DETAILED ACTION
This final Office action is responsive to amendments filed April 22nd, 2022. Claims 1-21 are presented for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.

Response to Amendments

Applicant’s amendments have been fully considered, and overcome the previously pending specification objections.
Applicant’s amendments have been fully considered, but do not overcome the previously pending 35 USC 103 rejections. 
The 35 USC 101 rejection is maintained based on the Applicant’s claim amendments because the claims do not integrate the judicial exception into a practical application by identifying a problem with the “routine and conventional sequence of events ordinarily triggered” using electronic systems to manage disparate compliance matters for disparate entities and sub-entities (with reference to the PEG 2019). These features do not apply the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is no more than a drafting effort designed to monopolize the exception (See PEG 2019 and MPEP 2106.05). Therefore, making the claims ineligible under 35 USC 101.
With regard to the limitations of claims 1-21, Applicant argues that the claims are allowable over 35 USC 103 because the claim amendments overcome the current art rejection. The Examiner respectfully disagrees. Please see the updated rejection below since amendments by Applicant require additional reference to the Examiner’s art rejection.

Response to Arguments
Applicant's arguments regarding claim rejections under 35 USC 101 filed 4/22/22 have been fully considered but they are not persuasive. 
On pages 12-20 of the provided remarks, Applicant argues that the claims present statutory subject matter. Beginning on pages 13-14 of the provided remarks, Applicant argues regarding Step 2A analysis, “not every portion of the claims recite a judicial exception, that said portions must therefore be considered under prong 2 of step 2A, and that when appropriately considered at prong 2, the claims are integrated into a practical application.” Examiner respectfully disagrees and asserts that the previous rejection dated 10/22/21 indicates on pages 3-4 per the underlined notation, the limitations that are direction to the judicial exception of Organizing Human Activity. Pages 4-5 of the previous rejection dated 10/22/21, regarding Prong 2 analysis, contain the limitations of the independent claims that were not underlined in prong 1 as being directed to the judicial exception. Therefore, all elements of the independent claims were analyzed in the previous rejection dated 10/22/21. Applicant’s arguments are not persuasive.
On page 14-15 of the provided remarks, Applicant argues “The Office appears either to have improperly conducted the prong 2 (‘directed to’) analysis at step 1 or has inappropriately leapt to the conclusion that the claims are ‘directed to’ an abstract idea without regard as to what portions of the claims are alleged to ‘recite’ the abstract idea and what the putative ‘additional elements’ add to the claims in prong 2.” Examiner respectfully disagrees and first looks to MPEP 2106.04 regarding ‘Eligibility Step 2A: Whether a Claim is Directed to a Judicial Exception. Per MPEP 2016.04(II)(A), “Step 2A is a two-prong inquiry, in which examiners determine in Prong One whether a claim recites a judicial exception, and if so, then determine in Prong Two if the recited judicial exception is integrated into a practical application of that exception. Together, these prongs represent the first part of the Alice/Mayo test, which determines whether a claim is directed to a judicial exception.” As indicated by Examiners’ previous rejection, prong 1 includes the underlined limitations which recite the judicial exception (pages 3-4 of the rejection dated 10/22/21) and prong 2 analysis recites the additional elements that fail to integrate the judicial exception into a practical application (pages 4-5 of the rejection dated 10/22/21). Applicant’s arguments are not persuasive. 
On page 15 of the provided remarks, Applicant argues regarding Prong 2 analysis that the present application is similar to that of DDR. Specifically, Applicant argues, “the claims in DDR were held to be eligible because the specification identified a problem with the "routine and conventional sequence of events ordinarily triggered" by interacting with software (in the case of DDR, a hyperlink), and claimed a solution to the problem. Applicant's as-filed specification similarly identifies a problem with the "routine and conventional sequence of events ordinarily triggered" using electronic systems to manage disparate compliance matters for disparate entities and sub-entities.” Examiner respectfully disagrees and asserts that the present claims are not analogous to DDR. Per MPEP 2106.05(I)(A), DDR presented, “Improvements to the functioning of a computer, e.g., a modification of conventional Internet hyperlink protocol to dynamically produce a dual-source hybrid webpage, as discussed in DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1258-59, 113 USPQ2d 1097, 1106-07 (Fed. Cir. 2014) (see MPEP § 2106.05(a))”. The present claims do not present improvements to the functioning of a computer through a modification of a conventional hyperlink protocol to dynamically produce a dual-source hybrid webpage. As stated by Applicant, the present claims “manage disparate compliance matter for disparate entities”. There is no improvement to the functioning of a computer through the modification of conventional hyperlinks. Therefore, the present application is not similar to that of DDR. Applicant’s arguments are not persuasive.
