25, 26, disclose risk categories, (1) "Financial Risk"; (2) "Service Maturity Risk"; (3) "Governance Risk"; (4) "People Risk"; (5) "Infrastructure Risk"; (6) "Client Risk"; (7) "Partner/Alliances Risk"; and (8) "Thought Leadership Risk." ¶ 44, 45, Exemplary risk categories (105) may include (1) "Macro-Economic Risk"; (2) "Financial Risk"; (3) "Geo-Political Risk"; (4) "Infrastructure Risk"; (5) "Business Risk"; (6) "Legal Risk"; (7) "Scalability Risk"; and (8) "Quality of Life Risk." ¶ 29, 30); 



generate, a risk factor data record based on the indication of the risk factor and the numerical score for the risk factor (¶ 28, Fig. 2-6);

receive via a user interface, selections of the first “auditable” entity in the first hierarchy and the second “auditable” entity in the second hierarchy, with which the risk factor is to be associated (¶ 61, 42, 25, 26, 45, 50, 52, claim 4);

generate a first association data record indicating an association between the risk factor data record and the first “auditable” entity data record, and a second association data record indicating an association between the risk factor data record and the second “auditable” entity data record (Fig. 1, 4-6, ¶ 25-27, disclose risk categories, (1) "Financial Risk"; (2) "Service Maturity Risk"; (3) "Governance Risk"; (4) "People Risk"; (5) "Infrastructure Risk"; (6) "Client Risk"; (7) "Partner/Alliances Risk"; and (8) "Thought Leadership Risk." ¶ 44-46, Exemplary risk categories (105) may include (1) "Macro-Economic Risk"; (2) "Financial Risk"; (3) "Geo-Political Risk"; (4) "Infrastructure Risk"; (5) "Business Risk"; (6) "Legal Risk"; (7) "Scalability Risk"; and (8) "Quality of Life Risk." ¶ 29, 30, 19);

and automatically calculate (¶ 34, 37, 40), based on the risk factor data record (Fig. 1, 3-6, ¶ 25-27, 44-46, 29, 30), the first “auditable” entity data record (Fig. 1, 3-6, ¶ 25-27, 29, 30, 19), the second “auditable” entity data record (Fig. 1, 3-6, ¶ 44-46, 29, 30, 19), the first association data record (Fig. 1, 3-6, ¶ 25-27, 29, 30, 19), and the second association data record (Fig. 1, 3-6, ¶ 44-46, 29, 30, 19), respective risk scores for the first “auditable” entity and the second “auditable” entity using the received numerical score for the risk factor, in response to the received selections (Fig. 1, 3-6, ¶ 25-27, 44-46, 29, 30).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform generating auditable entity data records for each auditable entity of each hierarchy, as taught/suggested by Vashistha. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to data modeling systems and methods for risk profiling. One of ordinary skill in the art would have recognized that 

Reddy does not specifically teach the term auditable entities. 

However, Treacey teaches a hierarchy of auditable entities in an organization (¶ 32, 67, 126, 129). 

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform the term auditable entities, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such the term auditable entities terminology/features into similar systems. Further, applying the term auditable entities would have been recognized by those of ordinary skill in the art as resulting in an improved system that would specifically classify the type of organization. 

Reddy does not specifically teach providing an interactive control for specifying a plurality of entities in two or more hierarchies. 

However, McFadyen teaches providing an interactive control for specifying a plurality of entities in two or more hierarchies (pg. 14, 30-31, 44-49, 76-78, 172, 205-208, see forms, 212-220, see hierarchies). 



automatically calculate, respective values for the first entity of the first hierarchy and the second entity of the second hierarchy using the received numerical score for the factor, in response to the received selections and a single instance of the interactive control being actuated (pg. 22, 39-43, the selection of primary keys, 48-49, calculated values, 97-99, 114).

