SYSTEMS AND METHODS FOR RISK VISUALIZATION

§101 §103

DETAILED ACTION The following is a Final Office Action. In response to Examiner’s communication of 2/4/25, Applicant, on 8/4/25, amended claims 1 and 17. Claims 1-24 are pending in this application and have been rejected as indicated below. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement Applicant filed an Information Disclosure Statement (IDS) on 6/10/2025. This filing is in compliance with 37 C.F.R. 1.97. As required by M.P.E.P. 609(C), the applicant's submission of the Information Disclosure Statement is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609(C), a copy of the PTOL -1449 form, initialed and dated by the examiner, is attached to the instant office action. Drawings Applicant’s amendments are acknowledged. The 35 USC 101 rejections of claims 1-24 are still applied in light of Applicant’s amendments and explanations. New 35 USC 103 rejections of claim 1-24 are applied in light of Applicant’s amendments and explanations. Claim Rejections - 35 USC§ 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-24 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Here, under considerations of the broadest reasonable interpretation of the claimed invention, Examiner finds that the Applicant invented a method and system for providing a risk overview for an outsourcing company. Examiner formulates an abstract idea analysis, following the framework described in the MPEP as follows: Step 1: The claims are directed to a statutory category, namely a "method" (claims 1-16) and "system" (claims 17-24). Step 2A - Prong 1: The claims are found to recite limitations that set forth the abstract idea(s), namely, regarding claim 1: obtain outsourcing relationship data of the outsourcing company, the outsourcing relationship data including (i) identification of one or more service provider entities that provide services that directly or indirectly affect the outsourcing company and (ii) identification of relevant outsourcing relationships of each of the one or more service provider entities; track relevant aspects of usage of functionalities of a platform system, conduct data analysis and provide reporting of relevant performance indicators including rates of responsiveness to each category of communications related to risk information: identify one or more areas of interest in the relationship data; generate a visual representation of the relationship data, including flagging the one or more areas of interest. Independent claim 17 recites substantially similar claim language. Dependent claims 2-16, and 18-24 recite the same or similar abstract idea(s) as independent claims 1, and 17 with merely a further narrowing of the abstract idea(s) to particular data characterization and/or additional data analyses performed as part of the abstract idea. The limitations in claims 1-24 above falling well-within the groupings of subject matter identified by the courts as being abstract concepts, specifically the claims are found to correspond to the category of: "Certain methods of organizing human activity- fundamental economic principles or practices (including hedging, insurance, mitigating risk); commercial or legal interactions (including agreements in the form of contracts; legal obligations; advertising, marketing or sales activities or behaviors; business relations); managing personal behavior or relationships or interactions between people (including social activities, teaching, and following rules or instructions)" as the limitations identified above are directed to providing a risk overview for an outsourcing company and thus is a method of organizing human activity including at least commercial or business interactions or relations and/or a management of user personal behavior; and/or "Mental processes - concepts performed in the human mind (including an observation, evaluation, judgement, opinion)" as the limitations identified above include mere data observations, evaluations, judgements, and/or opinions, e.g. including user observation and evaluation of providing a risk overview for an outsourcing company, which is capable of being performed mentally and/or using pen and paper. Step 2A - Prong 2: Claims 1-24 are found to clearly be directed to the abstract idea identified above because the claims, as a whole, fail to integrate the claimed judicial exception into a practical application, specifically the claims recite the additional elements of: " generate a visual representation of the relationship data, including flagging the one or more areas of interest, and automatically update the visual representation based on the tracked relevant aspects of usage and the conducted data analysis." (claim 1, 16, and 17) however the aforementioned elements directed to the receiving of user input/selection of data to view via a dashboard and displaying corresponding data via the dashboard merely amount to generic GUI elements of a general purpose computer used to "apply" the abstract idea (MPEP 2106.05(f)) and/or is merely an attempt at limiting the abstract idea of providing a risk overview for an outsourcing company to a particular field of use/technological environment of a GUI dashboard (MPEP 2106.05(h)) and therefore the GUI dashboard input and display of data fails to integrate the abstract idea into a practical application; " A method of providing a risk overview for an outsourcing company comprising using at least one hardware processor to" (claim 1), “A non-transitory computer-readable medium having instructions stored therein, wherein the instructions, when executed by a processor, cause the processor to,” (claim 17), however the aforementioned elements merely amount to generic components of a general purpose computer used to "apply" the abstract idea (MPEP 2106.0S(f)) and thus fails to integrate the recited abstract idea into a practical application, furthermore the high-level