Continuing on page 16 of the provided remarks, Applicant argues regarding DDR that “the claimed solution (specifically, the execution of the default display modification element) specifies how interactions with a computer are manipulated to yield a desired result.” Applicant continues on to state that within the present claims, “the user is presented with a risk plot that indicates the frequency count of compliance subjects having a particular risk-consequence score combination. In sum, the claims and holdings of DDR are controlling on the present case and, for at least this reason, the claims are directed to eligible subject matter.” Examiner respectfully disagrees and asserts that while DDR specified how interactions with a computer are manipulated to yield a desired result through the selection of a hyperlink, the present claims simply recite, “at least partially in response to the determining of the risk score and the determining of the consequence score, causing a rendering, within the graphical user interface, of at least one graphical indicator in a specific location within the risk plot region.” There is no recitation of how the risk plot is rendered based on interactions with a computer. As stated by Applicant, “the user is presented with a risk plot”. This “presentation” does not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity. Therefore, the claims are not directed to patent eligible subject matter. Applicant’s arguments are not persuasive.
Continuing on page 17 of the provided remarks, Applicant argues that the present claims are similar to that of Example 37 regarding the rearrangement of icons in a graphical user interface. Specifically, Applicant argues, “Like the background section of example 37, paragraph [0072] of the as-filed specification in the present case discusses a problem with the status quo (that conventional risk management GUIs require drilling down of information to realize a usable level of situational awareness), identifies a desired result (consolidating compliance subject frequency counts based on risk and consequence score), and lays out how interactions with the computer are manipulated to yield the desired (creating the specifically claimed risk plot on the GUI). In other words, every meaningful element of the background section of example 37 has direct corollaries to the as-filed specification in the present case.” Examiner respectfully disagrees and asserts that the “creating the specifically claimed risk plot on the GUI” is not analogous to “changing the layout of icons on the desktop based on usage” of example 37. The present claims do not contain language referencing the “rearrangement” of the display of a GUI. Additionally, regarding the “specifically claimed risk plot”, the claims recite, “causing a rendering” of the risk plot. There is no claimed “creation” of a risk plot in a specific display but simply the display of the risk plot to a user. As argued above, this display does not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity. Therefore, the claims are not directed to patent eligible subject matter. Applicant’s arguments are not persuasive.
Continuing on page 18 of the provided remarks, Applicant argues “in the analysis of example 37, the Office does not simply cast aside steps of the claim that relate to displaying the allegedly-abstract determined information as “extra-solution” activity.” Examiner asserts that Example 37 recites the following limitation, “automatically moving the most used icons to a position on the GUI closest to the start icon of the computer system based on the determined amount of use.” The Office continues on to state that “The claim as a whole integrates the mental process into a practical application. Specifically, the additional elements recite a specific manner of automatically displaying icons to the user based on usage which provides a specific improvement over prior systems, resulting in an improved user interface for electronic devices.” While the limitation concerns the display of icons in a GUI, the specific recitation of the “automatic moving of icons” within the GUI presents a specific improvement over prior systems. The present claims recite at a high-level the “causing a rendering, within the graphical user interface, of at least one graphical indicator in a specific location within the risk plot region.” There is no recitation of automatic movement/modification/altering of the display itself but simply the display of the risk plot region for the user. The claim functions are not analogous to example 37 and do not present an integration into a practical application and/or improvement. Applicant’s arguments are not persuasive. 