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform providing an interactive control for specifying a plurality of entities in two or more hierarchies, as taught/suggested by McFadyen. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to they are directed to generating one or more dimensional data structures. One of ordinary skill in the art would have recognized that applying the known technique of McFadyen would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of McFadyen to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such hierarchy features into similar systems. Further, applying providing an interactive control for specifying a plurality of entities in two or more hierarchies would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to analyze and compare the various layers and levels of the organization.

Reddy does not specifically teach automatically calculating selected risk scores. 

However, Treacey teaches receive an indication of a risk factor and a numerical score for the risk factor (Fig. 3-5, ¶ 9, 52, 64, 67, 68);

receive, via a user interface, selections of a first auditable entity in the first hierarchy and a second auditable entity in the second hierarchy, with which the risk factor is to be associated (Fig. 3-5, 11-14, ¶ 9, 52, 64, 67, 68, 119-123).



It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform automatically calculating selected risk scores, as taught/suggested by Treacey. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to mapping known risk items into a standard, universally recognized risk framework. One of ordinary skill in the art would have recognized that applying the known technique of Treacey would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Treacey to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such automatically calculating selected risk scores features into similar systems. Further, applying automatically calculating selected risk scores would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to select and calculate the risk score values for the various entities.


Regarding claim 16, Reddy teaches wherein the first dimension is one of a (i) a legal entities dimension in which the organization is made up of a plurality of legal entities, (ii) a geographic dimension in which the organization is made up of a plurality of geographic locations, or (iii) an organization process dimension in which the organization is made up of a plurality of organizational processes, and the second dimension is a different one of the dimensions (i) - (iii). (Fig. 2, 3, 6, 7, ¶ 21, 23, 31, 36). 
Also taught by Vashistha (¶ 25-27, 44-46), Treacey (¶ 67, 28, 7, 27). 

Claims 6, 7, 13, 14, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Reddy et al (US 20170262751 A1) in view of Vashistha (US 20170193411 A1) in view of Treacey et al. (US 20120053982 A1) in view of McFadyen (2017) in further view of Agee (US 20120259752 A1).  

Regarding claims 6, 13, 20, Reddy teaches the concept of inherent risk but does not apply a numerical score to it. 

However, Agee teaches wherein the numerical score for the risk factor includes a numerical score for the inherent risk of the risk factor and a numerical score for the residual risk of the risk factor (¶ 9, 12, 192-195, 264, 419, 695, 696, 774-779, 865-869, 882-894, 901-924, 944, Table 11). 

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform a numerical score for the inherent risk of the risk factor and a numerical score for the residual risk of the risk factor, as taught/suggested by Agee. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to risk tracking systems. One of ordinary skill in the art would have recognized that applying the known technique of Agee would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Agee to the teachings of Reddy would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such residual and inherent features into similar systems. Further, applying residual and inherent features would have been recognized by those of ordinary skill in the art as resulting in an improved system that would allow the ability to determine a raw risk that has no mitigation factors or treatments applied to it as well as the level of risk remaining after controls have been applied. The additional information and factors have an added benefit for the user. 

Regarding claims 7, 14, Reddy teaches the concept of weighting but does not teach a scaled rating of the risk factor. 

However, Agee teaches wherein the numerical score for the risk factor is a scaled rating of the risk factor (¶ 865-881, 884--887, 930-933, Table 11). 

It would have been obvious to one of ordinary skill in the art at the time of Applicant’s invention to modify Reddy to include/perform a scaled rating of the risk factor, as taught/suggested by Agee. This known technique is applicable to the system of Reddy as they both share characteristics and capabilities, namely, they are directed to risk tracking systems. One of ordinary skill in the art would have recognized 

Other pertinent prior art includes Davidson (US 20160163186 A1) an integrated hazard risk management and mitigation system and Zhu (US 20040015376 A1) the economic analysis of projects or investments which takes into account risks associated with political uncertainties. 

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMIE H AUSTIN whose telephone number is (571)272-7363.  The examiner can normally be reached on Monday, Wednesday 7am-3pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Epstein can be reached on (571)270-5389.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact 


JAMIE H. AUSTIN
Examiner
Art Unit 3683



/JAMIE H AUSTIN/Primary Examiner, Art Unit 3683