recitation of receiving data from a generic "hardware processor” is at most an attempt to limit the abstract to a particular field of use (MPEP 2106.0S(h), e.g.: "For instance, a data gathering step that is limited to a particular data source (such as the Internet) or a particular type of data (such as power grid data or XML tags) could be considered to be both insignificant extra-solution activity and a field of use limitation. See, e.g., Ultramercial, 772 F.3d at 716, 112 USPQ2d at 1755 (limiting use of abstract idea to the Internet); Electric Power, 830 F.3d at 1354, 119 USPQ2d at 1742 (limiting application of abstract idea to power grid data); Intellectual Ventures I LLC v. Erie lndem. Co., 850 F.3d 1315, 1328-29, 121 USPQ2d 1928, 1939 (Fed. Cir. 2017) (limiting use of abstract idea to use with XML tags).") and/or merely insignificant extra-solution activity (MPE 2106.05(g)) and thus further fails to integrate the abstract idea into a practical application; Step 2B: Claims 1-24 do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements as described above with respect to Step 2A Prong 2 merely amount to a general purpose computer that attempts to apply the abstract idea in a technological environment (MPEP 2106.0S(f)), including merely limiting the abstract idea to a particular field of use of providing a risk overview for an outsourcing company via a "hardware processor" via a GUI "visual representation", as explained above, and/or performs insignificant extra-solution activity, e.g. data gathering or output, (MPEP 2106.0S(g)), as identified above, which is further found under step 2B to be merely well-understood, routine, and conventional activities as evidenced by MPEP 2106.0S(d)(II) (describing conventional activities that include transmitting and receiving data over a network, electronic recordkeeping, storing and retrieving information from memory, electronically scanning or extracting data from a physical document, and a web browser's back and forward button functionality). Therefore, similarly the combination and arrangement of the above identified additional elements when analyzed under Step 2B also fails to necessitate a conclusion that the claims amount to significantly more than the abstract idea directed to providing a risk overview for an outsourcing company. Claims 1-24 are accordingly rejected under 35 USC§ 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea(s)) without significantly more. Note: The analysis above applies to all statutory categories of invention. As such, the presentment of any claim otherwise styled as a machine or manufacture, for example, would be subject to the same analysis For further authority and guidance, see: MPEP § 2106 https://www.uspto.gov/patents/laws/examination-policy/subject-matter-eligibility Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-10, 13-19, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication Number 2017/0236079 to Venna et al. (hereafter referred to as Venna) in view of U.S. Patent Number 11620338 to Bullard et al. (hereafter referred to as Bullard). As per claim 1, Venna teaches: A method of providing a risk overview for an outsourcing company comprising using at least one hardware processor to: (Paragraph Number [0007] teaches a processor receives invocations of the displayed controls and causes a corresponding database query to be applied to the graph database without the user having to formulate or edit the database query. The display device graphically displays nodes and edges that are a result of applying the query to the graph database). obtain outsourcing relationship data of the outsourcing company, the outsourcing relationship data including (i) identification of one or more service provider entities that provide services that directly or indirectly affect the outsourcing company (Paragraph Number [0071] teaches a graph or map (which we sometimes call an “entity relationship map” or a “business graph”) illustrating third-party and fourth-party relationships among entities can be generated from the graph database. The entity relationship map can be displayed on a graphical user interface. The existence and direction of dependencies determined during the translation of the collected data, can be displayed as part of the map. For example, the dependencies can be used to determine which entity in a relationship is a service provider. Nodes can be used to represent entities and accumulations of entities on the map. For example, child nodes can represent child entities and parent nodes can represent parent entities that comprise accumulations of child entities. Edges can be used to represent relationships and the directions of dependences (e.g. which entity is dependent in a relationship)). and (ii) identification of relevant outsourcing relationships of each of the one or more service provider entities (Paragraph Number [0072] teaches when a business graph is displayed to a user through a graphical user interface, the user can be provided with controls to enable a wide variety of actions with respect to the business graph. For example, the portion of the entity relationship map that is displayed can be determined by controls displayed to the user, such as filter controls. The user can manipulate the displayed filter controls to alter a database query easily and intuitively without having to formulate or edit the database query in the typical (sometimes cumbersome and formalistic) way. A user can filter the displayed nodes and edges based on one or more characteristics of the nodes or edges in the business graph. For example, multiple child nodes can be condensed into a single parent node based on the relationships of the entities represented by the multiple child nodes with other entities. For example, entities having common third party relationships can be condensed into a parent node. Entities having fourth-party relationships with a