On page 19 of the provided remarks, Applicant argues, “even if other portions of the claim, such as the determination of risk and consequence scores, recite an abstract idea under prong 1, which is not conceded, the additional elements of the claim (specifically, the particular manner of displaying a risk plot) integrate the claim into a practical application at least because the additional elements recite a specific manner of conveying information that provides a specific improvement over prior systems.” Examiner respectfully disagrees and asserts as stated above, the specific recitation of the “automatic moving of icons” of example 37 within the GUI presents a specific improvement over prior systems. The present claims recite at a high-level the “causing a rendering, within the graphical user interface, of at least one graphical indicator in a specific location within the risk plot region.” There is no recitation of automatic movement/modification/altering of the display itself but simply the display of the risk plot region for the user. The claim functions are not analogous to example 37 and do not present an integration into a practical application and/or improvement. Therefore, the 35 USC 101 rejection is maintained. Applicant’s arguments are not persuasive.
Applicant's arguments regarding claim rejections under 35 USC 103 filed 4/22/22 have been fully considered but they are not persuasive. 
On pages 20-23 of the provided remarks, Applicant argues that the cited prior art does not disclose the claimed subject matter. Specifically, on page 21, Applicant argues, “Whereas Hoover displays a two-factor display that indicates the frequency of occurrence of a single variable, the present claims display a three-factor display that indicates the frequency of occurrence of a combination of two variables.” Examiner respectfully disagrees and asserts that both Cogliandro and Hoover were cited to disclose the risk plot region. While Cogliandro does not disclose the frequency count, it does disclose per cited Figure 4 for reference to the Risk Assessment Guide which displays the consequence score on the x-axis and the risk item likelihood score on the y-axis. Therefore, Cogliandro discloses a display based on a combination of two variables. Additionally, while Applicant’s argument focuses on Figure 12A, Figures 12B and 12C were additionally cited to disclose the ability of Hoover of a three-factor display based on price risk scores, supplier risk scores, and item risk scores on a scoring scale. Therefore, the combination of Cogliandro and Hoover discloses the three-factor display based on two-variables. Applicant’s arguments are not persuasive.
Continuing on page 21, Applicant argues, “Hoover’s frequency count of “price risk scores” is not the same or equivalent to a “frequency count of compliance subjects having an associated risk score and corresponding consequence score”. Examiner respectfully disagrees and asserts that while Applicant argues the definition of “compliance subjects”, the present claim language does not contain the level of specificity argued. Under broadest reasonable interpretation, the term “compliance subject” is analogous to the price, supplier, and item scoring scale utilized by Hoover. Additionally, as cited by Examiner, Cogliandro discloses in Paragraph 0065 the risk management method being sensitized to the firm’s strategic intent including a firm’s objectives and goals such as political, regulatory, or geographical issues. The objectives stated above are analogous to the claimed “compliance subjects”. Therefore, the combination of Cogliandro and Hoover discloses the present claims. The 35 USC 103 rejection is maintained. Applicant’s arguments are not persuasive. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter;
When considering subject matter eligibility under 35 U.S.C. 101, it must be determined whether the claim is directed to one of the four statutory categories of invention, i.e., process, machine, manufacture, or composition of matter.  If the claim does fall within one of the statutory categories, it must then be determined whether the claim is directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea), and if so, it must additionally be determined whether the claim is a patent-eligible application of the exception.  If an abstract idea is present in the claim, any element or combination of elements in the claim must be sufficient to ensure that the claim amounts to significantly more than the abstract idea itself.
Step 1: Independent claims 1 (method), 8 (system), and 15 (medium) and dependent claims 2-7, 9-14, and 16-21, respectively, fall within at least one of the four statutory categories of 35 U.S.C. 101: (i) process; (ii) machine; (iii) manufacture; or (iv) composition of matter. Claim 1 is directed to a method (i.e. process), claim 8 is directed to a system (i.e. machine), and claim 15 is directed to a memory (i.e. manufacture).