given entity can be kept and displayed as distinct nodes). track relevant aspects of usage of functionalities of a platform system (Paragraph Number [0088] teaches any transaction on these protocols can be collected passively or actively. Also, for any protocol the collection can happen both actively and passively, providing a feed of actively collected data and a feed of passively collected data. The part of the system that interprets the transactions may treat records within these feeds as the same and ignore the fact that one was collected actively or collected passively. Paragraph Numbers [0119]-[0123] teach whether the collection source is active or passive, the aggregation of data from the remote data sources to a local database or data repository of the system can be performed in a variety of ways, including: 1. Streaming the data to a collector that may perform de-duplication depending on volume and needs of the original data sets. 3. The collector pushing the data directly into a common data store used by the processing pipeline of the system. 4. Collecting data from legal documents, public disclosures, press releases, resumes, and other publicly available documents. (See also Paragraph Number [0159])). conduct data analysis and provide reporting of relevant performance indicators (Paragraph Number [0045] teaches information about relationships among technology assets and services and the entities responsible for them can be collected, stored, and analyzed in a wide variety of ways as a basis for understanding the relationships, the assets, the services, and the entities, and for creating graphical representations of them, such as graphs or maps. Paragraph Number [0222] teaches Natural Language Processing (NLP) can be used to process the press releases, public disclosures, court records, press releases, resumes, and financial filings to identify potential entity relationships, acquisitions, and partnerships. Maps for entities that are included in the graph database can be connected to each other through relationships, such as ownership, with start and end dates and percentage. For other entity relationships and partnerships it may be possible identify the type and include a confidence value as attributes of the edge between the related entity nodes. The original document could also be stored with a link to the source). including rates of responsiveness to each category of communications related to risk information (Paragraph Number [0065] teaches data indicative of relationships are collected using so-called active collection. Active collection applies, for example, when the client conducting a transaction is controlled by the party collecting the data. In active collection, the party collecting the data may intentionally control or modify actions that the client performs and in that way be able to collect more data, more accurate data, more useful data, and data that achieves other purposes. The response from the server can vary based on factors such as the request sent by the client, the timing of the client request, the number of requests sent by the client, or any combination of such factors. Paragraph Number [0068] teaches passive data collection and active data collection can be used together to enhance the performances of each collection approach. For example, passive data collection can reveal additional server response types or resources on the server that were inaccessible by the controlled client during active data collection. Paragraph Number [0092] teaches the response of the server to the two different client behaviors may be different to ensure compatibility with older technologies. Changing the timing of individual requests can put more control around the change in client behavior. [0243] In addition, the system can alert the insurer of changes to the aggregation risk profile of a portfolio either when portfolio composition changes (e.g., new companies are insured or some companies are not renewed) or when the system discovers changes in supplier relationships within the existing portfolio. (See also Paragraph Numbers [0222] and [0253])). identify one or more areas of interest in the relationship data (Paragraph Number [0074] teaches the display of nodes and edges that are the result of an applied query can change dynamically as the user invokes the displayed controls. For example, selecting a node representing a fourth-party entity can cause the display to show a table of all impacted third-party entities, regardless of their connections to other fourth-party entities. In some cases, selecting an edge representing a relationship can cause the display of metadata related to the relationship. (See also Paragraph Number [0076])). generate a visual representation of the relationship data, including flagging the one or more areas of interest. (Paragraph Number [0043] teaches the term “graphical representation” broadly to include, for example, one or more graphical elements that represent information; the graphical elements can be any visual elements such as points, lines, shapes, regions or any other geometric constructs, icons, symbols, controls, windows, or lists; in some cases the graphical representation can comprise a graph, a map, a block diagram, a flow diagram, chart, or a matrix, to name a few. Paragraph Number [0046] teaches a graphical representation can take the form of an entity map (which we sometimes also call a business graph). We use the phrase “entity map” or “business graph” broadly to include, for example, any graphical representation of relationships among entities or assets or both. An entity map can provide a visualization of entities, relationships, and assets using a graphical user interface and a graph database that stores nodes and edges. A business graph can illustrate all of the third-party and fourth-party relationships of a populations of entities). Venna teaches updating a visualization on a graphical user interface based on received data from a user, but does not explicitly teach automatically updating a visualization based on received data which is taught by the following citations from Bullard: automatically update the visual representation based on the tracked relevant aspects of usage and the conducted data analysis (Col. 6 lines 10-25 teach applications 112 can also include GUI generator 116. GUI generator 116 may build and update a graphical user interface for user display 128. GUI generator 116 may receive data from other components of applications 112 to be displayed to a user. GUI generator 116 may use and/or store settings and parameters of display 128 to generate a GUI. In some embodiments, GUI generator 116 may generate a dashboard in which the data and relationship graph can be presented. Such a dashboard may include panels (used interchangeably with panes) which organize the display of data. The relationship graph may or may not be presented within a panel. Data panels may be dedicated to a particular type of data, entity, or association. GUI generator 116 may automatically update data displayed in the GUI as new data becomes available or as user selections are detected). Both Venna and Bullard are directed to risk overviews for connected entities. Venna discloses updating a visualization on a graphical user interface based on received data from a user. Bullard improves upon Venna by disclosing automatically updating a visualization based on received data. One of ordinary skill in the art would be motivated to further include automatically updating a visualization based on received data, to efficiently provide a visualization that contains the most up to date information to perform further analysis. Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system and method of updating a visualization on a graphical user interface based on received data from a user in Venna to further utilize automatically updating a visualization based on received data as disclosed in Bullard, since the claimed invention is merely a combination of old elements, and in combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable. As per claim 2, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: wherein obtaining the outsourcing relationship data comprises: obtaining at least partially multi-directionally validated data (Paragraph Number [0042] teaches we use the phrase fourth-party ecosystem broadly to include, for example, a given entity's fourth-party relationships that exist through all of the third-party relationships that the given entity has with other entities. Information about relationships may include not only the existence of the relationship but also the direction of the relationship, for example, not only that entity A has a service relationship with entity B, but also that the relationship is in the direction in which B provides the service to A. Paragraph Number [0208] teaches the figure illustrates nodes that represent SSL certificates 96, nodes that represent SSL certificate issuing authorities 92, and a node 94 that is an entity that served 102 the connected SSL certificate. In the graph database, SSL certificate nodes include attributes such as the subject name, the serial number, valid after and before dates, the signing algorithm, the key algorithm, and the key length). As per claim 3, the combination of Venna and Bullard teaches each of the limitations of claims 1 and 2. In addition, Venna teaches: wherein the at least partially multi-directionally validated data comprises relationship information that has been confirmed by at least two parties. (Paragraph Number [0042] teaches we use the phrase fourth-party ecosystem broadly to include, for example, a given entity's fourth-party relationships that exist through all of the third-party relationships that the given entity has with other entities. Information about relationships may include not only the existence of the relationship but also the direction of the relationship, for example, not only that entity A has a service relationship with entity B, but also that the relationship is in the direction in which B provides the service to A. Paragraph Number [0208] teaches the figure illustrates nodes that represent SSL certificates 96, nodes that represent SSL certificate issuing authorities 92, and a node 94 that is an entity that served 102 the connected SSL certificate. In the graph database, SSL certificate nodes include attributes such as the subject name, the serial number, valid after and before dates, the signing algorithm, the key algorithm, and the key length). As per claim 4, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: wherein identifying the one or more areas of interest comprises identifying critical relationships of the relevant outsourcing relationships (Paragraph Number [0010] teaches information is received that is indicative of service relationships between (a) each business entity that belongs to a portfolio of business entities, and (b) other business entities. The service relationships are identified based on the received information. Based on the identified service relationships, information is displayed that is indicative of a business risk to an entity that is associated with the portfolio. The business risk is related to the identified service relationships. Paragraph Number [0051] teaches a relationship can be characterized by the entities that are parties to the relationship. In some cases, a relationship can be a parent-child relationship such that one entity (the parent) contains or owns one or more other entities (the child or children). In some examples, the relationship is a service relationship such that one entity provides a service directly to another entity which is being served). As per claim 5, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: wherein identifying the one or more areas