Step 2A Prong 1: The independent claims are directed toward monitoring status of compliance subjects using a graphical user interface, the method comprising: determining a risk score for an entity in an organization, wherein the risk score indicates a likelihood of misconduct associated with a compliance subject by an employee within the entity, wherein the compliance subject is indicative of a category of rules or regulations with which the organization is required to comply; determining a consequence score associated with the compliance subject; generating a graphical user interface comprising a risk plot region; and at least partially in response to the determining of the risk score and the determining of the consequence score, causing a rendering, within the graphical user interface, of at least one graphical indicator in a specific location within the risk plot region, wherein the at least one graphical indicator comprises a frequency count of compliance subjects having the associated risk score and corresponding consequence score (Organizing Human Activity), which are considered to be abstract ideas (See PEG 2019 and MPEP 2106.05). The steps/functions disclosed above and in the independent claims are directed toward the abstract idea of Organizing Human Activity because the claimed limitations are determining a risk score for an entity in an organization in which that score indicates a likelihood of misconduct, which is mitigation of risk. The claimed limitations also determine a risk score of an entity based on compliance subjects which is indicative of a category of rules or regulations with which the organization is required to comply, which is managing of personal behavior. The Applicant’s claimed limitations are determining a risk score for an entity or organization, which is directed towards the abstract idea of Organizing Human Activity.
Step 2A Prong 2: In this application, even if not directed toward the abstract idea, the above “using a graphical user interface; generating a graphical user interface; causing a rendering, of at least one graphical indicator in a specific location within the risk plot region” steps/functions of the independent claims would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and merely adds the words to apply it with the judicial exception. Also, the claimed “a graphical user interface; A system for monitoring status of compliance subjects using a graphical user interface, the system comprising: a display device; and a processor configured to; A non-transitory computer readable medium comprising computer executable instructions for monitoring status of compliance subjects using a graphical user interface” would not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05). 
In addition, dependent claims 2-7, 9-14, and 16-21 further narrow the abstract idea and dependent claims 4, 7, 11, 14, 18, and 21 additionally recite “generating a second graphical user interface associated with a risk mitigation plan for a first compliance subject of the compliance subjects”, “receiving a user selection of the frequency count of compliance subjects having the associated risk score and the corresponding consequence score”, and “generating, in response to receiving the user selection of the frequency count, a second graphical user interface comprising a listing of the compliance subjects having the associated risk score and the corresponding consequence score” which do not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because receiving/storing data and displaying data merely add insignificant extra-solution activity and the claimed “graphical user interface” which do not account for additional elements that integrate the judicial exception (e.g. abstract idea) into a practical application because the claimed structure merely adds the words to apply it with the judicial exception and mere instructions to implement an abstract idea on a computer (See PEG 2019 and MPEP 2106.05). 
The claimed “a graphical user interface; A system for monitoring status of compliance subjects using a graphical user interface, the system comprising: a display device; and a processor configured to; A non-transitory computer readable medium comprising computer executable instructions for monitoring status of compliance subjects using a graphical user interface” are recited so generically (no details whatsoever are provided other than that they are general purpose computing components and regular office supplies) that they represent no more than mere instructions to apply the judicial exception on a computer. These limitations can also be viewed as nothing more than an attempt to generally link the use of the judicial exception to the technological environment of a computer. Even when viewed in combination, the additional elements in the claims do no more than use the computer components as a tool. There is no change to the computers and other technology that is recited in the claim, and thus the claims do not improve computer functionality or other technology (See PEG 2019).
Step 2B: When analyzing the additional element(s) and/or combination of elements in the claim(s) other than the abstract idea per se the claim limitations amount(s) to no more than: a general link of the use of an abstract idea to a particular technological environment and merely amounts to the application or instructions to apply the abstract idea on a computer (See MPEP 2106.05 and PEG 2019). Further, method claims 1-7; system claims 8-14; and non-transitory computer-readable medium claims 15-21 recite “a graphical user interface; A system for monitoring status of compliance subjects using a graphical user interface, the system comprising: a display device; and a processor configured to; A non-transitory computer readable medium comprising computer executable instructions for monitoring status of compliance subjects using a graphical user interface”; however, these elements merely facilitate the claimed functions at a high level of generality and they perform conventional functions and are considered to be general purpose computer components which is supported by Applicant’s specification in Paragraphs 0066 and 0069 and Figures 1 and 15. The Applicant’s claimed additional elements are mere instructions to implement the abstract idea on a general purpose computer and generally link of the use of an abstract idea to a particular technological environment. Also, the above “using a graphical user interface; generating a graphical user interface; causing a rendering, of at least one graphical indicator in a specific location within the risk plot region” steps/functions of the independent claims would not account for significantly more than the abstract idea because receiving data and displaying/presenting data (See MPEP 2106.05) have been identified as well-known, routine, and conventional steps/functions to one of ordinary skill in the art. When viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself. 