of interest comprises identifying sub-contracting entities of the one or more service provider entities, wherein the sub-contracting entities (i) do not provide services directly to the outsourcing company and (ii) do provide a service to at least one other of the one or more service providers that is relevant to the outsourcing company (Paragraph Number [0175] teaches as shown in FIG. 7, in the graph database, information can be stored that captures relationships among domains including the relationships of super domains 80 to their subdomains 82 and to entities 84 that operate (are responsible for) them. Paragraph Number [0177] teaches entities can have technical assets mapped to them, such as IP addresses/CIDR blocks (groups of IP address that are assigned by regional registrars) and domains. In the graph database, entities that are related to each other, such as in a parent-child (subsidiary) relationship or an investment relationship, are connected by edges to represent those relationships. Both parent-child and investment relationships have attributes that can include start and end dates, and investment relationships can have percentage of ownership as an attribute. The GUID allows lookup in the graph database or in an entity database of all details of the events that impact an entity's rating). As per claim 6, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: wherein identifying the one or more areas of interest comprises identifying one or more potential concentrations of risk within the outsourcing relationship data (Paragraph Number [0203] teaches we might discover that a user from “Organization B” visited a website belonging to “Organization A”, but that website is insecurely configured and opens up risks to users of “Organization B”, and more importantly to all organizations (or nodes) accessing the website of “Organization A” whose content is now at risk from “Organization A” poor configuration of their systems. Thus, if the node of the website is viewed and then all edges representing visitors are viewed, the results would show the organizations at risk by using this website maintained by “Organization A”. Alternatively, all edges of a certain type can be returned for a node (“Organization B”), so one could view the combination of edges that represent viewing high-risk websites connected to “Organization B” and thus be returned with a data set that shows all websites viewed by users of “Organization B” and appropriate mitigation can take place. (See also Paragraph Number [0259])). As per claim 7, the combination of Venna and Bullard teaches each of the limitations of claims 1 and 6. In addition, Venna teaches: wherein the one or more potential concentrations of risk comprises: one or more sub-contractors of the one or more service provider entities that provides services to two or more of the one or more service provider entities. (Paragraph Number [0203] teaches we might discover that a user from “Organization B” visited a website belonging to “Organization A”, but that website is insecurely configured and opens up risks to users of “Organization B”, and more importantly to all organizations (or nodes) accessing the website of “Organization A” whose content is now at risk from “Organization A” poor configuration of their systems. Thus, if the node of the website is viewed and then all edges representing visitors are viewed, the results would show the organizations at risk by using this website maintained by “Organization A”. Alternatively, all edges of a certain type can be returned for a node (“Organization B”), so one could view the combination of edges that represent viewing high-risk websites connected to “Organization B” and thus be returned with a data set that shows all websites viewed by users of “Organization B” and appropriate mitigation can take place. (See also Paragraph Number [0259])). As per claim 8, the combination of Venna and Bullard teaches each of the limitations of claims 1 and 6. In addition, Venna teaches: wherein the one or more potential concentrations of risk comprises: a multiply-used entity of the one or more service provider entities, wherein the multiply-used entity provides relevant services (i) directly to two or more others of the one or more service provider entities or (ii) directly to one other of the one or more service provider entities and the outsourcing company (Paragraph Number [0203] teaches we might discover that a user from “Organization B” visited a website belonging to “Organization A”, but that website is insecurely configured and opens up risks to users of “Organization B”, and more importantly to all organizations (or nodes) accessing the website of “Organization A” whose content is now at risk from “Organization A” poor configuration of their systems. Thus, if the node of the website is viewed and then all edges representing visitors are viewed, the results would show the organizations at risk by using this website maintained by “Organization A”. Alternatively, all edges of a certain type can be returned for a node (“Organization B”), so one could view the combination of edges that represent viewing high-risk websites connected to “Organization B” and thus be returned with a data set that shows all websites viewed by users of “Organization B” and appropriate mitigation can take place. (See also Paragraph Number [0259])). As per claim 9, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: wherein identifying the one or more areas of interest comprises identifying security-critical relationships of the relevant outsourcing relationships, wherein the security-critical relationships comprise at least storage or transfer of sensitive information (Paragraph Number [0247] teaches information security managers are typically in charge of creating, maintaining, and enforcing network security policies, as well as managing and documenting compliance with regulatory