In addition, claims 2-7, 9-14, and 16-21 further narrow the abstract idea identified in the independent claims.  The Examiner notes that the dependent claims merely further define the data being analyzed and how the data is being analyzed. Similarly, claims 4, 7, 11, 14, 18, and 21 additionally recite “generating a second graphical user interface associated with a risk mitigation plan for a first compliance subject of the compliance subjects”, “receiving a user selection of the frequency count of compliance subjects having the associated risk score and the corresponding consequence score”, and “generating, in response to receiving the user selection of the frequency count, a second graphical user interface comprising a listing of the compliance subjects having the associated risk score and the corresponding consequence score” which do not account for additional elements that amount to significantly more than the abstract idea because receiving data and displaying/presenting data (See MPEP 2106.05) have been identified as well-known, routine, and conventional steps/functions to one of ordinary skill in the art and the claimed “graphical user interface” which do not account for additional elements that amount to significantly more than the abstract idea because the claimed structure merely amounts to the application or instructions to apply the abstract idea on a computer and does not move beyond a general link of the use of an abstract idea to a particular technological environment (See MPEP 2106.05). The additional limitations of the independent and dependent claim(s) when considered individually and as an ordered combination do not amount to significantly more than the abstract idea.  The examiner has considered the dependent claims in a full analysis including the additional limitations individually and in combination as analyzed in the independent claim(s). Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 7-8, 10-11, 14-15, 18, and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cogliandro (U.S 2004/0015375 A1) in view of Hoover (U.S 2017/0286870 A1).
Claims 1, 8, and 15
Regarding Claim 1, Cogliandro discloses the following:
A method for monitoring status of compliance subjects using a graphical user interface, the method comprising [see at least Paragraph 0002 for reference to the invention relating to a method for reducing risk to a firm and a firm program, and more particularly, reducing risk and improving yield or performance by considering firm strategic intent, program phase, and integrated visuals; Paragraph 0118 for reference to the user interface comprising an inputer for monitoring and directing and/or controlling processor and a displayer for displaying processor prompts and results]
determining a risk score for an entity in an organization, wherein the risk score indicates a likelihood of misconduct associated with a compliance subject by an employee within the entity, wherein the compliance subject is indicative of a category of rules or regulations with which the organization is required to comply [see at least Paragraph 0051 for reference to the risk score for an identified risk element which is graded based on two factors: likelihood and consequence; likelihood which is measured on five levels is the likelihood or probability that the risk will happen; Figure 2 for reference to the likelihood quantification chart in which employees are performing tasks to meet milestones] 
determining a consequence score associated with the compliance subject [see at least Paragraph 0052 for reference to the second grading factor used to quantify the risk associated with a risk element being consequence, which measures, by levels, the magnitude of the impact of the risk, against cost, schedule, and technical performance; Figure 3 for reference to the Consequence Chart that displays the level of consequences from 1-5 and corresponding schedule, cost, and technical performance factors] 
generating a graphical user interface comprising a risk plot region [see at least Paragraph 0056 for reference to stop light chart comprises a y-axis, which corresponds to likelihood levels and an x-axis, which corresponds to consequence levels; Paragraph 0118 for reference to the user interface including artificial intelligence or simple input queries to obtain risk management input to predefined questions; Figure 4 for reference to the Risk Assessment Guide which displays the consequence score on the x-axis and the risk item likelihood score on the y-axis; Figure 10 and related text regarding item 1030 ‘user interface’]
at least partially in response to the determining of the risk score and the determining of the consequence score, causing a rendering, within the graphical user interface, of at least one graphical indicator in a specific location within the risk plot region [see at least Paragraph 0077 for reference to the risk management method utilizing a visual stop-light chart to assist in the transformation from risk score to risk assessment value; Paragraph 0118 for reference to the user interface including artificial intelligence or simple input queries to obtain risk management input to predefined questions; Figure 4 for reference to the Risk Assessment Guide which displays the consequence score on the x-axis and the risk item likelihood score on the y-axis; Figure 10 and related text regarding item 1030 ‘user interface’]
While Cogliandro discloses the limitations above, it does not disclose the at least one graphical indicator comprising a frequency count of compliance subjects having the associated risk score and corresponding consequence score. 
However, Hoover discloses the following:
the at least one graphical indicator comprises a frequency count of compliance subjects having the associated risk score and corresponding consequence score [see at least Paragraph 0130 for reference to Figure 12A displaying the frequency of price risk scores, Figure 12B displaying the frequency of the supplier risk scores, and Figure 12C displaying the frequency of item risk scores; Figures 12A-C and related text regarding the examples of price risk scores, supplier risk scores, and item risk scores on a scoring scale]
Before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify the monitoring method of Cogliandro to include the graphical indication of frequency count of Hoover. Doing so would facilitate quickly identifying which bids are high risk, as stated by Hoover (Paragraph 0096).
Claims 4, 11, and 18
While the combination of Cogliandro and Hoover discloses the limitations above, regarding Claim 4, Cogliandro discloses the following:
generating a second graphical user interface associated with a risk mitigation plan for a first compliance subject of the compliance subjects [see at least Paragraph 0057 for reference to a mitigation plan being developed for an associated risk element after the risk assessment value is identified for the primary driver; Paragraph 0117 for reference to the processor containing a mitigator to develop possible mitigation plans for the assessed risk; Paragraph 0118 for reference to the user interface including artificial intelligence or simple input queries to obtain risk management input to predefined questions as well as a displayer for displaying processor prompts and results; Figures 6-8 and related text regarding the modification of consequence factors and the corresponding second graphical user interface which displays the modification definition table and sample modified consequence chart]
the second user interface comprises a first portion for receiving input specifying one or more activities to be completed to reduce a risk level of the first compliance subject [see at least Paragraph 0058 for reference to the project risk rating which is determined by plotting all the project primary drivers and analyzing them determining that the risk assessment value for the majority of the primary drivers is the program risk assessment value which are then given mitigation plans to focus on mitigating risk to the individual risk element; Paragraph 0117 for reference to the processor containing a mitigator to develop possible mitigation plans for the assessed risk; Paragraph 0118 for reference to the user interface including artificial intelligence or simple input queries to obtain risk management input to predefined questions as well as a displayer for displaying processor prompts and results; Figure 6 and related text regarding item 620 ‘Identify phase expectations’]
a second portion for receiving input specifying a risk mitigation point that represents a future risk assessment for the first compliance subject after the risk mitigation plan has been completed [see at least Paragraph 0059 for reference to the managing of the mitigation plan once completed including monitoring the risk items and potentially recalculating due to a significant event in the project occurring or a change in the risk item; Paragraph 0086 for reference to management of the mitigation plan including monitoring the risk items for example adding resources, re-training personnel, looking for an alternate vendor, etc.; Paragraph 0117 for reference to the processor containing a mitigator to develop possible mitigation plans for the assessed risk; Paragraph 0118 for reference to the user interface including artificial intelligence or simple input queries to obtain risk management input to predefined questions as well as a displayer for displaying processor prompts and results; Figure 10 and related text regarding item 1030 ‘user interface’]
Claims 7, 14, and 21
While the combination of Cogliandro and Hoover disclose the limitations above, Cogliandro does not disclose receiving a user selection of the frequency count of compliance subjects having the associated risk score and the corresponding consequence score; generating, in response to receiving the user selection of the frequency count, a second graphical user interface comprising a listing of the compliance subjects having the associated risk score and the corresponding consequence score. 
Regarding Claim 7, Hoover discloses the following:
receiving a user selection of the frequency count of compliance subjects having the associated risk score and the corresponding consequence score [see at least Paragraph 131 for reference to scores being selected to provide drill downs to display additional information related to the scores] 
generating, in response to receiving the user selection of the frequency count, a second graphical user interface comprising a listing of the compliance subjects having the associated risk score and the corresponding consequence score [see at least Paragraph 131 for reference to scores being selected to provide drill downs to display additional information related to the scores; Paragraph 0134 for reference to the supplier risk drill down displaying the values for the variables for each company; Paragraph 0135 for reference to the item risk drill down showing key flags which are variables in the item risk down model; Figures 15A-B, 16A-B, 17 and related text regarding drill down methods for price risk and supplier risk] 
Before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify the monitoring method of Cogliandro to include the user selection of frequency count and graphical user interface listing of Hoover. Doing so would facilitate quickly identifying which bids are high risk, as stated by Hoover (Paragraph 0096). 