policies regarding sensitive data (like personal or financial records). The information available in the graph database and presented as an entity map through the graphical user interface can be used for a variety of purposes by information security managers, including the following examples. Paragraph Number [0259] teaches a user interface presented in a web browser for viewing aspects of aggregated risks, a navigation bar 350 is presented on the left side of a webpage 348. The navigation bar allows the user to search for an entity by entering a URL in a search box 352. By invoking a portfolio button 354, the user can view risk associated with all entities that belong to a portfolio, for example, a portfolio of entities with which the user's company has third-party relationships, or a portfolio of entities chosen in some other way. By invoking a 4.sup.th parties button, the user is able to view information about risks associated with fourth-party entities. (See also Paragraph Number [0260])). As per claim 10, the combination of Venna and Bullard teaches each of the limitations of claims 1 and 9. In addition, Venna teaches: wherein the sensitive information comprises one or more of: personally identifiable information or financial data (Paragraph Number [0247] teaches information security managers are typically in charge of creating, maintaining, and enforcing network security policies, as well as managing and documenting compliance with regulatory policies regarding sensitive data (like personal or financial records). The information available in the graph database and presented as an entity map through the graphical user interface can be used for a variety of purposes by information security managers, including the following examples). As per claim 13, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: wherein identifying the one or more areas of interest comprises identifying one or more entities of the one or more service provider entities that least partially operate in a regulatory jurisdiction that is different from a regulatory jurisdiction of the outsourcing company (Paragraph Number [0168] teaches physical locations can be collected automatically from natural language processing of website responses or as part of the registration information for CIDRs and domains, manually collected as part of the creation of the entity maps, or aggregated from official and unofficial business databases provided by government entities or private organizations. These physical locations can be used similar to the other asset types when considering risk, particularly of importance for determining if there are a number of third or fourth parties with common locations, or if a particular location is impacted by a natural or unnatural disaster or event. Thus, in some cases business risks can be associated with geographical considerations, including risks of a supply chain interruption associated with a particular geography). As per claim 14, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: further comprising using the at least one hardware processor to: periodically update the outsourcing relationship data; and generate new visual representations of the relationship data (Paragraph Number [0048] teaches a database engine associated with a graph database can manage, update, query, and perform other operations with respect to the graph database and nodes and edges stored within the graph database. The database engine also can respond to controls displayed on the graphical user interface and invoked by the user. In that way, the user can partially or completely control the information represented by elements of the map and visual characteristics of the display of the map and its elements to the user through the graphical user interface. Paragraph Number [0049] teaches a user can use displayed controls of a graphical user interface, to formulate, update, alter, or apply a database query to the graph database. In some cases, the displayed controls can include elements that can be invoked by the user in such a way that the user need not formulate or edit a formal database query in the usual way. The graph database can respond to the controls invoked by the user and display graphically nodes and edges that are a result of applying the query to the graph). As per claim 15, the combination of Venna and Bullard teaches each of the limitations of claims 1 and 14. In addition, Venna teaches: wherein periodically updating comprises at least one of: monitoring one or more databases, periodically querying the one or more entities, or periodically querying the outsourcing company (Paragraph Number [0048] teaches a database engine associated with a graph database can manage, update, query, and perform other operations with respect to the graph database and nodes and edges stored within the graph database. The database engine also can respond to controls displayed on the graphical user interface and invoked by the user. In that way, the user can partially or completely control the information represented by elements of the map and visual characteristics of the display of the map and its elements to the user through the graphical user interface. Paragraph Number [0049] teaches a user can use displayed controls of a graphical user interface, to formulate, update, alter, or apply a database query to the graph database. In some cases, the displayed controls can include elements that can be invoked by the user in such a way that the user need not formulate or edit a formal database query in the usual way. The graph database can respond to the controls invoked by the user and display graphically nodes and edges that are a result of applying the query to the graph). As per claim 16, the combination of Venna and Bullard teaches each of the limitations of claim 1. In addition, Venna teaches: further comprising using the at least one hardware processor to: display