Claim 10
While the combination of Cogliandro and Hoover discloses the limitations above, regarding Claim 10, Cogliandro discloses the following:
the compliance subjects include categories or types of rules or regulations with which the organization is required to comply [see at least Paragraph 0065 for reference to the risk management method being sensitized to the firm’s strategic intent including a firm’s objectives and goals such as political, regulatory, or geographical issues]

Claims 2-3, 9, and 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cogliandro (U.S 2004/0015375 A1) in view of Hoover (U.S 2017/0286870 A1), as applied in claims 1, 8, and 15, in view of Fujisawa (U.S 2017/0251007 A1).
Claims 2, 9, and 16
While the combination of Cogliandro and Hoover discloses the limitations above, Cogliandro does not disclose determining the risk score further comprises: determining a rationalization component score representing an ability of the employee to justify an act of misconduct; determining an opportunity component score representing a difficulty with which the employee can commit the act of misconduct; determining a pressure component score representing a motive for the employee to commit the act of misconduct; and determining the risk score based on the rationalization component score, the opportunity component score, and the pressure component score. 
Regarding Claim 2, Fujisawa discloses the following:
determining the risk score further comprises: determining a rationalization component score representing an ability of the employee to justify an act of misconduct [see at least Paragraph 0037 for reference to the scoring engine being configured to determine risk scores for users based on the monitoring of events which represents an overall measure of risk of the user; Paragraph 0078 for reference to once the IoBs has been indicated an rationalization score is calculated; Figure 3 and related text regarding item 320 ‘Determine a security risk score for the user based on the opportunity score, pressure score, and rationalization score’ and item 312 ‘Determine based on the event log a rationalization IoB for the user’ and item 318 ‘Determine, based on the rationalization IoB, a rationalization score’; Figure 10 and related text regarding ‘Indicators of Behavior: Rationalization’]
determining an opportunity component score representing a difficulty with which the employee can commit the act of misconduct [see at least Paragraph 0037 for reference to the rationalization score providing a measure of a probability or likelihood of fraudulent activity based on the rationalization factors determining an opportunity component score representing a difficulty with which the employee can commit the act of misconduct; Paragraph 0078 for reference to once the IoBs has been indicated an opportunity score is calculated; Figure 3 and related text regarding item 314 ‘Determine, based on the opportunity loB, an opportunity score’; Figure 8 and related text regarding ‘Indicators of Behavior: Opportunity’] 
determining a pressure component score representing a motive for the employee to commit the act of misconduct [see at least Paragraph 0037 for reference to pressure score providing a measure of a probability or likelihood of fraudulent activity based on the pressure factors; Paragraph 0078 for reference to once the IoBs has been indicated a pressure score is calculated; Figure 3 and related text regarding item 316 ‘Determine, based on the pressure loB, a pressure score’; Figure 9 and related text regarding ‘Indicators of Behavior: Pressure/Incentive’]
determining the risk score based on the rationalization component score, the opportunity component score, and the pressure component score [see at least Paragraph 0037 for reference to the overall security risk score for the user may then be determined based on an algorithmic transformation of the opportunity, pressure, and rationalization scores; Paragraph 0070 for reference to the scoring engine being configured to determine a security risk score for the user based on the opportunity score, pressure score, and rationalization score based on a combination and/or (e.g., weighted) average of the O, P, and R scores associated with the user; Figure 3 and related text regarding item 320 ‘Determine a security risk score for the user based on the opportunity score, pressure score, and rationalization score’]
Before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify the status monitoring method of Cogliandro to include the risk score calculation of Fujisawa. Calculating the risk score in such a way would allow distinction for detecting different types of attacks, as stated by Fujisawa (Paragraph 0036).
Claims 3 and 17
While the combination of Cogliandro, Hoover, and Fujisawa disclose the limitations above, Cogliandro does not disclose determining the risk score as a summation of numerical values of the rationalization component score, the opportunity component score, and the pressure component score. 
Regarding Claim 3, Fujisawa discloses the following:
determining the risk score as a summation of numerical values of the rationalization component score, the opportunity component score, and the pressure component score [see at least Paragraph 0070 for reference to the scoring engine being configured to determine a security risk score for the user based on the opportunity score, pressure score, and rationalization score based on a combination and/or (e.g., weighted) average of the O, P, and R scores associated with the user; Figure 3 and related text regarding item 320 ‘Determine a security risk score for the user based on the opportunity score, pressure score, and rationalization score’]
Before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify the status monitoring method of Cogliandro to include the risk score summation of Fujisawa. Calculating the risk score in such a way would allow distinction for detecting different types of attacks, as stated by Fujisawa (Paragraph 0036).

Claims 5, 12, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cogliandro (U.S 2004/0015375 A1) in view of Hoover (U.S 2017/0286870 A1), as applied in claims 1, 8, and 15, in view of Dawson (U.S 2008/0033775 A1).
Claims 5, 12, and 19
While the combination of Cogliandro and Hoover discloses the limitations above, Cogliandro does not disclose the graphical user interface further comprises a training summary region indicating a first proportion of employees having completed training related to the compliance subject and a second proportion of remaining employees to complete the training.
Regarding Claim 5, Dawson discloses the following:
the graphical user interface further comprises a training summary region indicating a first proportion of employees having completed training related to the compliance subject and a second proportion of remaining employees to complete the training [see at least Paragraph 0188 for reference to the Training functional area which shows summary information of training courses completed by employees; Paragraph 0188 for reference to the summary information including ID numbers and the start date of the training course; Figure 24-26 for reference to the Training list page]
Before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify the status monitoring method of Cogliandro to include the training summary of Dawson. Doing so would capture information about training programs completed by the employees of entities monitored by compliance professionals which increases employees’ awareness and understanding of their organization’s compliance obligations, as stated by Dawson (Paragraph 0186).


Claims 6, 13, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cogliandro (U.S 2004/0015375 A1) in view of Hoover (U.S 2017/0286870 A1), as applied in claims 1, 8, and 15, in view of Perkins (U.S 2010/0058114 A1).
Claims 6, 13, and 20
While the combination of Cogliandro and Hoover discloses the limitations above, Cogliandro does not disclose the graphical user interface further comprises a mitigation status region indicating a first proportion of open mitigation plans for reducing risk of misconduct, a second proportion of completed mitigation plans, and a third proportion of past due mitigation plans.
Regarding Claim 6, Perkins discloses the following:
the graphical user interface further comprises a mitigation status region indicating a first proportion of open mitigation plans for reducing risk of misconduct, a second proportion of completed mitigation plans, and a third proportion of past due mitigation plans [see at least Paragraph 0113 for reference to the program management created by the Test Event Manager including the mitigation response to the milestone and the status of the plan of action such as open; Paragraph 0206 for reference to the input/out interfaces including communications interfaces such as a graphical user interfaces; Figure 8 item 338 for reference to the mitigation region of the model]
Before the effective filing date, it would have been obvious to one of ordinary skill in the art to modify the status monitoring method of Cogliandro to include the mitigation status of Perkins. Doing so would display the findings for all the systems in which the user is a member, as stated in Perkins (Paragraph 0099). This display would allow users to view the status of the mitigation plans that focus on mitigating risk of to the individual risk element, as stated in Cogliandro (Paragraph 0058).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
DOCUMENT ID
INVENTOR(S)
TITLE
US 20180018602 A1
DiMaggio et al.
DETERMINING RISK LEVEL AND MATURITY OF COMPLIANCE ACTIVITIES


THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KRISTIN ELIZABETH GAVIN whose telephone number is (571)270-7019. The examiner can normally be reached M-F 7:30-4:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Epstein can be reached on 571-270-5389. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/K.E.G./Examiner, Art Unit 3683                                                                                                                                                                                                        

/BRIAN M EPSTEIN/Supervisory Patent Examiner, Art Unit 3683