the visual representation of the relationship data via a graphic user interface connected to the at least one hardware processor; detect user inputs via the graphic user interface; and in response to the user inputs, modify the visual representation (Paragraph Number [0071] teaches a graph or map (which we sometimes call an “entity relationship map” or a “business graph”) illustrating third-party and fourth-party relationships among entities can be generated from the graph database. The entity relationship map can be displayed on a graphical user interface. The existence and direction of dependencies determined during the translation of the collected data, can be displayed as part of the map. For example, the dependencies can be used to determine which entity in a relationship is a service provider. Nodes can be used to represent entities and accumulations of entities on the map. For example, child nodes can represent child entities and parent nodes can represent parent entities that comprise accumulations of child entities. Edges can be used to represent relationships and the directions of dependences (e.g. which entity is dependent in a relationship). (See Paragraph Numbers [0048]-[0049] in regard to inputs and updates that result in modification of the visual display)). As per claim 17, the combination of Venna and Bullard teaches: A non-transitory computer-readable medium having instructions stored therein, wherein the instructions, when executed by a processor, cause the processor to (Paragraph Number [0007] teaches a processor receives invocations of the displayed controls and causes a corresponding database query to be applied to the graph database without the user having to formulate or edit the database query. The display device graphically displays nodes and edges that are a result of applying the query to the graph database). obtain outsourcing relationship data including identification relationships between two or more of a plurality of connected entities (Paragraph Number [0071] teaches a graph or map (which we sometimes call an “entity relationship map” or a “business graph”) illustrating third-party and fourth-party relationships among entities can be generated from the graph database. The entity relationship map can be displayed on a graphical user interface. The existence and direction of dependencies determined during the translation of the collected data, can be displayed as part of the map. For example, the dependencies can be used to determine which entity in a relationship is a service provider. Nodes can be used to represent entities and accumulations of entities on the map. For example, child nodes can represent child entities and parent nodes can represent parent entities that comprise accumulations of child entities. Edges can be used to represent relationships and the directions of dependences (e.g. which entity is dependent in a relationship)). wherein at least a portion of the relationships are multi-directionally validated (Paragraph Number [0042] teaches we use the phrase fourth-party ecosystem broadly to include, for example, a given entity's fourth-party relationships that exist through all of the third-party relationships that the given entity has with other entities. Information about relationships may include not only the existence of the relationship but also the direction of the relationship, for example, not only that entity A has a service relationship with entity B, but also that the relationship is in the direction in which B provides the service to A. Paragraph Number [0208] teaches the figure illustrates nodes that represent SSL certificates 96, nodes that represent SSL certificate issuing authorities 92, and a node 94 that is an entity that served 102 the connected SSL certificate. In the graph database, SSL certificate nodes include attributes such as the subject name, the serial number, valid after and before dates, the signing algorithm, the key algorithm, and the key length). obtain a selection of at least one of (i) a type of risk evaluation, (ii) an entity of the plurality of connected entities, and (iii) an area of interest (Paragraph Number [0073] teaches for some nodes that are the result of applying a database query, the entity relationship map can display information about the nodes as text instead of graphically. For example, the contents and related metadata of a selected parent node can be displayed in a table when the parent node is selected by the user. The table can include text associated with one or more nodes. For example, the table can include text related to entities associated with child nodes). based on the selection, generate a visual representation of the outsourcing relationship data (Paragraph Number [0043] teaches the term “graphical representation” broadly to include, for example, one or more graphical elements that represent information; the graphical elements can be any visual elements such as points, lines, shapes, regions or any other geometric constructs, icons, symbols, controls, windows, or lists; in some cases the graphical representation can comprise a graph, a map, a block diagram, a flow diagram, chart, or a matrix, to name a few. Paragraph Number [0046] teaches a graphical representation can take the form of an entity map (which we sometimes also call a business graph). We use the phrase “entity map” or “business graph” broadly to include, for example, any graphical representation of relationships among entities or assets or both. An entity map can provide a visualization of entities, relationships, and assets using a graphical user interface and a graph database that stores nodes and edges. A business graph can illustrate all of the third-party and fourth-party relationships of a populations of entities). As per claim 18, the combination of Venna and Bullard teaches each of the limitations of claim 17. In addition, Venna teaches: wherein at least one of the plurality of connected entities comprises a first service provider, the selection comprises a selection of the first service provider, and the visual representation comprises one of (i) an overview of all outsourcing relationships of the first service provider and (ii) an overview of all subcontractor relationships of the first service provider (Paragraph Number [0042] teaches we use the phrase fourth-party ecosystem broadly to include, for example, a given entity's fourth-party relationships that exist through all of the third-party relationships that the given entity has with other entities. Information about relationships may include not only the existence of the relationship but also the direction of the relationship, for example, not only that entity A has a service relationship with entity B, but also that the relationship is in the direction in which B provides the service to A. Paragraph Number [0175] teaches as shown in FIG. 7, in the graph database, information can be stored that captures relationships among domains including the relationships of super domains 80 to their subdomains 82 and to entities 84 that operate (are responsible for) them. Paragraph Number [0177] teaches entities can have technical assets mapped to them, such as IP addresses/CIDR blocks (groups of IP address that are assigned by regional registrars) and domains. In the graph database, entities that are related to each other, such as in a parent-child (subsidiary) relationship or an investment relationship, are connected by edges to represent those relationships. Both parent-child and investment relationships have attributes that can include start and end dates, and investment relationships can have percentage of ownership as an attribute. The GUID allows lookup in the graph database or in an entity database of all details of the events that impact an entity's rating). As per claim 19, the combination of Venna and Bullard teaches each of the limitations of claim 17. In addition, Venna teaches: wherein the selection comprises a selection of an area of interest, the area of interest comprising potential crossjurisdictional relationships of any of the plurality of connected entities (Paragraph Number [0168] teaches physical locations can be collected automatically from natural language processing of website responses or as part of the registration information for CIDRs and domains, manually collected as part of the creation of the entity maps, or aggregated from official and unofficial business databases provided by government entities or private organizations. These physical locations can be used similar to the other asset types when considering risk, particularly of importance for determining if there are a number of third or fourth parties with common locations, or if a particular location is impacted by a natural or unnatural disaster or event. Thus, in some cases business risks can be associated with geographical considerations, including risks of a supply chain interruption associated with a particular geography). As per claim 21, the combination of Venna and Bullard teaches each of the limitations of claim 17. In addition, Venna teaches: wherein the instructions, when executed by the processor, further cause the processor to: periodically update the outsourcing relationship data (Paragraph Number [0048] teaches a database engine associated with a graph database can manage, update, query, and perform other operations with respect to the graph database and nodes and edges stored within the graph database. The database engine also can respond to controls displayed on the graphical user interface and invoked by the user. In that way, the user can partially or completely control the information represented by elements of the map and visual characteristics of the display of the map and its elements to the user through the graphical user interface. Paragraph Number [0049] teaches a user can use displayed controls of a graphical user interface, to formulate, update, alter, or apply a database query to the graph database. In some cases, the displayed controls can include elements that can be invoked by the user in such a way that the user need not formulate or edit a formal database query in the usual way. The graph database can respond to the controls invoked by the user and display graphically nodes and edges that are a result of applying the query to the graph). As per claim 22, the combination of Venna and Bullard teaches each of the limitations of claim 17. In addition, Venna teaches: further comprising a communications and risk management system connected to the processor, wherein obtaining the outsourcing relationship data comprises using at least the communications and risk management system to (i) communicate with each of the connected entities (Paragraph Number [0015] teaches the determined risks are reported through the communication network for use in displaying the potential risks to a user. The determined risk is based on the providing of a category of the technology services by a particular one of the third-party entities to more than one of the portfolio business entities. The determined risks are indicative of possible steps that could balance the risks across the portfolio business entities and reduce the risks to the principal business entity. The principal business entity includes a carrier of insurance risk. Paragraph Number [0203] teaches an active or passive collector might discover a login form on another page, but also detect that it's insecurely configured, and could reveal the user's password to local adversaries if they attempted to login). (ii) evaluate each of the connected entities, individually and with respect to others of the connected entities (Paragraph Number [0015] teaches the determined risks are reported through the communication network for use in displaying the potential risks to a user. The de