Parameterization, Analysis, and Risk Management in a Comprehensive Management System with Emphasis on Energy and Performance (ISO 50001: 2018)

Energies, Article

P. Pablo Poveda-Orjuela 1,*, J. Carlos García-Díaz 2, Alexander Pulido-Rojano 3 and Germán Cañón-Zabala 4

1 ASTEQ Technology, 53 Street No. 53-15, Barranquilla 080020, Colombia
2 Centre for Quality and Change Management, Universitat Politècnica de València, Camino de Vera, s/n. 46022 Valencia, Spain; juagardi@eio.upv.es
3 Industrial Engineering Department, Universidad Simón Bolívar, Av. 59 No. 59-92, Barranquilla 080020, Colombia; apulido3@unisimonbolivar.edu.co
4 QUARA Group, 157 Street No. 13 B-20, Bogotá 110121, Colombia; gcanonz@quaragroup.com
* Correspondence: pedpoor@doctor.upv.es or ppoveda@asteqtech.com; Tel.: +57-3008897111

Received: 7 September 2020; Accepted: 13 October 2020; Published: 26 October 2020

Abstract: The future of business development relies on the effective management of risks, opportunities, and energy and water resources. Here, we evaluate the application of best practices to identify, analyze, address, monitor, and control risks and opportunities (R/O) according to ISO 31000 and 50000. Furthermore, we shed light on tools, templates, ISO guides, and international documents that contribute to classifying, identifying, formulating control, and managing R/O parameterization in a comprehensive management system model, namely CMS QHSE3+, which consists of quality (Q), health and safety (HS), environmental management (E), energy efficiency (E2), and other risk components (+) that include comprehensive biosecurity and biosafety. By focusing on the deployment of R/O-based thinking (ROBT) at strategic and operational levels, we show vulnerability reduction in CMS QHSE3+ by managing energy, efficiency, and sustainability.
Keywords: risks and opportunities management; comprehensive management system; parameterization; vulnerability; energy efficiency; ISO 31000; sustainable success

1. Introduction. Problem Analysis, Research Objectives, and Study Approach

1.1. Vulnerability and Low Sustainability of Entrepreneurship Efforts

In the 1950s, no one could have imagined that the first few decades of the new millennium would give companies a harsh confrontation for survival due to the acute economic situation caused by COVID-19 [1–9]. Statistics between 2000 and 2019 revealed that more than 80% of SMEs declared bankruptcy within 5 years of operation due to issues related to profitability, external environment, and internal decision-making, planning, the execution of good management practices [5–9], or the weight of what Phillipe Kottler called the “marketing war” [10].

The problem is exacerbated by the difficult conditions that entrepreneurs face in a changing market, i.e., increasingly demanding customers, aggressive and unfair competitors, a voracious financial sector, more expensive resources including water and energy, as well as a level of experience and skills that makes them more vulnerable because they do not have the methods or tools to organize themselves and make the right decisions based on information intelligence and good QHSE3+ practices to effectively address the swarm of risks and the context of potential opportunities, for the sustainability of their businesses [2,4–10].
Energies 2020, 13, 5579; doi:10.3390/en13215579; www.mdpi.com/journal/energies

Moreover, the failure rate of ICT projects and the implementation of management systems until 2019 was above 60% in countries with the highest vulnerability [4,7–9]. The root causes of failure in these entrepreneurship efforts are directly related to competencies, discipline, culture, and the application of simple and effective tools to facilitate comprehensive risk management (CRM) by identification, immediate response, containment, evaluation, and treatment.

This is precisely the question that justifies the research efforts that this work supports: What to do to contribute to the sustainable management of SMEs and entrepreneurs?

The authors’ commitment is linked to the configuration of a Reference Framework for Comprehensive Risk Management (CRM), within the Comprehensive Management System CMS-QHSE3+, with tools that facilitate its application to entrepreneurs, supported by Good Practices of related ISO international standards.

It is important to note that the research uses the expressions Comprehensive Risk Management Model (CRM), and Comprehensive Management System (CMS), instead of Integrated Risk Management, or Integrated Management System, for the following reasons: In the first place, management in both cases is integral and holistic, since regardless of the scope or level they are managed in, its unit, its principles and strategic focus, as in DNA, are maintained. Furthermore, the integrated expression, in its etymology and definition of the DRAE, would limit the scope of the system to the sum of its parts, or to the sum of the response to the standards used in each component.
Finally, it is emphasized that it is possible to have an integral management, even if it works or if it is certified with one, two, or three standards, to the extent that the dynamics around the strategy and all the processes are focused on the characteristics, priorities, interests, risks, and opportunities of the organization [4,7,11].

Previously, our research gave rise to the article entitled “ISO 50001: 2018 and its application in a Comprehensive Management System with an energy performance approach”, in which the CMS Model QHSE3+, the Route, the Task Breakdown Structure and the products to be generated in a CMS QHSE3+ Implementation Project, with emphasis on the E2 energy component, were discussed. This paper focuses on the framework of reference for Comprehensive Risk Management CRM, and on the tools for its identification, analysis, and treatment at a strategic and operational level [11–13].

1.2. Objectives

(1). To present a CRM model using CMS QHSE3+ through the applications of best practices to identify, analyze, address, monitor, and control risks and opportunities (R/O), taking into account the guidelines of the families of ISO 31000 standards and ISO 50000, as well as tools, templates, and references to international ISO guides, documents that contribute to the classification, identification, formulation of controls, and parameterization for the deployment of R/O-based thinking (ROBT) at strategic and operational levels.

(2). To present the results obtained on vulnerability reduction at strategic and operational levels through energy efficiency management and business sustainability.
These two objectives are directly linked to the purposes of the present research, which seeks to respond to the need among entrepreneurs and SMEs for tools, models, and instruments that facilitate the application of Good Practices of the families of standards related to the QHSE3+ components, and with Risk Management, to contribute to the sustainable development of entrepreneurship projects, and in the comprehensive generation of value for stakeholders.

1.3. Article Outline

Section 2 presents the basic elements of the study, including (Section 2.1) the presentation of concepts, principles, and advances for comprehensive R/O management; (Section 2.2) energy efficiency; (Section 2.3) comprehensive biosecurity; and (Section 2.4) the integration of requirements associated with high-level hierarchical structure (HLS).

Section 3.1 presents the main objectives and methods of the research, and Section 3.2 the classification matrix of the types of QHSE3+ R/O, including those related to comprehensive biosecurity, which can also be applied to health and safety (HS), environment, quality (Q), or the strategic analysis of risks and provisions to ensure business continuity. Section 3.3 describes the R/O integral management model incorporated into CMS QHSE3+, and Section 3.4 shows its flow and parameterization to facilitate its application through computer tools. Section 3.5 includes the achievements and general benefits obtained with the application of the tools and models presented in this study for the implementation/consolidation of CMS. Section 3.6 presents a discussion on the results obtained in terms of energy efficiency and vulnerability reduction for business sustainability. Section 4 includes the conclusions.
The Appendices include the logical structure and references to tools, guides, and best practices contained in the families of ISO 31000 (Figure A1), ISO 9000 (Figure A2), ISO 45000 (Figure A3), ISO 14000 (Figure A4), and ISO 50000 (Figure A5). Figure A6 presents the approach taken for the continuity plan to govern the COVID-19 pandemic based on the best practices of the ISO 22300 family of standards in a services company. Figure A7 includes the chronology corresponding to the development of the QHSE3+ Standards in correlation with the milestones of musical, artistic, and transcendental expression of man, under a holistic approach. Figures A8–A14 present the detail of the classification of internal and external R/O, according to the layers indicated in Sections 2.4 and 3.2.

2. Materials and Inputs for Research

2.1. Concepts and Principles of CRM

2.1.1. Risks, Risk Management, Intelligence, and Decision-Making

Based on the definitions of ISO 31000: 2018, the ISO 73: 2009 Guide, the Guide for Comprehensive Risk Management published by the Standardization and Certification Body ICONTEC, from the perspective of the ILO, and the approach given by the US Federal National Security Agency to concepts related to danger, threats and risks, in its “Security Lexicon”, as illustrated in Figure 1, the terms on risk management, the intelligence cycle, and the decision-making cycle can be correlated around the Protection of the Integrity of Resources and the Creation of Value, which is the reason of being of Risk Management [13–18].

In Figure 1, concepts associated with intelligence, risk and security are correlated, in the context of Management Systems, taking into account the vulnerability of organizations generated by various sources of risks, which combine the possibility or severity, and that have an impact or consequences, on the achievement of objectives, on capital, or on the integrity of resources.
Oriented from bottom to top of Figure 1, there is an Axis ID which brings together the Intelligence Cycle and the Decision-Making and Actions Cycle, to illustrate the sequence of Knowing (understanding), Reasoning, Deciding, and Acting with Intelligence.

In the area to the right of Figure 1, the flow of the Risk Management Process is proposed, in accordance with the ISO 31000: 2018 approach; the Axis RMP with the same name has been established. The process comprises a sequence of the following actions: (i) Establish the strategic, organizational and risk management context, scope and related criteria; (ii) Identify the risks, that is, determine what can happen and how; (iii) Analyze the risks. This implies analyzing the possibility, the consequences, and sometimes the degree of exposure; and (iv) Assess Risks, which involves listing risks according to their priority.

Figure 1.
Relationship between the concepts of risk, risk management, intelligence, and decision-making, based on ISO 31000, ISO Guide 73: 2009 and DHS USA, 2008 [13,14,19,20].

So far, the steps mentioned in the Intelligence and Risks Cycle correspond to Knowing, Reasoning, and initiating the actions to Decide, based on priorities. Next, there is the stage of Acting with Intelligence. In the process, this corresponds to Treating Risk and Control, i.e., planning and implementing measures to eliminate, reduce, mitigate, or take contingency actions. Next comes the action of Monitoring the control system, and the status of the risk, to close the cycle with the action of Communicating and Consulting, which involves interacting with various parties to obtain a maximum of information about each risk and its context. Finally, all actions and risk treatment consider the Report and Record.

In this approach, the following points stand out:

• The concept of risk is directly associated with uncertainty and constitutes the conjugation of the possibility of an event that may have a positive or negative impact on the achievement of objectives or the integrity of resources. Chance is the source of risk, and in some contexts, it is associated with the term “risk factor” [14,15,19,20].

• Uncertainty is the “state generated by the deficiency of information to understand or know an event, its consequences, and probability of occurrence” [16,19,20].

• Vulnerability is the condition of design, location, or operation that makes an asset, organism, product, service, process, or system susceptible to an attack [14,15,19,20]; its reduction can be assessed in terms of the proportion or percentage of reduction of the risk level, as indicated by Equation (1) [11], where DismVul denotes the percentage decrease in vulnerability after implementing antirisk measures, $Po_i$ and $Go_i$ are the initially assessed possibility and gravity, respectively, and $Pf_i$ and $Gf_i$ are the final possibility and gravity after adopting the planned measures, respectively.

$$\%DismVul = \frac{\sum_{i=1}^{n} (Po_i)(Go_i) - \sum_{i=1}^{n} (Pf_i)(Gf_i)}{\sum_{i=1}^{n} (Po_i)(Go_i)} \qquad (1)$$

• The decisions cycle plays a fundamental role in the activities of any organization. This cycle includes the intelligence cycle, as it considers the phases of capturing information, classifying it, analyzing it, and understanding its context and behavior to guide decision-making [13].

• In the intelligence cycle, identification, analysis, and evaluation must be integrated into risk assessments. The union of the two cycles brings together know (understand), reason, decide, and act with intelligence, linking “intelligence” with decision-making and the orientation of actions with reliable information and the criteria for analyses of the matter to be decided. Thus, with the intelligence of the information, it is possible to reduce the uncertainty linked to decisions.

• The result or impact of R/O is the effect an event can have on the integrity of the resources and objectives. As the impact or consequences can be economic, personal, or missionary, R/O management brings together “the coordinated actions to direct and control the organization concerning its risks and opportunities” [14,17], which focus on reducing their possibility of occurrence and impact, or enhancing opportunities, thereby leading to the creation or protection of value.

• Resilience is the adaptive capacity of an organization in a complex and changing environment [14,15,18]. The US Department of Homeland Security [19], expands this definition as a “systems’ capacity, infrastructures, government, companies, and citizens to resist, absorb, recover from, or adapt to an adverse event that may cause harm, destruction, or loss of national importance,” or the “capacity of an organization to recognize threats and dangers and make adjustments that improve future protection efforts and risk reduction measures.”

• Threat [19] is a natural or man-made phenomenon generated by people, entities, or an action that has or projects potential damage to life, information, operations, the environment, or property. It considers the conditions of intent or unintentionality of the threat.

• The scenario corresponds to a hypothetical situation composed of hazards, an entity affected, and the associated conditions, including consequences when appropriate [19]. An incident is a natural or man-made phenomenon, or an action that has or projects potential harm to damage life, information, operations, the environment, and/or property.

2.1.2. Scope of Risk Management in Society and Companies

Many companies today face the difficulties of the market, competition, and sustainability, and see problems related to water, air, soil, energy, natural resources, global warming, and biosecurity. There are also multiple financial, social, and macroeconomic dangers related to the increase in interest rates, tax burdens, and the strengthening of the prevailing currencies. Thus, doing business is an increasingly difficult mission [12–15]. Changes in customs, habits, ways of doing business, and technological developments and restrictions on access to ICT also generate vulnerability.
With this spectrum of adversities, the future of entrepreneurs and project leaders is marked by the need to make intelligent decisions that allow them to respond appropriately to adverse situations, opportunities, and contingencies. Therefore, it is essential to apply risk management and foresight in strategy and operational dynamics [12–14,21–24].

Thus, it is necessary to determine the tools and guides necessary for the application of the good management practices that underlie each component of CMS QHSE3+:

• For Component Q, associated with the strategic and quality risks, the best practices of ISO 9001: 2015 and ISO 9000 family of standards, support this approach [25].

• For the HS component linked to occupational health and safety risks, the best practices of ISO 45001: 2018 and the ISO 45000 family of standards, also support this approach [26].

• For Component E of the environment related to risks due to contamination and deficiencies in environmental performance, ISO 14001: 2015 and the ISO 14000 family of standards, support the planning and application of best practices [27].

• For the energy efficiency component (E2), the best practices of ISO 50001: 2018 and the ISO 50000 family of standards, support a management approach which reduces the vulnerability associated with the use, consumption, and performance of energy [28].

• The sign (+) at the end of the abbreviation corresponds to any other reference that may be applicable to, or required by the organization, such as ISO 22000: 2018 “Food safety management systems”, or ISO 27001: 2013 “Information Security Management Systems” [29,30].

• At this point, the risks related to corporate social responsibility can be considered part of the additional risks “plus (+)”, as well as the risk of not taking actions that contribute to sustainable development [31].
From the integral perspective of risk management, the approach of ISO 31000: 2018 risk management is applied, and the terms and definitions for risk management and QHSE3+ components are adopted from ISO 73 GUIDE, ISO 9000: 2015, ISO 45001: 2018, ISO 14001: 2015, ISO 14050: 2009, ISO 50001: 2018, and ISO/IEC 13273: 2015 [16,25–28,30–33] (See Figures A1–A5, and Figures A8–A14).

Although there are no specific developments in Risk Management from a comprehensive QHSE3+ perspective, the work carried out by Aven T., Labodová A., the ISO Committee TC 262, ANDI, and ILO, among others, is highlighted [34–48]. See also Figure A1.

2.1.3. Principles of Risk Management

Risk Management must be based on the application of several principles that support its application in the processes and functions of the organization in the context of a business culture that focuses on continuous improvement, the integral generation of value, and sustainable success.

Figure 2 presents the principles of ISO 31000: 2018 [14] within a model in which its perspective is broadened, taking into account the critical factors that underlie the approaches of the previous paragraph regarding the scope and importance of the Management of Risks in companies and in society. For this reason, the illustration uses three versions of “La Danse”, a famous work by Henri Matisse [49], to highlight the holistic and social nature of Comprehensive Risk Management and its principles. Six basic perspectives are considered for its classification: Management and Leadership, Talent and Culture, Processes, Stakeholders, Decisions and Improvement.
In a similar way to dashboards or strategy maps, Figure 2 is structured in terms of its perspectives, from the bottom up, in such a way that the foundations of the management of principles and values are based on Leadership and the example of the Management Team, which are reflected in Human Talent, Culture and capacities, to develop Processes, in interaction with Stakeholders, and are projected in the Decisions of the entire organization, to ensure Improvement, and Comprehensive Management of Risks on the factors associated with the dynamics of change.

Figure 2. Principles of risk management based on ISO 31001 and ISO 22301 [13,14,50,51].

2.2. Basic Principles and Management Approach for E2

Given that organizations require energy resources for the operation of their processes and interactions with stakeholders, continuous and systematic improvement of energy performance is imperative from strategic and operational standpoints, based on the best practices of the ISO 50000 family of standards, considering (See Figure 3, and Figure A5):

2.2.1.
Aspects Related to Planning in Energy Management Systems (EnMS)

Aspects related to planning in Energy Management Systems include the planning, design, and development of businesses, products, services, processes, and projects, according to parameters and technology, with specific objectives, plans, and challenges to improve savings, energy performance, the registration of energy data, analyses, and associated risk management. This stage also includes an analytical part called the “energy review”, in which readings, consumption, trends in parameters, flows, and losses are analyzed, and areas of significant use are determined. This is the starting point to register, prioritize, and formalize the possible fronts for improvement with relevant strategic impact [52].

2.2.2.
Aspects Related to the Execution of the Plans and the Operation of the EnMS

Aspects related to the execution of the plans and the operation of the EnMS include the execution of plans and provisions, and the implementation of established best practices, which also include the promotion of culture for energy management and the application of operational control (i.e., the management of the components of processes) through which it is possible to control parameters and address risks associated with energy efficiency (i.e., methods, competencies, maintenance, tuning, control of purchases, materials and contracts, and energy supply, among others).

2.2.3. Aspects Related to EnMS Feedback

Aspects related to EnMS feedback include articulated feedback from the management of energy performance indicators (EnPI), the LBEn energy baseline, understood as the “quantitative reference that provides the basis for the comparison of performance in a given period,” the measurement with “energy models” to summarize and analyze the energy consumed by the system, monitoring, and other feedback and auditing mechanisms.

Figure 3. Management approach to energy efficiency [28,52].

2.2.4. Aspects Related to the Maintenance, Adjustment, and Improvement Actions of the EnMS

Aspects related to the maintenance, adjustment, and improvement actions of the EnMS include actions for the adjustment, correction, maintenance, or improvement in energy performance, which also include lessons learned and the projection of decisions and challenges resulting from management reviews and determining the future of the organization in terms of energy efficiency management.

2.2.5. Developments Related to the Optimization and Improvement of EnMS

Although there has been a fairly broad spectrum of technological developments and advances in the optimization and improvement of the rational and efficient consumption of energy, works related to awareness raising and EnMS are highlighted, e.g., works carried out by J.
Wu, B. Cheng, M. Wang and J. Chen, as well as those related to ISO TC 301, and those of other researchers such as R. Uriarte and J. Cosgrove [52–59]. See also Figure A5.

2.3. Basic Principles and Management Approach for Biosecurity and Biosafety

2.3.1. Biosecurity and Biosafety

In this section, the concepts of and approach to comprehensive management for biosafety and biosecurity are raised as an additional input element from the perspective of the WHO, ILO, and CDC [60–64].
According to the WHO [61], biosecurity is “the set of principles, standards, protocols, technologies, and practices that are implemented to avoid the risk to health and the environment that comes from exposure to biological agents, causes of infectious, toxic or allergic diseases, such as COVID-2019”. According to the CDC and the BMBL [62], biosafety “is the discipline that addresses safety against microbiological agents and toxins and threats they pose to human and animal health, the environment, and the economy; the misuse, exposure, or deliberate or intentional release of these biological agents”.

2.3.2. Comprehensive Biosecurity Management

Comprehensive biosecurity management (CBM) considers the synergy between biosafety and biosecurity, that is, it considers intentional and unintentional cases. For everything related to intentional cases or terrorism, the measures understood as Bioprotection Plans will be adopted. For the case in which companies are part of the food chain, as suppliers, processors, transporters, or distributors, the Food Defense Plans will be applied [60–64].

In line with the approaches described above, under the approaches of the CDC, BMBL, INSST, ILO, and WHO, Table 1 illustrates, as a conclusion, the three logical blocks corresponding to the What, What for, and Where, of the concept of Comprehensive Biosafety. With this perspective, it is proposed as a conclusion that Comprehensive Biosafety Management comprises the planning, application, feedback, and control required to ensure the vertical and transversal integration of the principles, norms, protocols, technologies, and practices required for the identification, prevention, containment, and response through good practices and infrastructure to the risks to health and the environment that come from exposure to biological agents that cause infectious, toxic, or allergic diseases, from or to the processes of an organization in their interaction with interest groups [60–64].
Table 1. Characteristics of comprehensive management for biosecurity based on CDC, BMBL, INSST, ILO, and WHO [60–64].

COMPONENT | KEY SENTENCE | SUMMARY DESCRIPTION
What? | Thought, awareness, and action: PDCA with full awareness BE, DO, and MAKE IT DO | Everything we do with full awareness in our work: Think, Know and PHVA of Principles, Norms, Protocols, Technologies, and Practices. This is: The planning, application, feedback, and control required to ensure the vertical and transversal integration of the required principles, standards, protocols, technologies, and practices...
For What? | Self-care, care and protect: TO EFFECTIVELY IDENTIFY, PREVENT, CONTAIN, RESPOND, AND REDUCE VULNERABILITY AGAINST RISKS TO HEALTH AND THE ENVIRONMENT | ... For the identification, prevention, containment, and effective response, through good practices, technology, and infrastructure, to risks to health and the environment...
Where? | In the face of biological, chemical, physical, or mechanical risks: Due to EXPOSURE TO AGENTS GENERATING INFECTIOUS, TOXIC OR ALLERGIC DISEASES, FROM OR TOWARDS THE ORGANIZATION’S PROCESSES | In exposure to biological, chemical, physical and/or mechanical agents, from or to our activities and processes. In the interaction with areas, things, products, people, and internal and external environment; They can cause infectious, toxic, or allergic diseases.

2.3.3. Comprehensive Biosecurity and Biosafety Management: Risks, Strategy, and Business Continuity

In this section, advances and developments in four areas that are associated with governance and the need for a comprehensive management model, i.e., risks, biosecurity and biosafety, business continuity, and strategic prospective, are provided. In recent decades, the development of knowledge in risk management and biosecurity + biosafety has become vital for various fields and for technological development.
This is reflected in the proliferation of management standards, such as the developments of the ISO TC 292 Technical Committee, that lead International Standards on Security and Resilience, including incident management, emergencies, contingency plans, and business continuity, e.g., ISO 22301: 2019, ISO 22313: 2020, and ISO 22317: 2015 [51,65,66]. Management for biosecurity and biosafety is a factor of mandatory consideration within CRM, for not only companies, but also for laboratories and the food chain, given the current context associated with COVID-19. The scope of biosecurity and biosafety management covers all processes, facilities, and products, and applies to workers or third parties who perform activities on behalf of companies and users who interact with them. The ILO, WHO, and other researchers have developed guides, standards, and resolutions of mandatory applications. These developments in technology, regulation, and knowledge are associated with the multiplication of potential risk factors determined by acute moments of economic depression and geopolitical crisis, terrorist attacks, biological weapons, and other critical events, such as COVID-19. With technological developments and regulations in the field of health, work, and well-being, management systems point toward integrality to support businesses; they require global management of intelligence in interactions with relevant parties and comprehensive management protection, which includes biosecurity and biosafety, with a transversal scope that covers ICT and generational change [67–75]. Figure A6 provides further information on www.sra.org (Society for Risk Analysis) and www.eird.org/americas/indexeng.html (UN Office for Disaster Risk Reduction) as sources that contribute to safety, care, and protection in operations and projects through developments, tools, and information at the service of stakeholders. 
These references are complemented with articles, publications, and developments in the foundations and strategic and operational dimensions of risk management, resilience, and reliability [35,37,38,40,76,77]. It is a challenge for companies to choose the right tools to address the transformation of their processes and businesses under a CRM umbrella. This implies ensuring the relevance of services and processes and in a transversal way, self-care, care, protection, containment, and creative forms of response to the conjugation of contingencies which are maintained in crises under the premise of sustainability, health, and well-being [78–81]. In terms of strategic foresight, the developments have been led by French schools since 1990 by generating manuals, computer applications, and tools at the service of the community [82–85]. Despite these improvements and those mentioned in the preceding paragraphs, SMEs do not have simple and comprehensive tools that are grouped under the umbrella of strategic management, risk management, energy efficiency, business continuity plans, and response to potential and real crises such as COVID-19. In addition, they are mostly unaware of the best practices of the recognized international standards and guides [44–48,50,51] to respond to the basic needs that, for a CMS, and with regards to energy efficiency and biosafety, must apply to a company. Figure 4 illustrates that under contingency conditions, companies must attend to a systematic plan for different types of incidents, which may be associated with a business strategy, quality, safety and regulatory requirements of products and services, aspects of health, safety, and impact on the environment, energy efficiency, information security, networks, and communications, or any other types of combined or independent risks [44,47,48,50,65,66].
The materialization of risks translates into incidents with potential implications in terms of vulnerability due to the interruption of operations, the supply chain, or business continuity. Then, business continuity plans [50,65,66] must address incidents by prioritizing their impact and potentiality. Incidents, regarding their occurrence and association with QHSE3+ components, generate crises and situations associated with their implications and the collateral implications of the measures adopted to respond to them. The governance of these crises should be included in the organization’s management through the crisis management command bridge from where particular scenarios located in the “red” zone with the greatest probability, and their consequences, should be prioritized, and contingency plans should be formulated.

Figure 4. Crisis and Incident Management, and Business Continuity [65,66].

Importantly, within the QHSE3+ framework, the objectives of comprehensive biosafety management with its business continuity and contingency plans for crisis scenarios include: Protecting the health and well-being of people and the organization with an emphasis on self-care; Adapting the promise of value and the product/service to the conditions of the situation, and complying with excellence; and Guaranteeing the continuity and sustainability of the business, supply, and supply chain (See also Figure A6).

2.4. Integration of CMS QHSE3+ Requirements and HLS

CMS QHSE3+ is a harmonious integration of the elements required to develop a management model that focuses on complying with agreements, requirements, and applicable legislation, preventing failures and risks, and having a proactive approach that shows the causes of failures and leads to continuous improvement in business performance. Since the end of the last century, a common structure has been envisioned in the required standards on management systems led by several standardization secretariats, such as BSI-England and AENOR-Spain, which generated UNE 66177:2005 and PAS 99:2012 [86,87], respectively. See also, in Figure A7, under a holistic approach, the chronology corresponding to the historic development of the QHSE3+ Standards in correlation with the milestones of technology and the expression of man, throughout the ages.

In 2013, HLS was defined to guide these standards since 2015. This reference became the “Appendix SL” of the Supplement to the ISO/IEC Directives on the hierarchical structure of management systems standards [86–90]. Figure 5 summarizes the HLS approach under the PDCA cycle with which the requirements and mandatory basic structure of the management systems standards are defined and integrated; this approach meets the requirements from Chapters 4 to 10, given that initials 1 to 3 are intended for Scope (1), Normative References (2), and Terms and Definitions (3). Chapters 4 to 7 with a yellow background belong to the P for Planning and include 4. Context of the Organization, 5. Leadership, 6. Planning, and 7. Support. In the H of Doing with a green background, Chapter 8. Operation; In V of Verify with a light red background, the feedback topics under Chapter 9. Performance Evaluation; and in A of Act with a light blue background, Chapter 10. Improvements are outlined.
As a convention, the requirements in purple italics have the same title for the standards of the QHSE3+ components, and are given in the extension of Chapters 4, 7, and 10. ISO 45001:2018 includes several additional exclusive numerals for this reference identified in red (HS): accountability (Numeral 5.3 partial), participation and consultation (Numeral 5.4), change management (Item 8.1.3), and emergency preparedness and response (Numeral 8.2) are also included by ISO 14001:2015 (E), in the same paragraph (Numeral 8.2).
In Figure 5, under the criteria of affinity with risks and planning, numeral 8.2 Plans to Respond to Emergencies has been placed as part of the planning in numeral 6.1, i.e., Actions to address R/O. In its application, best practices for business continuity are considered both from a global strategic point of view, as well as for each service line and the supply chain. ISO 9001:2015 has requirements specific to this component identified with a blue letter (Q): planning of changes (Numeral 6.3) requirements for products and services (Numeral 8.2), design and development (Numeral 8.3), control of externally supplied processes, products and services (Numeral 8.4), production and service provision (Numeral 8.5), release of products and services (Numeral 8.6), and control of nonconforming outputs (Numeral 8.7).

Figure 5. Integration of the logical structure of the requirements of CMS QHSE3+. Perspective of Application to Comprehensive Biosafety Management [25–31,86–90].

The ISO 50001: 2018 standard also includes particular requirements identified with the green letter petroleum (E2), the numerals: 6.3 energy review, 6.4 energy performance, 6.5 energy baseline, and 6.6 planning for the collection of energy data, as well as design (Numeral 8.2) and acquisitions (Numeral 8.3).
To facilitate the comprehensive application of these requirements and additional ones such as ISO 27001: 2013, the authors provided reference [13], an Excel application that is included in the approach of the structure of Figure 6, a checklist of common and uncommon requirements of the QHSE3+ standards in the support portal.

Figure 6. Classification matrix of topics related to the R/O of CMS QHSE3+ [25–30,91].

3. Results, Achievements, and Discussion

3.1. Fundamental Purpose of the Research. Methodology

The research that supports the results presented in this paper focuses on contributing to the effectiveness and sustainability of Entrepreneurship Projects and the Implementation of Comprehensive Management Systems QHSE3+, SMEs, and the business sector in general, through the design and preliminary application of instruments and tools that enable the understanding, implementation, and application of Good Practices for sustainable success, and, in the future, its massification, from a holistic perspective for the strategic and operational management of risks and opportunities (R/O). The following are the specific objectives in the field of Comprehensive Risk Management: the design of the Model and Reference Framework, the development of tools for the identification and classification of R/O, the parameterization of the Risk Management Process, and the initial application of the Model and its Tools in goods and services companies. The methodology used combined both applied and qualitative research:

• The approach of the logical framework methodology developed by ECLAC and the IDB was applied in the formulation of this research project [92–94].
• The configuration of the model was carried out in a global and particular way for its main components, adapting the developments of the systemic design to the particular case of the functional, ergonomic, and formal design of a model of CMS [95,96].
• The applied research took place during consulting exercises in which the model and tools were validated and adapted to six cases of companies between 2014 and 2019, with positive results and the ratification of the approach.
• In 2020, with the contingency of COVID-19, there was the opportunity to incorporate biosafety and business continuity plans into the model in the design and deployment of the governance plan in one of the six reference companies (See Section 2.3, Section 2.4, Section 3.2 and Figure 4, and the summary of the strategic and operational approach in Figure A6).

The major results of this research include:
(a) The structuring of the General Board of R/O QHSE3+ (See Section 3.2, Figure 6, and Figures A8–A14),
(b) The configuration of the comprehensive R/O management model applicable to CMS QHSE3+ (See Section 3.3, and Figures 7 and 8),
(c) The parameterization of the integral management of R/O of CMS QHSE3+ (See Section 3.4, and Figures 9 and 10), and
(d) The general achievements obtained through the application of the model in different companies in terms of vulnerability reduction and energy efficiency (See Sections 3.5 and 3.6).

Figure 7. Model for the comprehensive R/O management of CMS QHSE3+.

3.3.2. Functional Approach of the R/O Model Applicable to CMS QHSE3+

Figure 8 illustrates the functional elements in the operation of the model, considering their visualization and interaction through a matrix of two inputs, which include four layers on the vertical axis: (1) Foundations in principles and values, (2) R/O strategic management, (3) QHSE3+ operational R/O management, and (4) complementary layer. On the horizontal axis, there are four levels of planning and action: (a) directive planning, (b) operational planning (including projects, product development, and processes), (c) contingency and emergency plans, and (d) responsibility and response actions (i.e., containment and correction, feedback, and lessons learned). The model matrix and its functional elements are analyzed below:

Layer 1. Foundation in Principles and Values: Thought, Awareness, and Action for Prevention

Transversal to the levels of planning and action, this layer includes the planning and development of strategies to develop skills and achieve the appropriation of the value of prevention associated with ROBT.

Layer 2. Management to Decide on Strategic R/O

This layer is divided into sublayers of change management to guarantee the integrity of the system, and a second sublayer to plan strategies according to each level:
o Executive: Market intelligence and the study of the context to formulate objectives, policies, projects, and strategic corporate plans.
o Operational: R/O analysis for the formulation and development of new businesses, products, and projects in line with the strategic purposes of change.
o Contingency: Cycle of decisions related to business continuity plan, biosecurity management, and emergency preparedness and response.
o Containment, Feedback, Responsibility, and Response. Response to performance and MMAE. Decisions and challenges of business reformulation, projects, and strategy.

Layer 3. Operational R/O Management QHSE3+

This layer considers the functions of business intelligence and the management of legal requirements, process planning, comprehensive biosafety management, nonconformity

Figure 8. Functional matrix of comprehensive R/O management model layers and levels.

Figure 9. Parameterization of the application of the comprehensive R/O management model.

In Step (9), the effectiveness of the plan was evaluated, and incidents and events related to the R/O of CMS QHSE3+ were monitored.
[Flow diagram. Steps recoverable from the figure:]
0. Define the scope.
1. Make a list of objectives and processes.
2. Analyze the incidence of processes in the fulfillment of requirements, offer, and agreements with the stakeholders.
3. Analyze the incidence of processes in the achievement of the business objectives.
4. Evaluate the impact of processes on the performance and success of the business.
5. Analyze the components of R/O vs. QHSE3+ and typology (external and internal).
6.1. Identify and define strategic R/O (internal, external vs. strategic objectives).
6.2. Identify and define operational R/O (QHSE3+ vs. objectives of each process).
7. Appreciate R/O (analyze, evaluate, root cause, possibility, consequences/impact, level of R/O).
8. Establish the R/O treatment plan: Layer 1, prevention (Ms of the conditions of the process); Layer 2, control (parameters linked to the R/O); Layer 3, reaction (response to the manifestation of R/O); Layer 4, mitigation (vs. negative consequences of R/O); Layer 5, change management (associated with measures).
9. Evaluate the effectiveness of the plan and track R/O events. 9.1. Follow-up log ("bitacore") and incident registry, with analysis of implications, to modify or update the R/O administration plan. 9.2. Follow-up of the implementation and effectiveness of the R/O management plan.
10. Estimate the residual R/O and changes in vulnerability. Retake the cycle and reformulate depending on changes, scenarios, incidents, and prospective.
[Outputs named in the figure: list of objectives and processes; degree or level of impact of the processes; components and typology (QHSE3+ and external-internal); criteria and estimation scales of R/O, unified or by components; risk and opportunities map (strategic or operational); R/O treatment plan; follow-up log of the treatment plan; integration with MMAE and the indicators board. Notes in the figure: "It includes biosecurity"; "It includes emergency response and business continuity plan".]

Figure 9. Parameterization of the application of the comprehensive R/O management model.

| R/O | CONSEQUENCES: CLASSIFICATION | CONSEQUENCES: COMPETITIVENESS | PROBABILITY 1: EXCEPTIONALLY | PROBABILITY 2: OCCASIONALLY | PROBABILITY 3: REGULARLY | PROBABILITY 4: USUALLY | PROBABILITY 5: FOREVER |
|---|---|---|---|---|---|---|---|
| OPPORTUNITIES | 5 EXTRAORDINARY | Great benefits in the market, profitability, speed, innovation and strategic alliances | 5 - LOW | 10 - MODERATE | 15 - HIGH | 20 - HIGH | 25 - VERY HIGH |
| OPPORTUNITIES | 4 HIGHER | Significant increase in competitive capabilities and business performance | 4 - LOW | 8 - MODERATE | 12 - HIGH | 16 - HIGH | 20 - HIGH |
| OPPORTUNITIES | 3 MEDIUM | Low increase in competitive capabilities and business performance | 3 - VERY LOW | 6 - LOW | 9 - MODERATE | 12 - HIGH | 15 - HIGH |
| OPPORTUNITIES | 2 LESS | Low increase in business performance | 2 - VERY LOW | 4 - LOW | 6 - LOW | 8 - MODERATE | 10 - MODERATE |
| OPPORTUNITIES | 1 INSIGNIFICANT | Non-perceptible benefits | 1 - VERY LOW | 2 - VERY LOW | 3 - VERY LOW | 4 - LOW | 5 - LOW |
| RISKS | 1 INSIGNIFICANT | Minimum losses | 1 - VERY LOW | 2 - VERY LOW | 3 - VERY LOW | 4 - LOW | 5 - LOW |
| RISKS | 2 LESS | Moderate dissatisfaction and low performance | 2 - VERY LOW | 4 - LOW | 6 - LOW | 8 - MODERATE | 10 - MODERATE |
| RISKS | 3 MEDIUM | High dissatisfaction and losses that affect competitiveness | 3 - VERY LOW | 6 - LOW | 9 - MODERATE | 12 - HIGH | 15 - HIGH |
| RISKS | 4 HIGHER | Losses of customers under performance in products, economic, compliance and conflicts | 4 - LOW | 8 - MODERATE | 12 - HIGH | 16 - HIGH | 20 - HIGH |
| RISKS | 5 CATASTROPHIC | Large losses of customers and products, economic, delays and conflicts | 5 - LOW | 10 - MODERATE | 15 - HIGH | 20 - HIGH | 25 - VERY HIGH |

Figure 10. Parameterization of the application of the comprehensive R/O management model.

3.2. General Directory of R/O Topics Regarding QHSE3+

One of the greatest difficulties that organizations may have in terms of R/O management is associated with the competencies of people to determine and unify the criteria for classifying R/O in their operations and interactions with different interest groups. Given this circumstance, an investigation of the R/O taxonomy was carried out, not only from the point of view of the families of the QHSE3+ norms and their approaches, but also from the perspective of management schools and the cases of companies that have a longer track record of risk management.

The conclusions reached by the work team after the two analyses, and later, during 2020, with the explicit incorporation of the topic of Biosafety, are as follows [13,23,24,35,38,48,51]:

• To facilitate the application of the model, it is convenient to prepare a Matrix-Directory, which brings together the blocks of general topics associated with the R/O Management of companies. In this way, each company specifies its basic strategic R/O matrix and processes, based on the blocks of topics, which become a support tool.

• From a general point of view, there will be R/O of external and internal origin. The external R/O come from the external environment of the company and have a direct impact on its operation and results. The internal R/O depend on the organization’s own management.

• Within the categories of internal risks and opportunities, one can include, as illustrated in Figure 6, aspects related to: (i) Strategy, Business and Projects, (ii) Culture and Behavior, (iii) Decision Making, (iv) Conditions for Conformity Q, (v)
Conditions for the Safety and Health of People HS, (vi) Conditions for Pollution Prevention and Environmental Protection E, (vii) Conditions for the rational use of Energy and Energy Efficiency E2, (viii) Conditions and resources for the adaptation of infrastructure, maintenance and cleaning of facilities and equipment, (ix) Conditions and resources for Planning, Infrastructure and Resources, Control and Development of ICT, (x) Financial and economic elements, which include the planning, management and results of financial resources, in addition to the applicable tax, fiscal and regulatory component; (xi) Other specialized topics.

There may be R/O simultaneously related to several QHSE3+ components, or external and internal topics. In the same way, for the integral biosafety management component that is part of the plus (+), it may be presented in many external and internal categories, such as strategy, culture, quality, safety, environment, infrastructure, financial elements, and even other specialized topics depending on the type of organization.

Figures A8–A14 detail the topics related to the layers and particular items presented in Figure 7, for external R/O, and Layers I to IX of the internal R/O.

3.3. Conceptual Model for Comprehensive R/O Management Applicable to CMS QHSE3+

This section presents the approach of the model configured through the application of systemic design [11,91,95,96], taking into account the structural and functional elements, which are described in Sections 3.3.1 and 3.3.2, and their parameterization in Section 3.4. Figure 7 illustrates the set of the Comprehensive R/O Management Model, taking as a starting point the basic elements of the CMS QHSE3+ described in Table 2.

Table 2. Basic elements of the CMS QHSE3+ Model [11,91].

PARTS: DESCRIPTION

1. Management Core: “I decide with business intelligence on the aspects of management.” The core of management represents the central component from where the strategic direction is developed, including business intelligence associated with the strategic decisions for differentiation and specialization based on the development of products and services for sustainable success with innovation.

2. Heart of Talent and Culture: “I deploy the philosophy of R/O and develop skills and culture.” This represents human management, associated with talent, competencies, and knowledge management. Culture addresses the dynamics of identification, appropriation, and experience of principles.

3. R/O Management, Intelligence, and Operational Planning Breastplate: “I decide with intelligence and technique the operational aspects.” This brings together information intelligence and operational decision-making with the planning of prevention, mitigation, contingency, emergency, and R/O control measures for each component with the management of purchases and infrastructure.

4–8. Five Arms of QHSE3+: “I apply what was planned in each component.” These symbolize the QHSE3 elements from which the strategic and operational planning is applied. In each arm, the R/O per component is managed, associated with nonconformities, incidents, potential uses, improvements, or greater value generation.

9 and 10. Feedback Axes and Model Improvement: “Through Monitoring, Measurement, Analysis, and Evaluation (MMAE), I learn, innovate, and improve.” These are the axes that ensure the dynamics of the model. Axis 9 brings together the MMAE, audit, and management review to analyze performance and pose challenges.
Axis 10 corresponds to improvement, innovation, and response to incidents, nonconformities, and opportunities to generate greater value with corrective and preventive actions in full alignment with the requirements of the context and strategic purposes.

3.3.1. Structural Elements of the Comprehensive R/O Management Model in CMS QHSE3+

The following elements make direct reference to risk management:

• The management nucleus has the first level of strategic risk management with product and business developments.

• The operational planning QHSE3+ is carried out from the Operational Planning Breastplate of the Model, and includes planning processes, identification of R/O and determination of controls.

• The Five QHSE3+ Arms apply what is planned and respond to incidents and moments of truth.

Figure 7 shows the sketch of 16 components of the model, and the deployment of ROBT in a transversal way throughout the entire system for its foundation and appropriation through Components 11–16.

3.3.2. Functional Approach of the R/O Model Applicable to CMS QHSE3+

Figure 8 illustrates the functional elements in the operation of the model, considering their visualization and interaction through a matrix of two inputs, which include four layers on the vertical axis: (1) Foundations in principles and values, (2) R/O strategic management, (3) QHSE3+ operational R/O management, and (4) complementary layer. On the horizontal axis, there are four levels of planning and action: (a) directive planning, (b) operational planning (including projects, product development, and processes), (c) contingency and emergency plans, and (d) responsibility and response actions (i.e., containment and correction, feedback, and lessons learned). The model matrix and its functional elements are analyzed below:

Layer 1. Foundation in Principles and Values: Thought, Awareness, and Action for Prevention

Transversal to the levels of planning and action, this layer includes the planning and development of strategies to develop skills and achieve the appropriation of the value of prevention associated with ROBT.

Layer 2. Management to Decide on Strategic R/O

This layer is divided into sublayers of change management to guarantee the integrity of the system, and a second sublayer to plan strategies according to each level:

o Executive: Market intelligence and the study of the context to formulate objectives, policies, projects, and strategic corporate plans.

o Operational: R/O analysis for the formulation and development of new businesses, products, and projects in line with the strategic purposes of change.

o Contingency: Cycle of decisions related to business continuity plan, biosecurity management, and emergency preparedness and response.

o Containment, Feedback, Responsibility, and Response. Response to performance and MMAE. Decisions and challenges of business reformulation, projects, and strategy.

Layer 3. Operational R/O Management QHSE3+

This layer considers the functions of business intelligence and the management of legal requirements, process planning, comprehensive biosafety management, nonconformity management, redefinition of control measures, and lessons learned vs. incidents and changes. It is divided into sublayers associated with each component of CMS QHSE3+, having the following at each of the levels:

o Executive: R/OBT in special projects. Decisions and deployment of the comprehensive management policy and others.

o Operational and Contingency: Application and adaptation of operational control plans and programs, emergency response, NC, and QHSE3+ incident management.

o Feedback, Responsibility, and Response: Lessons learned, knowledge, review of control measures, MMAE, and managerial review by component.

Layer 4. Other Measures for the Deployment of R/OBT

From the strategic level, this layer considers the R/O, evaluating business alternatives, alliances, or structural changes in the organization resulting from the decisions to be made. Internal control measures based on the COSO model, with feedback, auditing, and controls to guarantee the integrity of the resources and the integral generation of value, including economic results, are highlighted in a transversal way for energy efficiency [17,55–58,66,97–99].

Another complement is related to the development of competencies to make decisions and react appropriately and in a timely manner to events that lead to the presence of risk factors and dynamic opportunities, involving decisions in moments of truth or critical moments of change.

3.4. Parameterization of the Comprehensive R/O Management Model

Sections 3.3.1 and 3.3.2 have made it possible to observe the breadth of comprehensive management in various aspects of external and internal R/O, considering the QHSE3+ components and their application in a transversal manner.

With the tools associated with the QHSE3+ risk types directory (Figures A8–A14) and the R/O management conceptual model for CMS QHSE3+ with its functionality matrix (Figures 7 and 8), significant progress is made in the visualization of R/O. However, its generalized application requires a logical tool that facilitates its application, updating, and management in the processes, the strategic field, and the components in which this is required.

Figure 9 contains the flow that illustrates, step by step, the parameterization of the R/O management process associated with the model. From this parameterization, diagrammed with machine language identifying reports and outputs, it is possible to structure computer applications that are very useful for companies in terms of the transversal, agile, and systematic application of R/O management under unified criteria, support guides, listings, reports, and statistics.
In Figure 9, the parameterization considers 10 Steps (column on the left) in which the application context is initially defined, taking into account the definition of the scope of the system or exercise (Step 0), the components under analysis, and the list of objectives and processes (Step 1), and then proceeds to determine the priority processes based on the analysis of their incidence in the fulfillment of the requirements, obligations, strategic objectives, and the performance and success of the business (Steps 2, 3, and 4). Next, the applicable R/O directory was determined by starting from the tool indicated in Section 3.2 and from each component, thus generating the list of the types of external and internal R/O by QHSE3+ component (Step 5). Based on the typology, a list of strategic R/O and QHSE3+ was determined and individualized, including those related to biosecurity and biosafety (Step 6). In Step 7, an assessment of the R/O was carried out, which generates the R/O map; the process then proceeds to establish the contingency plans, business continuity, and, in general, the treatment plan, which takes into account the layers of prevention, control, reaction, mitigation, and change management (Step 8). The Plan must be monitored in terms of its execution and results. In Step 9, the effectiveness of the plan was evaluated, and incidents and events related to the R/O of CMS QHSE3+ were monitored. In Step 10, the residual risk and the changes in vulnerability were evaluated, and the cycle was resumed and reformulated according to the changes in the context. Figure 10 represents an alternative set of criteria with which to perform the assessment of risks and opportunities (R/O).
3.5. General Achievements and Benefits of the Research
The research gave rise to the following innovative products that contribute to entrepreneurship and are available to companies and stakeholders:
• The presentation of the concepts related to security and to the processes of risk management and intelligence for decision-making, through a graph that correlates, orders, and explains them, facilitating their study and analysis, in the context of management systems (See Figure 1 and Section 2.1.1).
• The explicit incorporation of the comprehensive biosafety management and contingency and business continuity plans into the model (See Section 2.3 with the comprehensive approach and concepts; Figure 4 with governance in crisis; Figure 6 with the application of the integration of requirements to biosecurity and biosafety; and continuity management and response to the pandemic in Figure A6).
• The presentation of the requirements of ISO 50001 and the ISO QHSE3+ standards as best practices, whose application contributes to reducing vulnerability and enhancing energy improvement and efficiency. For this purpose, the HLS was applied and illustrated by a diagram that allows us to appreciate its logic and integration, and the blocks of particular requirements for each component (See Sections 2 and 3, and Figures 3, 5 and A4, as well as the reference support portal [13] with a comprehensive checklist of QHSE3+ best practices).
• The generation of six matrices that present the thematic structure, approach, and projections of the ISO 31000 families of standards, and QHSE3+, which include ISO 50000. In each matrix, explicit reference is made to the best practices which are most related to the integral management of risks for each component (Figures A1–A5).
• The matrix “General Directory of topics for R/O QHSE3+”, which is a very useful and practical tool to make the inventory for R/O of companies. See Section 3.2 and Figures A8–A14.
• The configuration of the R/O comprehensive management conceptual model with an energy performance perspective through the application of systemic design, which facilitates the logical and didactic presentation of its structural and functional elements. See Sections 3.3.1 and 3.3.2, and Figures 7 and 8.
• The validation of the parameterization flow of the model as a base instrument with which to structure computer applications that support the administration of R/O comprehensive management in organizations. See Section 3.4 and Figures 9 and 10.
• The model and its tools were tentatively applied in six companies, where their practical utility and the benefit of their simple and logical approach were ratified to visualize and understand their structure, functionality, and operation. With one of the companies, it was possible to apply the model, considering the strategic and operational components in relation to business continuity and COVID-19. See Section 3.6 and Figure A7.
The achievements and results obtained will determine the course of research and subsequent actions to expand the generated instruments and promote sustainable success.
3.6. Results Obtained in Terms of Energy Efficiency and Vulnerability Reduction
3.6.1. Characteristics and Profile of the Companies in which the Preliminary Validation was Made
Figure 11 presents the characteristics and profiles of six companies located in Colombia, in the Departments of Atlántico, La Guajira and Cundinamarca, where the CRM Model was preliminarily applied through the complete cycle of R/O identification and of the formulation and implementation of actions to respond to and address the R/O, within the framework of consulting projects for the consolidation of their Comprehensive Management Systems.
| Categories of analysis (focus of the management system; accreditation and/or certification status) | Family Compensation Fund | Municipal Hospital (Health Services) | Clinic (Health Services) | Pharmaceutical Laboratory | Port Operation (Logistics Services) | Manufacturing (Glass Containers) |
| --- | --- | --- | --- | --- | --- | --- |
| 1. Comprehensive approach of the management system | CMS focused on the strategy | CMS focused on the regulatory framework and the strategy | CMS focused on the regulatory framework and the strategy | CMS focused on the strategy | CMS focused on the strategy | CMS focused on the strategy |
| 2. Strategic business continuity plan and contingency plans | With ISO 22313:2020 approach and HS contingency plans | HS emergency plans vs. law and accreditation | HS emergency plans vs. law and accreditation | HS, BASC and EMS emergency plans; continuity plans with special clients | HS, BASC and EMS emergency plans | HS, BASC and EMS emergency plans; continuity plans with corporate clients |
| 3. Accreditation or certification with ISO 9001:2015 | Q: ISO 9001:2015 | Q: Accreditation | Q: Accreditation | Q: ISO 9001:2015 | Q: ISO 9001:2015 | Q: ISO 9001:2015 |
| 4. Certification with ISO 45001:2018 (formerly OHSAS 18001:2007) | No | No | No | No | HS: OHSAS 18001:2007 | No |
| 5. Certification with ISO 14001:2015 (environmental) | No | No | No | E: ISO 14001:2015 | E: ISO 14001:2015 | E: ISO 14001:2015 |
| 6. Certification with ISO 50001:2018 | No | No | No | No | No | No |
| 7. Certification with other ISO models for "+" components | No | No | No | Yes: BASC 2019 | Yes: BASC 2019, and ISPS Code for the Protection of Ships and Port Facilities | Yes: BASC 2019, and ISO 22000 Food Safety Management System |

Figure 11. Characteristics of the companies in which the application of the comprehensive R/O management model was performed under CMS QHSE3+. The profile includes the comprehensive approach of the Management System, the status of accreditation or certification of its QHSE3+ components, and the existence of Business Continuity Plans or Emergency and Contingency Plans.

All the companies have CMS based on the certified quality component and a strategic approach, which determines the priorities of each business directed to address strategic and operational R/O, giving priority to accreditation in the health sector in the case of the hospital and clinic, and in all cases, to the QHSE3+ risk components and the regulatory obligations of each sector. Although no company is certified in E2, 1 is certified in HS, and 3 are certified in the environmental component E, all made positive progress in the application of best practices and decided to be certified in the components indicated in Figure 11, according to their priorities and market interests. Particularly, in the “+” component of additional risks, all companies applied good information security practices and the physical and logical security of their platforms, under the R/O ICT approach in accordance with ISO 27001:2013. On the other hand, two were certified in the BASC component, and 1 in ISO 22000:2018.
3.6.2. Presentation and Analysis of the Results Obtained
Figures 12 and 13 summarize the results obtained in the R/O management as of December 2019 considering the contribution of opportunity management in achieving the objectives and the reduction of vulnerability for each QHSE3+ component.
| Performance indicators (execution 2019) | Family Compensation Fund | Municipal Hospital (Health Services) | Clinic (Health Services) |
| --- | --- | --- | --- |
| 1. Impact of the management of opportunities in the achievement of the strategic objectives (includes examples of addressed opportunities) | 3.4%: 1. Innovation with ICT; 2. New Headquarters Project; 3. Management of Legal Requirements. | 12%: 1. Accreditation Management; 2. Human Development. | 18%: 1. Update ICT Modules for Finance; 2. Investments in Infrastructure. |
| 2. Reduction of vulnerability for strategic risks (includes the Q component of quality) | 11.5% | 16% | 23% |
| 3. Examples of strategic, significant business risks with greater reduction in vulnerability | 1. Low response in call for events. 2. Low impact of marketing strategies. | 1. Vulnerability due to infection risks. 2. High incidence of patients who migrate. | 1. Liquidity and delinquent portfolio. 2. Infection in white areas. |
| 4. % reduction of vulnerability in HS risks of workers' accidents and workplace illnesses | 9.3% | 8.7% | 13.6% |
| 5. Examples of HS safety and health hazards at work, relevant and with a greater reduction of vulnerability | 1. Thermal discomfort in rooms and cold areas. 2. Handling of cleaning chemicals. 3. Work position that requires standing. | 1. Risks associated with chemical and biological agents. 2. Exposure to sources of ionizing radiation. | 1. There is no protocol for the management of biological risks. 2. Risks of infection due to deficiencies in waste management. |
| 6. Reduction of vulnerability in "E" risks associated with environmental management | 9.4% | 22.2% | 17.4% |
| 7. Examples of relevant environmental risks "E" with a greater reduction of vulnerability (significant environmental aspects) | 1. Generation of solid and liquid waste. 2. Generation of noise and vibrations during events of the provision of services. | 1. Generation of non-domestic discharges with discharge to the sewers. 2. Contamination of water due to the spillage of hazardous waste. | 1. Vulnerability due to handling of hazardous waste. 2. Generation of emissions from fixed sources of external combustion. |
| 8. Reduction of vulnerability in "E2" risks associated with energy efficiency | 10.8% | 16.4% | 14.8% |
| 9. Examples of relevant "E2" risks with greater reduction of vulnerability (risks due to inefficiency and energy losses) | 1. Greater energy consumption at the Prado Headquarters, due to the non-optimal management of heat and cold. 2. Lack of energy saving mechanisms in lighting. | 1. Energy losses due to non-optimal heat and cold management in operations and services. 2. Absence of automatic control and saving mechanisms in lighting. | 1. Obsolescence of equipment and infrastructure. 2. Vulnerability due to the absence of control mechanisms and disciplinary provisions for energy saving. |
| 10. Examples of significant risks with greater reduction of vulnerability in the "+" component of "other specialized risks" | 1. Information security: Loss of information due to physical damage to hardware and affectation of software. 2. Food safety: Risks of cross contamination due to non-application of good practices. | 1. Security of the information: 1.1 Deficiencies of integrity in the information, due to unavailability and inconsistencies. 1.2 Vulnerability in the access to the data of medical records. | 1. Security of the information: 1.1 Cyber attacks on networks and interaction channels. 1.2 Failures in operations and information integrity due to ICT inconsistencies. |

Figure 12. Indicators of vulnerability reduction and incidence of opportunity management in the achievement of strategic objectives: Companies 1, 2, and 3.

| Performance indicators (execution 2019) | Pharmaceutical Laboratory | Port Operation (Logistics Services) | Manufacturing (Glass Containers) |
| --- | --- | --- | --- |
| 1. Impact of the management of opportunities in the achievement of the strategic objectives (includes examples of addressed opportunities) | 16%: 1. New Business Development. 2. New products and markets. | 25%: Equipment and infrastructure renewal. | 36%: 1. Redefinition of portfolio. 2. Business partner approach. |
| 2. Reduction of vulnerability for strategic risks (includes the Q component of quality) | 27% | 8.5% | 17.8% |
| 3. Examples of strategic, significant business risks with greater reduction in vulnerability | 1. Vulnerability due to new GMP / FDA requirements. 2. Low liquidity due to restrictions in portfolio recovery. | 1. Conditions of the access roads and cycle times above the average. 2. Non-competitive conditions of availability and rates. | 1. Market loss due to additional supply requirements. 2. Decrease in demand for non-competitive costs. |
| 4. Reduction of vulnerability in HS risks of workers' accidents and workplace illnesses | 11.4% | 11.6% | 16.5% |
| 5. Examples of HS safety and health hazards at work, relevant and with a greater reduction of vulnerability | 1. Affectation by noise in the area of blister-packing. 2. Vulnerability due to non-application of protocols in the handling of chemicals. | 1. Health damage due to contact with particulate matter. 2. Vulnerability due to work at height and confined spaces. | 1. Affectation by contact with chemical products. 2. Affectation by high noise levels in operations. |
| 6. Reduction of vulnerability in "E" risks associated with environmental management | 12.6% | 18.4% | 23% |
| 7. Examples of relevant environmental risks "E" with a greater reduction of vulnerability (significant environmental aspects) | 1. Vulnerability in the management, control and disposal of hazardous waste. 2. Generation of non-domestic discharges with discharge to the sewer. | 1. Generation of industrial water contaminated with solid waste, oil and grease. 2. Generation of hydrocarbon spills or leaks in the operation. | 1. Consumption of limestone and raw materials. 2. Permanent use of fuel and energy to operate the furnace. |
| 8. Reduction of vulnerability in "E2" risks associated with energy efficiency | 9.6% | 10.8% | 9.4% |
| 9. Examples of relevant "E2" risks with greater reduction of vulnerability (risks due to inefficiency and energy losses) | 1. Energy consumption peaks in operations, due to non-optimal management of heat and cold. 2. Absence of energy saving mechanisms in the commissioning of the operating lines. | 1. Levels of energy consumption in machinery and equipment operations. 2. Inefficient handling of operating cycles, with higher fuel consumption for operation. | 1. High levels of fuel consumption in the furnace during the start-up of each line. 2. Fuel consumption for the inbound and outbound logistics operation. |
| 10. Examples of significant risks with greater reduction of vulnerability in the "+" component of "other specialized risks" | 1. Information security: 1.1 Inconsistencies and deactivation of computer applications. 1.2 Fines and penalties for inconsistencies in reporting information to the authorities. | 1. BASC: Vulnerability of the physical integrity of the cargo due to violation of the security of the containers. 2. Food safety: Cross contamination of cargo by the presence of birds and rodents. | 1. Information security: Infrastructure restrictions for the Business Continuity Plan. 2. Food safety: Cross contamination in decoration and packaging. |

Figure 13. Indicators of vulnerability reduction and incidence of opportunity management in the achievement of strategic objectives: Companies 4, 5, and 6.

Some values result from projections and assumptions that were raised by the companies to account for force majeure stops or external factors that generate distortion in the handling of data. The 2020 records are not included, given their irregularity due to the confinement. Here are the most relevant aspects:
A. Functionality of the Model and Appropriation of ROBT.
o In the six organizations, the correct functionality of the model and the incidence indicators for the management of opportunities and the reduction of vulnerability were ratified.
o The model applied and the tools that support it facilitate the management of the cycle of identification, analysis, evaluation, formulation of actions, monitoring, requalification, and reformulation of R/O through the key questions and the parameterization sequence.
o In companies in which prevention and ROBT were adopted as a fundamental principle and value, it was much easier to ensure systematic continuity in the application of the model.
B. Incidence of Opportunity Management in the Achievement of Strategic Purposes (Rows in Item 1).
o The indicator of the incidence of opportunity management in the achievement of the objectives was assessed by the processes and positions with direct responsibility for the projects and associated actions, as the estimated average percentage of the incidence of each relevant opportunity considered, with evaluations agreed upon between the management and the specific managers.
o The average of the indicator of incidence was between 12% and 36% in the six companies. The opportunities were related to ICT innovation and updating, the development of new products, new markets and businesses, renovation and investment in equipment, infrastructure and new facilities, development of new alliances, and human talent.
C. Vulnerability Reduction for Strategic and Quality Risks Q (Rows of Items 2 and 3)
o The reduction in vulnerability is calculated as the percentage of risk reduction after the application of the measures in the period to be calculated, as indicated in the algorithm of the definition in Section 2.1.1, which is set out again below:

$$\%DismVul = \frac{\sum_{i=1}^{n} (Po_i)(Go_i) - \sum_{i=1}^{n} (Pf_i)(Gf_i)}{\sum_{i=1}^{n} (Po_i)(Go_i)} \qquad (2)$$

where DismVul denotes the percentage decrease in vulnerability after implementing antirisk measures, $Po_i$ and $Go_i$ are the initially assessed possibility and gravity, respectively, and $Pf_i$ and $Gf_i$ are the final possibility and gravity, respectively, after adopting the planned measures.
o The reduction of vulnerability was between 8.5 and 27% in terms of strategic and quality risks related to vulnerability due to new requirements of corporate clients, liquidity and portfolio recovery, noncompetitive rates and costs, low call and market response, infection risks, and the high incidence of patients who migrate.
D. Vulnerability Reduction for HS Risk (Rows of Items 4 and 5)
o The reduction of vulnerability in the risks of the HS component was between 8.7% and 16.5%. The related risks include chemical products, noise levels, exposure to chemical, physical, and biological agents, contaminated waste management, particulate material, work at heights and in confined spaces, and thermal discomfort.
E. Reduction of Vulnerability for Risks E. (Rows of Items 6 and 7)
o The reduction of vulnerability in the risks of component E was between 9.4% and 23%. The risks include consumption of natural resources such as raw materials, consumption and contamination of water, noise and vibrations, hydrocarbon spills, generation of dumping and contaminated waste, and handling and manipulation of chemicals and hazardous waste.
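Equation (2) applied to a small risk register, per QHSE3+ component and overall, as an added example that is not part of the original article; it also lists risks whose individual exposure grew, which the aggregate percentage can hide. The 1-5 scale for possibility and gravity, the `Risk` record, the function names and all scores are assumptions constructed for illustration; only the risk names come from Figure 12.

```python
"""Vulnerability reduction (%DismVul, Equation 2) over a risk register."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: possibility (P) and gravity (G) are scored on a 1-5 ordinal scale.
# The article's own assessment criteria (Figure 10) are not reproduced here.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    component: str  # QHSE3+ component: "Q", "HS", "E", "E2" or "+"
    name: str
    po: int         # initial possibility
    go: int         # initial gravity
    pf: int         # final possibility, after the planned measures
    gf: int         # final gravity, after the planned measures

    def __post_init__(self):
        # Reject scores outside the assumed scale before they skew the sums.
        for label, value in (("po", self.po), ("go", self.go),
                             ("pf", self.pf), ("gf", self.gf)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label}={value} is outside 1-5")


def dism_vul(risks):
    """Equation (2) as a percentage: 100 * (sum Po*Go - sum Pf*Gf) / sum Po*Go."""
    risks = list(risks)
    if not risks:
        raise ValueError("no risks to evaluate")
    initial = sum(r.po * r.go for r in risks)
    final = sum(r.pf * r.gf for r in risks)
    return 100.0 * (initial - final) / initial


def dism_vul_by_component(register):
    """%DismVul for each component, rounded to one decimal as in Figures 12-13."""
    groups = defaultdict(list)
    for risk in register:
        groups[risk.component].append(risk)
    return {comp: round(dism_vul(items), 1) for comp, items in groups.items()}


def worsened(register):
    """Names of risks whose exposure P*G grew despite an overall reduction."""
    return [r.name for r in register if r.pf * r.gf > r.po * r.go]


def residual_ranking(register):
    """Step 10 view: (residual exposure Pf*Gf, name), highest exposure first."""
    return sorted(((r.pf * r.gf, r.name) for r in register), reverse=True)


# Constructed sample register: names from Figure 12, scores invented here.
REGISTER = [
    Risk("+", "Cyber attacks on networks and interaction channels", 4, 5, 3, 5),
    Risk("+", "Vulnerability in the access to medical-record data", 3, 5, 2, 5),
    Risk("+", "Loss of information due to physical damage to hardware", 2, 4, 3, 4),
    Risk("E2", "Energy losses due to non-optimal heat and cold management", 4, 3, 3, 3),
    Risk("E2", "Lack of energy saving mechanisms in lighting", 5, 2, 4, 2),
]

if __name__ == "__main__":
    print("By component:", dism_vul_by_component(REGISTER))
    print("Overall: %.1f%%" % dism_vul(REGISTER))
    print("Worsened:", worsened(REGISTER))
    for exposure, name in residual_ranking(REGISTER):
        print(f"  residual {exposure:>2}  {name}")
```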
F. Reduction of Vulnerability in Terms of E2 (General—Rows of Items 8 and 9)
o The reduction of vulnerability in the risks of component E2 was between 9.4% and 16.4%. The risks concern losses and higher consumption due to the non-optimal management of heat and cold, losses and greater consumption due to the lack of lighting savings, and high consumption of fuel and energy in logistics operations of the supply chains (see Section H).
G. Reduction of Vulnerability in other components of Additional R/O (+) (Row 10)
In this block, three factors stand out:
• Information security: Physical damage to hardware, deterioration of software, limitations in availability, access, and integrity of information, cyberattack on networks and channels, inconsistencies and deactivation of computer applications, and infrastructure.
• Food safety: Cross-contamination by the nonapplication of best practices or the presence of pigeons, rodents, and other pests in loading, unloading, and storage.
• BASC: Physical integrity of cargo for violation of container security.
H. Recent Developments in E2 Management
o Compensation Fund: (i). Basic energy-saving program in all its locations, (ii). Automatic control and programming of conditioning and refrigeration, (iii). Improvements in insulation to optimize refrigeration in cold rooms, (iv). Campaigns, training, and supervision, (v). Automation of energy control in accommodation, (vi). Automatic control and savings alternatives with adaptation of roofs, (vii). Optimization in ventilation and cooling, (viii). Luminaire change and automatic control, (ix). Reduction in per capita energy consumption (2019 vs. 2018): 8.1%.
o Municipal Hospital: (i). Savings program in all processes, (ii). Network design optimization, (iii). Automation of lighting and air conditioning, (iv). Use of secondary sources of natural light and solar panels, (v). Optimization of ventilation and conditioning systems in hospital and care areas, (vi). Conditioning and isolation in cold areas, (vii). Control of energy use in washing, sanitation, and patient care, (viii). Maintenance and adaptation of boilers and cold equipment, (ix). MMAE of monthly consumption vs. daily bed occupations, (x). Reduction in per capita energy consumption (2019 vs. 2018): 18.2%.
o Clinic (Health Services): (i). Water- and energy-saving plan in all processes, (ii). MMAE of consumption and baseline, (iii). Redesign and application of intelligent lighting and air conditioning systems, (iv). Insulation of “hot” pipes, walls and ceilings, (v). Optimization of ventilation, conditioning, and refrigeration of clinical and service areas, (vi). Campaigns to position values and achieve the systematic application of best practices, (vii). New eco-efficient engine room and boilers, (viii). Reduction of energy losses due to transformation, adaptation of boilers and chillers, (ix). MMAE of monthly consumption vs. daily bed occupations, (x). Reduction in per capita energy consumption (2019 vs. 2018): 20.3%.
o Pharmaceutical Laboratory: (i). Savings and consumption reduction plan in all lines and pharmaceutical forms, (ii). Redesign of processes and product lines with lower energy consumption, (iii). MMAE on plans to reduce use and savings, (iv). Isolation of white areas and warehouses, (v). Redesign of networks and facilities with intelligent air and lighting systems, (vi). Optimization and maintenance of ventilation and conditioning of gray areas, (vii). Training and disciplinary measures for the continuity in the application of good practices, (viii). Replacement of obsolete equipment for eco-efficient conversion (with investment incentive), (ix). Devices on doors and windows to prevent leaks, (x). Cleaning and replacement of filters in air conditioning units, (xi). Reduction in per capita consumption (2019 vs. 2018): 12.2%.
o Port Operation and Logistics Services: (i). Winery savings program, (ii). MMAE on consumption reduction and savings, (iii). Incorporation of energy efficiency in the strategy, (iv). Training, supervision, and measures to apply good practices for E2, (v). Substitution of fuels and development of alternative mixtures (reduction of carbon footprint and consumption of kilowatt-hour per container), (vi). Greater control over own and subcontracted consumption, (vii). Measurement and reduction of electricity and heat losses, (viii). Planning, execution, and control of maintenance and renewal of obsolete equipment, (ix). Efficient lighting, (x). Reduction in per capita energy consumption (2019 vs. 2018): 15.2%.
o Manufacturing (Glass Containers): (i). Global corporate savings program with an emphasis on oven and training, (ii). MMAE on consumption reduction and savings, (iii). 10-year global strategic challenge to reduce consumption by 50%, (iv). Campaigns, training, and supervision for E2, (v). Planning, mastery of standardization, and control in setup and operation of furnaces, (vi). Eco-efficient packaging design, (vii). Automatic control and energy-saving alternatives in lighting (natural and solar panels), (viii). Optimization in ventilation and conditioning, (ix). Reduction of consumption in the supply chain, (x). Reduction in per capita energy consumption (2019 vs. 2018): 10.2%.
4. Conclusions
We present a conceptual model for comprehensive R/O management and the tools to facilitate its application. This includes the results obtained and references to best practices for the deployment and application of the model, from Appendices A.1–A.8. The concepts associated with intelligence for decision-making and security were incorporated into the conceptual and principles framework of the model, from the perspective of the US Department of Homeland Security lexicon (Section 2.1), as well as the concepts and best practices related to biosafety management and business continuity plans (Section 2.3).
In this way, the perspective was broadened, adjusting the approach to the dynamic context. The integration of model requirements was carried out from the identification of the requirements common to each component according to the approach of the HLS [87–90], as illustrated in Figure 6 (Section 2.4), where the additional specific topics of each component were identified, and an analysis of the application of these requirements to the comprehensive biosafety management was carried out. On the reference support portal [13], the authors provided a checklist associated with these requirements in terms of best practices available to the public. The model was configured using graphic illustration and a matrix, which present the structural and functional design of each component, considering the different levels of planning and action, and the layers in which ROBT is deployed within CMS QHSE3+ (Section 3.2). Two key tools were designed to support and facilitate the application of the CRM Model: the matrix-directory for the classification of risk topics, and the parameterization of the ten stages of the process, i.e., definition of the context, determination of the scope, prioritization vs. objectives and processes, identification and assessment of R/O, formulation, execution, and follow-up in the execution of the plan, evaluation of residual risk and restart of the cycle. Holistic and strategic management gives an integral character to the system, which is not a simple combination or addition of components. CMS QHSE3+ is the harmonious integration of an organization’s processes and projects focused on the achievement of the strategic purposes of the business in the path toward sustainable success. For this purpose, the comprehensive management of R/O is a fundamental tool. 
The importance of the management of competencies and culture is highlighted to promote and advance the individual and collective appropriation of the values related to the alignment between thought, conscience, and action, i.e., to take care of yourself, take care, and protect the integrity of resources and the health of people and the organization. The development of culture and competencies must translate into the management of energy efficiency, biosafety, and the development of products, businesses, and processes being systematically reflected in the business continuity plans, maps, and R/O management plans of the business lines, corporate projects, and processes of the organization, and therefore, in the axes and strategic and tactical actions of the organization. With the application of the model and its tools, the results described in Section 3.4 were obtained, which confirmed the validity of the approach, its applicability and contribution to any type and size of organization, and the need to face the challenges of the future. A community of consultants, teachers, entrepreneurs, workers, and researchers related to CMS QHSE3+ will continue to develop tools and strategies to particularize the progress already made in a sectorial way and promote the massification and generalized use of best practices for project management, energy efficiency, and comprehensive management for sustainable success. In practice, the application of the model and its effective implementation is limited by the need to particularize and detail the tools for different sectors of the business activity, which constitute possible future lines of research.
Another limitation is associated with the development of creative, analytical, and abstract thinking, and with the strengthening of the discipline, culture and organization of leaders and process managers, who become key actors in intelligence management and the strategic and operational decision making of businesses. From a technological point of view, there are also limitations generated by the difficulties of compatibility between interfaces of the information systems and process control, and the changes in priorities in the strategic approach to ICT developments. Notwithstanding the above, the figures and results show that in SMEs, this is possible. The facts support and confirm that investment and efforts are recovering significantly, also observing that there may be a behavior curve where the reduction of vulnerability is greater in the first periods.

Author Contributions: Conceptualization, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Methodology, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Validation, P.P.P.-O. and G.C.-Z.; Formal analysis, A.P.-R. and P.P.P.-O.; Investigation, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Data curation, A.P.-R. and P.P.P.-O.; Writing—original draft preparation, P.P.P.-O.; writing—review and editing, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Visualization, A.P.-R. and G.C.-Z.; Supervision, P.P.P.-O., J.C.G.-D. All authors have read and agreed to the published version of the manuscript.

Funding: This research received no external funding.

Acknowledgments: We express our gratitude for the support from Cajacopi Atlántico, QUARA Technology, ASTEQ Technology, Universidad Simón Bolívar, Universitat Politècnica de València and to all the personnel and companies who offered us their contributions and their valuable points of view.

Conflicts of Interest: The authors declare no conflict of interest.
Abbreviations

ANSI: American National Standards Institute
BASC: Business Anti-Smuggling Coalition
BMBL: Biosafety in Microbiological and Biomedical Laboratories
CDC: Centers for Disease Control and Prevention (USA)
CEM: Clean Energy Ministerial
CMS: Comprehensive Management System
Component E–14k: Environmental Management—ISO 14001
Component E2–50k: Energy Efficiency Management—ISO 50001
Component HS–45k: Health and Safety Management Component—ISO 45001
Component Q–9k: Quality Management Component—ISO 9001
CRM: Comprehensive risk management
E2: Energy efficiency
EMAS: Eco-Management and Audit Scheme
EnB: Energy Baseline
EnMS: Energy Management System
EnPI: Energy Performance Indicators
GMP–FDA: Good Manufacture Practices–Food and Drug Administration
HLS: High-Level Structure
ICT: Information and Communication Technologies
IDB: Inter-American Development Bank
ILO: International Labor Organization
INSST: National Institute for Occupational Safety and Health (In Spain)
IPEEC: International Partnership for Energy Efficiency Cooperation
ISO: International Organization for Standardization
ISO DIS: ISO Draft International Standard (DIS)
ISO FDIS: ISO Final draft International Standard (FDIS)
ISO TR: Technical Report of ISO
IEC: International Electrotechnical Commission
ISO/TC: Technical Standardization Committee
ISPS: International Ship and Port Facility Security
KPI: Key Performance Indicators
MMAE: Monitoring, Measurement, Analysis and Evaluation
NBICE: Convergence of Nano-Bio-Info-Cogno-Eco technologies
OHSAS: Occupational Health and Safety Assessment Specification
PDCA: Cycle Plan—Do—Check—Act, or Plan—Do—Check—Adjust
PMBOK: Project Management Body of Knowledge
PMI: Project Management Institute
QHSE3+: Quality, Safety and Health in the workplace, Environmental management, Energy Efficiency, and other risk components
R/O: Risks and opportunities
ROBT: Risks and Opportunities R/O–Based Thinking
rdis: International Design Research Network
SA/SNZ HB: Handbook edited by National Standardization Organizations of Australia and New Zealand
SMEs: Small and medium-sized enterprises
UNIDO: United Nations Industrial Development Organization
WBS: Work Breakdown Structure
WHO: World Health Organization

Appendix A

In Figure A1, the characteristics and structure of the family of ISO 31000 standards are presented, which include: The ISO IEC 73 Guide with the vocabulary, supplemented by Section 3 of ISO 31000:2018, which also contains, as the main axis of the family, the principles and guidelines, the frame of reference, and the process for risk management. As complementary standards, reference is made to the ISO TR 31004:2013 Implementation Guide and the ISO 31010:2019 Guide. Figures A2–A5, with a cut-off date of August 2020, present a logic similar to that indicated here, adding in some cases the standards that are in the process of development, given their relevance in terms of the contribution in best practices for planning and risk management in QHSE3+ components.
Figure A5 includes the ISO 50000 Family on E2, and in Appendix F, the illustration of the crisis management approach and strategic business continuity plan for the case of a family compensation fund in the event of the contingency generated by confinement and COVID-19. Figure A6 presents the global approach for governance, biosafety + biosecurity, and the business continuity plan. In Section 2.3 and Figure 4, the concepts, scope, and needs related to the objectives of comprehensive biosafety and biosecurity management are illustrated. In Sections 2.4 and 3.1, it is observed how this management is articulated within the components of CMS QHSE3+, and the typology of related risks. In the description of the comprehensive R/O management model (Section 3.2), an implicit reference is made to the strategic, operational, and human management for biosafety + biosecurity, contingencies, and business continuity plans. Figure A6 illustrates the strategic and operational approach in one of the 6 companies in which the model was validated: The Family Compensation Fund. Figure A7 presents the chronological and historical milestones related to the development of technology, QHSE3+ standards, and musical and artistic expression. Figures A8–A14, included in Appendix A.8, present the details of the classification of the different risk topics, for the layers considered in Section 3.2, starting from Figure 6.

Appendix A.1

Figure A1. Approach and Logical Structure of the ISO 31000 Family of Standards. [14,20,50,51,65,66].

ISO IEC 73: 2009. Risk management. Vocabulary
ISO 31000: 2018. Risk Management. Principles and Guidelines
ISO TR 31004: 2013. Risk Management. Guidelines for the Implementation of ISO 31000
SECTION 4. Continuous improvement
ISO 31010: 2019. Risk Management. Risk Assessment / Assessment Techniques
SECTION 4. Core Concepts
SECTION 5.
SECTION 6. Implementing Risk Assessment
SECTION 7.
Selecting RISK ASSESSMENT TECHNIQUES

THE PRINCIPLES ESTABLISH THAT RISK MANAGEMENT SHOULD
1. Be Integral and Transversal to all the processes of the organization.
2. Be structured and exhaustive, to measure progress continuously.
3. Adapt to the context and be intimately related to the objectives.
4. Inclusive to involve the parties with direct information.
5. Dynamic, to anticipate and respond to changes.
6. Build on the best information available. Respect confidentiality.
7. Consider internal and external human and cultural factors.
8. Promote and direct continuous improvement, based on learning and the knowledge that experience gives.

SECTION 6. RISK MANAGEMENT PROCESS - APPLICATION OF THE PRINCIPLES AND PROVISIONS OF THE FRAMEWORK TO:
1. The cycle of activities of: Definition of scope, context and criteria. Risk assessment (identification, analysis and assessment). Risk Treatment. Registration - Report.
2. The transversal activities of Communication - Consultation, Monitoring and Review.

Uses of Risk Assessment Techniques
RISK APPRECIATION TECHNIQUES SELECTION GUIDE ISO 31010
4.1 Uncertainty
4.2 Risk
Objective: To provide guidelines for the selection and application of systematic techniques for risk assessment, considering the specific reference to other international standards, where the concept and application of techniques are described in greater detail. This standard is not intended for purposes of certification, nor for regulatory or contractual uses. The document has been very well accepted and widely used, due to its clarity and didactics in the annexes.
6.1 Plan the Assessment
6.2 Manage information and develop models
6.3 Apply Risk Assessment Techniques
6.4 Review the Analysis
6.5 Apply results to support decisions
6.6 Record and report risk assessment process and outcomes
7.1 General, 7.2 Selecting Techniques. Annex A: CATEGORIZATION OF TECHNIQUES.
PRINCIPAL AXIS OF GUIDELINES ISO 31000:2018
RISK MANAGEMENT HAS THREE KEY COMPONENTS: Framework - Principles - Risk Management Process.

IMPLEMENTATION GUIDE TR 31004: 2013
SECTION 3. How to Implement ISO 31000
3.1 General: Presents the general approach of the section and the premises associated with the transversal implementation and maintenance of Risk Management.
3.2 How to Implement: Application of a generic and systematic approach that integrates risk management into the organization's processes, starting from a diagnosis of the needs, and then continuing with its planning, implementation, monitoring and review.
3.3 Integration of ISO 31000 to the Organization's Processes: Analysis of the sequence of stages, from the mandate and commitment; the design of the frame; the implementation of management; to monitoring and review.
Objective: Guide organizations in relation to effective risk management through the application of the ISO 31000: 2009 standard, based on:
a. The reinforcement and application approach of the concepts on risk management. (Annex A).
b. Guidance on the Principles and Frame of Reference for Risk Management. (Annex A).
c. Guidelines on Monitoring and Review for Risk Management (Annex D).
d. Information on the integration of Risk Management to a Management System
Identification of opportunities for improvement in the design of the process and / or the reference framework, based on feedback from monitoring and review, knowledge management, and the dynamics of change in the external and internal context.

GUIDE ANNEXES.
A. Concepts and Fundamental Principles: Extension of the concepts related to risks vs. objectives, uncertainty, control measures, frame of reference, criteria and managing risks.
B. Application of the Principles: Conceptualization and Guidelines associated with the 11 principles proposed in 2009.
(Valid for the 8 principles of the current version ISO 31000: 2018, insofar as they maintain the focus, and integrate in a more logical and simpler sequence).

OBJECTIVE: The ISO 31000: 2018 Standard aims to provide guidelines for managing risk in organizations. The application of these guidelines is adapted to any organization and its context. It can be used in any activity, considering decision-making at all levels. Includes in section 3. Terms and Definitions, with adjustments and simplification of vocabulary. Blocks of terms related to: Risk, Risk Management, Risk Management Process, Communication and Consultation, Context, Risk Assessment, Risk Identification, Risk Analysis, Risk Assessment, Risk Treatment; and Monitoring and measurement.

VOCABULARY Guide 73: 2009. See also Section 3 of ISO 31000: 2018.
Objective: To provide definitions of generic terms related to risk management. To stimulate a common and homogeneous understanding and application of activities related to risk management, from a general perspective. The particular aspects of specialized topics are considered, as appropriate, in the initial section of other specific standards:
Risk, Risk Management. Risk Management Process
Communication and Consultation, Interested party, Perception of risk.
Establishment of context, External context, Internal context.
Risk Criteria, Appreciation, Identification, Description, Risk Source, Event, Danger, Risk Owner.
Risk analysis, Possibility (likelihood), Exposure, Consequence, Probability (probability), Frequency, Vulnerability, Risk matrix, Risk level.
Risk assessment, Attitude, Appetite, Tolerance, Risk aversion, Risk aggregation, Risk acceptance.
Treatment, Control, Avoidance, Risk Sharing, Risk Financing, Risk Retention, Residual Risk, Resilience.
Risk Tracking (Monitoring), Measurement, Risk Report, Risk Register, Risk Profile, Risk Management Audit.

2. Framework 3.
Management Process

THE FRAME OF REFERENCE INCLUDES: THE DIRECTIVE BASE (Policy, Objectives, Leadership and Commitment), and THE PROVISIONS (Accountability, Plans, Methods and Resources), FOR:
1. Promote Comprehensive, transversal and effective Risk Management.
2. Design, Implement and Improve the Management and the Framework, in coherence with the organizational dynamics, its context and its changes.
3. Systematically apply the process and ensure its impact on the Organization.

PRINCIPLES FOR RISK MANAGEMENT. FOCUSED ON THE Protection and Integral Generation of Value.

Appendix A.2

Figure A2. Approach and Logical Structure of the ISO 9000 Family of Standards [16,25].

STANDARDS GROUP Main Block Complementary Block Observations

VOCABULARY OR FRAMEWORK OF REFERENCE
ISO 9000: 2015 Quality Management Systems - Fundamentals and Vocabulary
Published in September 2015, this standard sets out the principles and vocabulary of the ISO 9000 family of standards, emphasizing risk management and taking up the vocabulary of ISO Guide 73. See also the definitions of ISO Guide 73 on risks, and the International Vocabulary of Metrology VIM.
1. Committee TC 176 was created in 1979 and published the first version of ISO 9000 and ISO 9001 in 1987.
2. Although SC1 is officially in charge of developing ISO 9000, the ISO standards include an official definition section, in which, as the case may be, ISO 9000 definitions are taken, or others are added, as appropriate.

STANDARDS - REQUIREMENTS
ISO 9001: 2015. Quality Management Systems. Requirements
FRAMEWORK CERTIFICATION
ISO / TS 9002: 2016 Quality Management Systems - Guidelines for the application of ISO 9001: 2015.
ISO 9004:2018 Quality management. Quality of an Organization.
Guide to achieve sustainable success
ISO 10005: 2018 Quality management. Guidelines for Quality Plans.
ISO 10006: 2017 Quality management - Guidelines for quality management in projects
ISO 10007: 2017 Quality management. Guidelines for Configuration Management.
Although these standards do not set out guidelines on Management Systems, they are in the field of Quality Management in three key issues for business: Planning of the quality of processes and products, Management Quality in Projects, and Configuration Management, applicable in the development of products, from their conception to final disposal. (The three standards are developed from SC2.)
ISO 10001: 2018 Quality management - Customer satisfaction - Guidelines for codes of conduct in organizations
ISO / AW1 10009 [Under development] Quality management - Guidance for quality tools and their application
ISO 10012: 2003 Measurement management systems - Requirements for measurement processes and measurement equipment
ISO / TR 10013: 2001 Guidelines for Quality Management in the Documentation System. At this time, this guide on document management is being revised, in the WD (Working Draft) phase.
ISO 10014: 2006 Quality management - Guidelines for obtaining economic and financial benefits.

GUIDELINES AND GOOD APPLICATION PRACTICES IN SPECIFIC SECTORS, IN THE PHASE OF PUBLICATION, PREPARATION OR APPROVAL. (Documents by Subcommittee SC3)
ISO 10008: 2013 Quality management - Customer satisfaction - Guidelines for electronic commerce transactions between businesses and consumers.
ISO 10015: 2019 Quality management - Guidelines for Competency Management and Human Development.
ISO DIS 10017 Guide to Statistical Techniques for ISO 9001. In the ISO DIS phase, cut-off to August 2020.
ISO 10018: 2020 Quality management - Guidance for people engagement
ISO 10019: 2005 Guidelines for the selection of quality management system consultants and the use of their services.

ISO 9000 - TC 176 FAMILY OF STANDARDS. Documents already published as International Standards ISO. AW: Committee Working Document. CD: Draft Committee. DIS: Draft International Standard. FDIS: Final Draft International Standard.

It is emphasized that the ISO 9001: 2015 reference, developed since SC2, is focused on organizations that understand quality as a strategic factor for success. The deployment and application of Thought based on Risks and Opportunities (TBRO) stands out as a new requirement, from the process approach, the System approach and the strategic path of the organization. The fact that the Management System is framed in a context where stakeholders play a definitive role in the survival and transcendence of business and entrepreneurial efforts is underlined.

GUIDELINES (General Guidelines)
ISO / TS 9002: 2016 (TS by Technical Specification), provides guidance on the rationale and purpose of the requirements in ISO 9001: 2015, with examples of the possible steps that an organization can take to meet the requirements. It does not add, subtract, or modify those requirements in any way. It also does not prescribe mandatory approaches to implementation, nor does it provide any preferred method of interpretation. (Developed since SC2)
ISO 9004: 2018 raises guidelines to improve the capacity of an organization, in order to seek sustainable success, under the approach of the universal quality principles presented in ISO 9000: 2015. It also contains a self-assessment tool to review to what extent the organization has appropriated these guidelines. It is applicable to any organization, regardless of its size, type and activity.
(By SC2)

OTHER GENERAL AND SPECIALIZED STANDARDS OF RECENT PUBLICATION OR FOR 2019-2020, SINCE TC 176
Recent Documents or in process of Generation

GUIDELINES & GOOD PRACTICES OF GENERAL APPLICATION, IN THE PUBLICATION, PREPARATION OR APPROVAL PHASE (Documents by Subcommittee SC3)
ISO 10002: 2018 Quality management - Customer satisfaction - Guidelines for handling complaints in organizations.
ISO 10003: 2018 Quality management - Customer satisfaction - Guidelines for the resolution of conflicts external to organizations
ISO 10004: 2018 Quality management - Customer satisfaction - Guidelines for monitoring and measuring

Appendix A.3

Figure A3. Approach and Logical Structure of the ISO 45000 Family of Standards [26,60,64].

STANDARDS GROUP Main Block Complementary Block Observations

VOCABULARY OR FRAME OF REFERENCE
Although the TC 283 Committee has not published any specific standard on vocabulary, the terms, definitions and notes in Section 3 of ISO 45001 are mostly taken from the vocabulary of the ISO IEC 73: 2009 Guide, Risk Management Vocabulary, and ISO 9000: 2015. See also the publications of the Library of the International Labor Organization ILO, and the World Health Organization WHO, which have been developed with ministries and regulatory entities in Spain and Latin American countries. (Guides and Good Practices at www.ilo.org./inform/online).
1. Reference is also made to the ISO 31000 standards on Risk Management, and to the ISO 31010 standard on Risk Assessment Techniques, which contain definitions that are also useful.
2.
Legislation on occupational health and safety issued by the ministries and regulatory entities of the different countries also provides developments and definitions adopted from OHSAS documents and from ILO Library on Occupational Safety and Health OSH documents.

REQUIREMENTS
ISO 45001: 2018 Occupational Health and Safety Management Systems. Requirements with guidelines for its application.
CERTIFICATION FRAME OF REFERENCE
OHSAS 18002: 2008 Occupational Health and Safety Management Systems - Recommendations for the Implementation of OHSAS 18001: 2007

GUIDELINES & GOOD PRACTICES OF GENERAL APPLICATION, IN THE PUBLICATION, PREPARATION OR APPROVAL PHASE
ISO / DIS 45003 (Under development) Management of safety and health at work - Health and psychological safety in the workplace - Guidelines.

GUIDELINES AND GOOD APPLICATION PRACTICES IN SPECIFIC SECTORS, IN THE PHASE OF PUBLICATION, PREPARATION OR APPROVAL.
ISO 12100:2010 Machine safety. General principles of design. Risk assessment and risk reduction. This guide was reviewed and ratified in its entirety in 2015, by Committee TC 199, Machinery Safety. It specifies the principles of risk assessment and risk reduction to help designers achieve this goal. These principles are based on knowledge and experience of the design, use, incidents, accidents and risks associated with machinery. (Replaces ISO 14121: 2007 Safety of machinery. Risk assessment)
IEC 61508-5:2010 Parts 1 to 5 Functional safety of electrical / electronic / programmable safety-related systems. Prepared from IEC TC 65, this is one of the codes for electrical and electronic safety.

ISO 45000 / TC 283 FAMILY OF STANDARDS. Documents already published as International Standards ISO. AW: Committee Working Document. CD: Draft Committee. DIS: Draft International Standard.
FDIS: Final Draft International Standard.

The ISO 45001: 2018 reference, developed from TC 283, aims to contribute to the protection of companies and jobs, based on the definition of the requirements that a Management System must meet in Occupational Health and Safety OHSMS, based on the establishment and deployment of Thought based on Risks and Opportunities (TBRO), which focuses on the risks associated with incidents, accidents and occupational diseases. As the health and safety legislation of each country also becomes a requirement, it is important to bear in mind that the spectrum of requirements is expanded with the different Decrees, Resolutions and Codes that have the character of mandatory compliance. (Construction, Fire Protection Codes, Technical Regulations for Electrical Installations, Disaster Prevention Codes, among others). All this applicable or reference regulation constitutes an extension of the OHSMS requirements.

GUIDELINES (General Guidelines)
Due to its process approach, structural clarity and simple handling of the subject, this is one of the best guides that have been had in the matter of guidelines to interpret the requirements and implement an OHSMS, in the last twenty years, maintaining the international standard approach. It was developed under the coordination of BSI by the OHSAS project, with the participation of different standardization and certification institutions from Latin America, Asia, Africa, Australia, and entities from France, Spain, Holland, Sweden, Norway and England throughout Europe. (Germany, the United States, Canada, China and Italy were conspicuous by their absence). See also:
1. Annex A of ISO 45001, which presents guidelines and guidance on the interpretation of the requirements.
2. The progress that TC 283 has on the "Implementation Handbook" assigned to the WG3 Working Group.
3.
The Medical Standards in Health, specifically associated with the different risk factors considered, which in many cases give the technical guidelines to follow in terms of prevention, measurement and control measures.
As of the closing date of this state-of-the-art study, unlike the majority of Committees, TC 283 has not submitted its Business Plan or its strategic approach for public review. There are also no significant advances regarding the ISO 45001 Implementation Manual, as a task assigned to the WG3 working group.

OTHER GENERAL AND SPECIALIZED STANDARDS OF RECENT PUBLICATION OR FOR 2019-2020.
Documents in process of Generation
This Guide for Health and Psychological Safety considers one of the key aspects for OSH Management: Psychosocial Risk in the work place. According to the records of Committee TC 283, it is in the phase of Draft International Standard ISO DIS, within the Working Group (AWI).

Appendix A.4

Figure A4. Approach and Logical Structure of the ISO 14000 Family of Standards [27,31].

STANDARDS GROUP Main Block Complementary Block Observations

VOCABULARY OR FRAME OF REFERENCE
Committee TC 207 published the standard ISO 14050:2009 Environmental Management. Vocabulary. This standard is under review, in its Committee Draft (CD) phase. See also the terms and definitions of:
1. Section 3, and Annex A.3 - Clarification of Concepts of ISO 14001: 2015.
2. ISO 9000: 2015 Quality management systems - Fundamentals and vocabulary.
3. The Guide ISO 73: 2009 and ISO 31000: 2018.
4. The International Vocabulary of Metrology VIM.
The ISO TC 207 Secretariat is directly responsible for the topics assigned to SC6, and with it the Revision of ISO CD 14050, which covers the vocabulary blocks on Management, EMS, Validation, verification and auditing, Product systems, Life Cycle, Labeling and GHG. The secretariat is additionally in charge of the following projects:
ISO CD 14053. Material flow cost accounting - Guide for SMEs
ISO NP TR 14055-2 Good practices to combat land degradation and desertification
ISO AWI 14100 Evaluation of green financial projects
IEC DIS 62959 Environmentally Conscious Design (ECD) - Principles, Requirements and Guidance.

REQUIREMENTS
ISO 14001: 2015. Environmental management systems. Requirements with Guidelines for its application.
CERTIFICATION FRAME OF REFERENCE

GUIDES AND PROJECTS OF THE SUBCOMMISSION SC1 Environmental Management Systems (EMS)
GUIDES AND PROJECTS OF THE SUBCOMMISSION SC2 Environmental Audit and Associated Environmental Investigations
GUIDES AND PROJECTS OF THE SUBCOMMISSION SC3 Environmental Labeling
GUIDES AND PROJECTS OF THE SUBCOMMISSION SC4 Environmental Performance Evaluation
GUIDES AND PROJECTS OF THE SUBCOMMISSION SC5 Life Cycle Assessment

ISO 14000 FAMILY OF STANDARDS - COMMITTEE ISO TC 207. International Standards and Projects with General Requirements and Guidelines. Standards and Specific Application Projects. AW: Committee Working Document. CD: Draft Committee. DIS: Draft International Standard. FDIS: Final Draft International Standard.

The ISO 14001: 2015 standard establishes the requirements that an Environmental Management System must meet, and with them, good practices to improve environmental performance, prevent pollution, and protect the environment.
The standard presents in Annex A guidelines and clarifying notes about the interpretation of the requirements, highlighting their purpose and rationale, in terms of good practices associated with each requirement. In some sections, there are examples associated with the scope or types of application of the requirements, specifying aspects related to the overall what associated with meeting the requirement ISO 14004: 2016 GHS - General implementation guidelines ISO 14005: 2019 EMS: Guidelines for a flexible phased implementation approach ISO 14006: 2011 Environmental management systems. Guidelines for the incorporation of eco-design. ISO 14008: 2019 Monetary valuation of environmental impacts and related environmental aspects. ISO CD 14009 SGA. Guidelines for incorporating redesign to improve the circulation of materials (In CD phase). ISO DIS 14002-1 SGA - Guidelines for using ISO 14001 - Part 1: General (In the Draft International Standard phase). ISO DIS 14006 Environmental management systems - Guidelines to incorporate eco-design (In the Draft International Standard phase). ISO DIS 14007 Environmental management - Guidelines for determining environmental costs and benefits (Also in the DIS phase). ISO 14015: 2001 Environmental Management - Environmental Assessment of Sites and Organizations (EASO) ISO DIS 14016 Environmental management - Guidelines for the assurance of environmental reports (Draft International Standard DIS) ISO 14020: 2000 Environmental labels and declarations. General principles. There are also the following projects and standards on labeling: ISO 14021: 2016 Self-declaration Type II; ISO 14024: 2018, Type I Labeling; ISO 14025: 2006 Type III environmental declarations; ISO 14026: 2017 Footprint information; ISO TS 14027: 2017 Product category rules for labeling. 
OTHER SPECIALIZED STANDARDS FROM SUBCOMMISSIONS SC4 (Performance), SC5 (Life Cycle), and SC7 (GEI) ISO 14031: 2013 Environmental management - Environmental performance evaluation - Guidelines ISO 14033: 2019 Environmental management - Quantitative environmental information - Guidelines and examples ISO 14034: 2016: Environmental management - Environmental technology verification (ETV). Additionally, the following are ongoing: ISO DIS 14030 Environmental performance assessment - Green debt instruments: Part 1: Process for green bonds, Part 2: Green Loan Process, Part 3: Taxonomy, Part 4: Verification ISO CDTR 14035 Environmental Technology Verification - ETV - Guidance for implementing ISO 14034 ISO 14040: 2006 Life Cycle Assessment - Principles and framework. Two addenda: The 1st in 2017, and the 2nd in CD phase. ISO 14044: 2006 Life cycle assessment - Requirements. Two addenda: The 1st in 2017, and the 2nd in CD phase. ISO 14045: 2012 Evaluation of the ecological efficiency of product systems: Principles, requirements and guidelines. ISO 14046: 2014 Water footprint: principles, requirements and guidelines. ISO TR 14073: 2017 Water footprint - Illustrative examples on how to apply ISO 14046. ISO TR 14047: 2012 Life cycle assessment - Illustrative examples on how to apply ISO 14044. ISO TS 14048: 2002 Life cycle assessment - Data documentation format. ISO TR 14049: 2012 Life cycle assessment - Application examples of ISO 14044 (Objectives and scope). ISO TS 14071: 2014 Life Cycle Assessment - Critical Review Processes and Reviewer Competencies. ISO TS 14072: 2014 Life cycle assessment - Requirements and guidelines for the organization cycle. GUIDES AND PROJECTS OF THE SUB- COMMISSION SC7 Greenhouse Gases ISO 14064-1: 2018 Quantification and reporting of GHG emissions and removals. Part 1. Parts 2 and 3 were published in 2019. ISO 14065: 2013 GHG. Requirements for validation and verification bodies. There is a revision in phase CD ISO 14066: 2011 GHG. 
Competence requirements for GHG validation and verification teams.
ISO 14067: 2018 GHG. Carbon footprint of products. Requirements and guidelines for quantification.
ISO TR 14069: 2013 GHG. Quantification and notification of emissions for organizations. Guidance for the application of ISO 14064-1.
ISO 14080: 2018 GHG Management and related activities. Principles for methodologies on climate actions.
ISO AWI 14082 Management of radiative forcing - Guidance for quantification and reporting of climate footprints based on radiative forcing and mitigation efforts
ISO 14090: 2019 Adaptation to climate change - Principles, requirements and guidelines
ISO DIS 14091 Adaptation to climate change. Vulnerability, impacts and risk assessment
ISO TS 14092: 2020 Management of Greenhouse Gases GHG and related activities: Requirements and guidance of adaptation planning for organizations, including local governments and communities
ISO DIS 14097 Framework and principles for evaluating and reporting investments and financing activities related to climate change
ISO DIS 19694-1 Emissions from stationary sources. Determination of GHG emissions in energy-intensive industries. Part 1: General aspects.
Figure A4. Approach and Logical Structure of the ISO 14000 Family of Standards [27,31].

Appendix A.5
Figure A5. Approach and Logical Structure of the ISO 50000 Family of Standards [28,52–55,99].

Appendix A.6
COMPONENTS vs INCIDENTS and CONTINUITY
Components: BUSINESS AND QUALITY (Q); HEALTH (HS); ENVIRONMENT (E); ENERGY EFFICIENCY (E2); ICT (+); REPUTATION AND OTHERS (+)
Disruption Incidents: Business and Product Incidents; Health Incidents - SST; Environmental Incidents; E2 Incidents; Incidents TI - SI; Image Incidents and Others (+)

Crisis Management Cycle
A. Institutionalize the Command Bridge for the Governance of the Crisis
B. Institutionalize the Matrix - Dashboard Situational Information
C. Carry out a Census and Matrix of Status of each Person
D. Identify and Analyze Risk and Impact of Crisis Scenarios
E. Define Strategies and Actions vs. Risks
F. Plan Contingency Plans, by priority scenario
G. Implement the Contingency Plan
H. Follow up on the Management and Results
I. Verify compliance.
J. Update and Improve. Lessons Learned.

TACTICAL MANAGEMENT AND OPERATIONAL
INPUTS
1. Outputs from Strategic Addressing
2. Regulation by Service Line
3. New Legislation and Regulations vs. COVID 19.
4. Other experiences in management approach, in related entities.
5. Statistics, Internal Census vs COVID
6. Good Practices and Guidelines ISO 22313 ANDI, WHO, ILO, and others.
OBJECTIVE
Health of the Organization and the people, Continuity in the Operation of the Lines of service. Excellence in Projects, Processes, Products and Services
OUTPUTS
1. Value Promise for Service Lines
2. Portfolio - Service Tree: (Paused, active and new)
3. Updating of Risk Maps and Measures of Control.
4. Review of product specifications, inputs, inbound services, packaging, packing and operation of each line vs COVID 19.
5. Protocols according to prevention and control measures
6. Governance and Continuity Plan

Strategic Lines of Action
1. Governance of the Crisis and the Context
2. Comply with the Legal Requirements of Biosafety and Biosecurity (+)
3. Communicate Risk and its Impact
4. Preventing the Risk of Contagion
5. Manage Remote Work
6. Prevent Non-Conformities
7. Protect Information
8. Prevent Risk of Supply and Inputs
9. Prevent Operational Risk
10. Respond to Changes in Context

CORPORATIVE STRATEGY
INPUTS
1. Study of Context and Actors
2. Previous Strategic Exercise - KPI
3. Scenario Analysis and Intelligence
4. Other corporate experiences
5. Study of the Regulations.
6. Analysis of Changes
7. Study of interruption incidents
8. Prioritization of incidents vs continuity
9. Good Practices: ISO 22300 Family Guidelines WHO, ILO, ANDI, INSST.
OUTPUTS
1. Reformulation of the R/OBT Prevention Value
2. Reformulation of the Comprehensive Policy (+ Bio)
3. Reformulation of the Strategic Map: Solidarity Presence, Caring and Protecting, ICT Competences and Culture for Contingency. Reformulation of Product Lines
4. New PROMISES OF VALUE by Line
5. Projects, Developments and Deployment of Plans and Corporate Protocols
6. Governance and Continuity Plan
7. Results: Reduction of Vulnerability Health, Continuity and Excellence
Command Bridge for Crisis Governance
Figure A6. Strategic and Operational Approach to Biosafety and Biosecurity Continuity Plan [50,51,65,66].

Appendix A.7 Timeline in Technology Development, QHSE3+ Standards and expression
By observing the chronological development of different techniques of know-how and their deployment in daily life and work, construction, or manufacturing, or by analyzing the development of schools of control, quality assurance, and total quality, among others, the emergence of a large number of standards on management systems can be observed. In all cases, what has been standardized or established as the best concerted solution at scale is fundamentally a set of requirements, named best practices: the key tricks for carrying out activities with a lower possibility of failure. At the beginning, these good practices are the best-kept secrets of families, transmitted from parents to children by oral tradition.
Later, they become the teachings of artisans in the family or of the teacher to the apprentice, and finally become the knowledge and know-how or the heritage of a conglomerate, an ethnic group, or a particular group. The reality is that, in one way or another, this knowledge has always been consolidated as a set of best practices that focus on reducing the different types of risks linked to failures, noncompliances, malfunctions, ineffective performance, or conditions of vulnerability.
Figure A7 summarizes the chronological milestones in the development of energy, knowledge, techniques, and concepts of quality (Q-ISO 9001, Family 9k), occupational health and safety (HS-ISO 45001, Family 45k), environmental management (E-ISO 14001, Family 14k), energy efficiency (E2-ISO 50001, Family 50k), risk management (ISO 31000, Family 31k), and standards on business continuity plans. This illustration comprehensively takes into account relevant actors, milestones, and parallel axes of significant events in the history of humanity, and with it, the history of art, music, technology, and mega-projects.
The development of best practices is also associated with risk management in the history of mankind, the development and expansion of the frontier of knowledge, expression, significance, and the development of administrative thinking. Figure A7 illustrates this approach in detail, relating the chronology of the development of management systems to key milestones in the history of energy, humanity, and artistic expression; combined with these projections, the convergent developments in NBICE technology [13,100] and their implications for businesses are on the horizon.
Most of the approaches formulated in each of the requirements and best practices standards had a foundation generated well before the publication of the reference models in question, and this was taken into account directly and indirectly when formulating the concepts, definitions, blocks of terms and requirements, and guidelines for application and specific topics that lead the topics within the ISO Technical Commissions (TC). This is illustrated in the lower right area referring to each TC of the families of standards (see Figures A1–A5), which develop each component of the QHSE3+ model and indicate the years in which the successive reviews were carried out. The ISO 22313: 2020 Standard has been added (guide for the application of ISO 22301: 2018 on business continuity management), as well as ISO 22320: 2018 on incident management, developed from TC 292, Security and Resilience, given its importance to support management systems and respond to crises and contingencies associated with COVID-19 or other types of emergencies.

Figure A7. Timeline in the development of QHSE3+ standards in correlation with the milestones of humanity [13,100].
Time axis: -10000, 0, 1400, 1776, 1800, 1900, 1950, 1975, 2000, 2010, 2020.
Families and technical committees: 9k: TC 176; 45k: TC 283; 14k: TC 207; 50k: TC 301; 31k: TC 262; BCM 22,3k: TC 292.
Standards and revision years: ISO 9001 1987, 1994, 2000, 2008 - 2015; ISO 14001 1996, 2004 - 2015; OHSAS / ISO 45001 1999, 2007 - 2018; ISO 50001 2011, 2018; ISO 31000: 2009 and 2018; ISO 22313: 2012 and 2020.

Appendix A.8 Classification matrix of topics related to external and internal R/O

Topics related to External R/O. External General Block.
E.1. Market and Competition: Fluctuations and variations in the market associated with supply, demand, competitors, participation and portfolio acceptance.
E.2. Geopolitical: Implications linked to conflicts, new trends, political, economic and military relations between countries, groups or regions.
E.3. Legal: Variations in the legal and regulatory provisions related to the operation and the portfolio of the organization.
E.4. Macroeconomic: Fluctuations in inflation, exchange rates, monetary policies and interest rates at the local, regional and global levels.
E.5. Technology: Safe emergence of new tools, applications, platforms and technological developments for services and operations.
E.6. Natural phenomena: Possible occurrence of natural phenomena and non-anthropic disasters with an impact on the operation and on the supply/demand.
E.7. Security and Public Order. Relationship with stakeholders: Public order and relationship with external interest groups that have impact on the operation, image and results of the organization.
E.8. Contingencies. Epidemics: Implications in the behavior of the context, due to the irruption of contingencies, plagues or epidemics.
E.9. Other External Topics: Other types of external R/O with relevant impact on the organization and its sustainability.
Figure A8. Classification matrix of topics related to external R/O [14,51,65,101].

Topics related to Internal R/O. Layer I: I.1 to I.4. Strategy, New Business Development (NBD), Projects and Human Management
BUSINESS CONTINUITY: ISO 22301:2019; ISO 22313:2020; ISO 22317:2015. PROJECTS MANAGEMENT: ISO 21500:2012; ANSI/PMI PMBOK 99-001-2017. INNOVATION MANAGEMENT: ISO 56002:2019; IRAM 50501. SURVEILLANCE AND STRATEGIC INTELLIGENCE SYSTEM: IRAM 50520: 2017, UNE 166006:2018
I.1. Strategic Management, Business Continuity and New Business Development (NBD): a. Intelligence for strategy formulation. b. PDCA for the NBD and the deployment of corporate strategy.
I.2. Corporate Projects Management: a. Study of the Problem and Formulation of the scope. b. Planning and Allocation of Resources. c. Procurement and Management with contractors. d. Control of the project and its parameters of time, scope, costs and quality. e. Generation and delivery of the products object of the project. f. Project closure. g. Effective performance.
I.3. Behavior. Culture and Discipline: a. Organizational behavior in office and its processes, and with the stakeholders. b. Appropriation of institutional values. c. Adherence to the principles and provisions. Degree of compliance with the requirements.
I.4. Decisions. Mistakes and Moments of Truth (General): a. Competences and Information Intelligence for decisions. b. Opportunity and ability to succeed in decision making. c. Ability to identify and respond appropriately in moments of truth.
Figure A9. Classification matrix of topics related to internal R/O. Layer I: I.1 to I.4 [14,51,65,101].

Layer II. I.5 Conditions for the conformity and integrity of products, services and processes
QUALITY: ISO 9001:2015; ISO 9000:2015; ISO 9004:2018. PRIMARY PACKAGING: ISO 15378:2017. RISK (MANAGEMENT AND ASSESSMENT): ISO 31000:2018, ISO 31010: 2019. SAFETY - FOOD CHAIN: ISO 22000:2018. PHARMACEUTICAL, CLINICAL AND LABORATORIES: FDA / GMP, GLP, GCP, ICH - GCP. MEDICAL DEVICES: ISO 13485:2016
I.5.1 Compliance with contractual conditions and terms agreed with the parties. (Include Biosecurity Requirements): a. Functional and performance specifications. b. Technical specifications for product / service and materials / tickets design. c. Specifications and contractual terms of packaging, packaging, and logistics. d. Specifications of planning conditions and process control. e. Training requirements, competencies and personnel assignment. f. Contractual conditions for reverse logistics. Fines and guarantees by NC.
I.5.2 Compliance with requirements in the design and development (D&D) of products, services, processes and projects: a. Planning of the design and development and Management of the Input Data. b. Review, Verification and Validation of Design and Development. c. D&D Exit Data Management and Change Control. (Includes Biosecurity) d. Administration and management of Idea Banks, Concepts, Projects and Developments.
I.5.3 Setup and tuning of the operating conditions of lines and processes: a. Standardization and Tuning of Processes. b. Metrological Management and Instrumentation. c. Enlistment of inputs, supplies, organization and programming.
I.5.4 Successful automatic response associated with the management of moments of truth and decisions in operations. ("Dynamic" Risks and Opportunities): COMPETENCES AND TRAINING, TO HANDLE CRITERIA AND SUCCESSFUL DECISIONS, in moments of truth during "hot" operations: Experience and criteria to act in case of contingencies in an immediate and adequate way. Example of response to unforeseen conditions by drivers on the highway.
I.5.5 R/O associated with the integrity and safety of products / services (Includes the Biosafety Component):
I.5.5.1 R/O Physical Safety: By facilities, equipment, personnel, utensils, packaging, process or supply chain, in interaction with or from the organization's processes.
I.5.5.2 R/O Chemical Safety: Naturally generated by the conditions of the materials or incorporated from or to the processes of the organization.
I.5.5.3 R/O Biological Safety: Generated by Bacteria, Fungi, Arachnids, Insects, Superior Animals and Protozoa, to or from the processes of the organization.
Figure A10. Classification matrix of topics related to internal R/O. Layer II: I.5 [25,48,50,65].

Layer III. I.6 Operational and environmental conditions for the safety and protection of people
SAFETY AND HEALTH AT WORK: ISO 45001:2018; BS 45002:2018. BUSINESS CONTINUITY: ISO 22301:2019; ISO 22313:2020; ISO 22317:2015
I.6.1 R/O Physical HS (Noise, Illumination, Temperature, Humidity, Ionizing Radiations):
I.6.1.1 Noise and lighting: a. Vibrations that can generate discomfort, pain or involvement of the spine. b. Exposure to contrasts or high or low lighting peaks.
I.6.1.2 Temperature and Humidity: a. Variations or peaks in temperature and humidity that are (20-22) ºC, can generate heat, cold or thermal stress. b. Variations or spikes in humidity or dryness outside (35-45)%.
I.6.1.3 Ionizing Radiations: Electromagnetic waves by artificial sources such as X-rays, diagnostic or treatment techniques, and radioactive sources.
I.6.2 R/O Chemical HS: a. Interaction with chemicals in the operation. b. Exposure by inhalation, absorption or ingestion.
I.6.3 R/O Biological HS: Contact with pathogens carrying viruses, bacteria, fungi or parasites, from or to the organization's processes in the interaction with stakeholders and the context.
I.6.4 R/O Ergonomic HS: Prolonged positions, inadequate postures, weight lifting, or repetitive movement.
I.6.5 R/O Psychosocial HS: Work conditions related to: harassment, stress, fatigue, instability, monotony, job fatigue.
I.6.6 R/O Mechanical HS: a. Work at height, unsafe surfaces and confined spaces. b. Misuse of defective tools or equipment.
I.6.7 R/O Environmental HS: For natural or anthropogenic causes, such as rains, floods or other types of disasters.
Figure A11. Classification matrix of topics related to internal R/O. Layer III: I.6 [25,48,50,65].
Layer IV. I.7 Conditions for the prevention of pollution and the protection of the environment
ENVIRONMENTAL MANAGEMENT SYSTEM: ISO 14001: 2015; ISO 14004: 2016. ENVIRONMENTAL PERFORMANCE EVALUATION: ISO DIS 14030:2020; ISO 14031:2013
I.7.1 Conditions related to WHAT IS USED:
I.7.1.1 Energy consumption: a. Hydraulic, Electric, Nuclear, Natural Gas and Fuels. b. Renewable energy.
I.7.1.2 Water consumption: a. Pressure on the resource. Industrial Consumption for Business Processes. b. Domestic consumption for cleaning, toilets, washing, cooking and irrigation, among others.
I.7.1.3 Consumption of Fuels and Lubricants: a. Consumption of solid, liquid and gaseous fuels, such as: Coal, Kerosene, Oil, Diesel, Gasoline and Natural Gas, among others. b. Liquid, gaseous, solid and semi-solid lubricants or additives; mineral, synthetic, vegetable or animal in nature.
I.7.1.4 Consumption of inputs linked to natural resources: a. Packaging material (Cardboard, stretch, plastic, strap, wood ...), Stationery, or others. b. Inputs from natural resources of mineral origin (metals, stone or sand), vegetable (woods, fibers, cotton, linen, cork and paper), or animal, such as leather.
I.7.2 Conditions related to WHAT IS TRANSFORMED:
I.7.2.1 Transformations of soil and the vegetal layer: By works and Interaction of the processes with the soil or the vegetal layer.
I.7.2.2 Landscape transformations: a. For Constructions and Works. b. For advertising, fences or similar elements.
I.7.2.3 Transformation of socioeconomic conditions: a. For indirect jobs, generation of direct jobs or generation of skills. b. By generating changes in behaviors, habits and types of interaction.
I.7.3 Conditions related to WHAT IS GENERATED:
I.7.3.1 Emissions: a. Gases and particulate, b. Vibrations and noise, c. Thermal radiation, d. Ionizing radiation, and e. Non-ionizing radiation.
I.7.3.2 Discharges: a. Industrial wastewater, b. Domestic wastewater, c. Direct pouring.
I.7.3.3 Solid Waste: a. Usable Waste, b. Non-usable waste, c. Dangerous residues, d. Conventional Waste, and e. Special Waste.
Figure A12. Classification matrix of topics related to internal R/O. Layer IV: I.7 [27,40,47,56].

Layer V. I.8 Conditions for the rational use of energy and for Energy Efficiency
ENERGY MANAGEMENT SYSTEM: ISO 50001: 2018; ISO 50004: 2014. MEASUREMENT OF PERFORMANCE AND ENERGY SAVING: ISO 50006:2014; ISO 50047:2016
I.8.1 Conditions of Energy Supply: a. Terms and context related to the organization's energy supply. b. Rationing associated with the supply of Energy. c. Volatility of prices and rates.
I.8.2 Conditions related to Talent and Behavior for Energy Efficiency: a. Related to competencies. b. Related to adherence to the principles and culture for energy efficiency.
I.8.3 Conditions related to Generation and Cogeneration: a. R/O in the planning and development of projects for generation and cogeneration. b. R/O in the operation of the infrastructure associated with generation and cogeneration.
I.8.4 Technical management for heat and cold management: a. R/O related to the management and uses of energy for the management of heat and cold. b. R/O in energy consumption. c. R/O related to the designs, creation and management of networks and systems for managing heat and cold. d. Good practices for the management of heat and cold.
I.8.5 Conditions related to Financial Leverage Resources: R/O related to the funding and financing capacity of investments and technological conversion projects for energy efficiency.
I.8.6 Obsolescence, Contingencies and Contingencies of the Infrastructure for Energy Efficiency: R/O related to obsolescence, and damage, contingencies and contingencies of equipment for operation and key projects for energy efficiency.
I.8.7 Internal management for Energy Efficiency: R/O related to the Planning and Development of actions, Good Practices and Controls for the Improvement in the uses, consumptions and energy performance.

Layer VI. I.9 Conditions linked to infrastructure resources and equipment and facilities maintenance
ASSET MANAGEMENT SYSTEM: ISO 55001: 2014; ISO 55002: 2014.
I.9.1 Infrastructure Planning, Assignment and Maintenance Conditions. (Under Biosecurity requirements): a. R/O in the Planning and Allocation of Resources for the Equipment and Infrastructure. b. R/O in the Maintenance Management of Equipment and Infrastructure.
Figure A13. Classification matrix of topics related to internal R/O. Layer V: I.8, and Layer VI: I.9 [11,28,52–55,99].

Figure A14. Classification matrix of topics related to internal R/O. Layers VII: I.10, VIII: I.11 and IX: I.12 [17,29,30].

References
1. Organization for Economic Co-Operation and Development OECD. SDBS Business Demography Indicators. 6 September 2018. Available online: https://stats.oecd.org/index.aspx?queryid=70734 (accessed on 30 June 2020).
2. Organization for Economic Co-Operation and Development OECD. 24 June 2020. The World Economy on a Tightrope. OECD Economic Outlook, June 2020. Latest Economic Projections.
Available online: http://www.oecd.org/economic-outlook/ (accessed on 28 June 2020). 3. DG GROW. Strategic Plan 2016–2020. Bruxelles: CEE. 2017. Available online: www. https://trade.ec.europa.eu/doclib/docs/2016/august/tradoc_154919.pdf (accessed on 26 June 2020). 4. Zapata, E. SMEs, and Their Business Problems. Case Analysis. School of Business Administration Magazine, Vol. September–December 2004; No 52, pp. 118–135. (In Spanish). Available online: https://www.redalyc.org/pdf/206/20605209.pdf (accessed on 20 October 2020). 5. Muñoz, P. The distinctive importance of sustainable entrepreneurship. CUOCIEnt 2013, 2, 1–6. 6. Parrish, B.D. Sustainability-driven entrepreneurship: Principles of organization design. J. Bus. Ventur. 2010, 25, 510–523. 7. The Standish Group. Chaos Report 2015. Available online: http://www.laboratorioti.com /2016/05/16/ informe-del-caos-2015-chaos-report-2015/ (accessed on 25 June 2020). 8. Arévalo, G. Cluster Support Programs in Latin America: Lessons Learned from the IDB Experience; Fourth Latin American Cluster Congress; CLAC TCI-Mendoza Government: Mendoza, Argentina, 2009; pp. 1–16. (In Spanish). Available online: https://publications.iadb.org/es/publicacion/15838 (accessed on 24 June 2020). 9. Fernández, V.; Vigil, J. Clusters, and territorial development. Theoretical review and methodological challenges for Latin America. Econ. Soc. Y Territ. 2007, 6, 859–912. 10. Kottler, P.; Lane, K. Dirección de Marketing. Ciudad de México: Pearson and Prentice Hall, 12a Edición; 2009. ISBN 970.260763-9. (In Spanish). Available online: http://biblio.econ.uba.ar/opac- tmpl/bootstrap/tc/148262_TC.pdf (accessed on 20 October 2020). I.10.1 R/O associated with the organization, competencies, culture and management of Planning Operations, Feedback, Control and Improvement of ICT. I.10.2 R/O regarding systems acquisition, development and maintenance. Interaction with suppliers and stakeholders. I.10.3 a. 
R/O regarding the operation and opportunity of the services, b. R/O n the management and response to contingencies and inconsistencies in ICT developments for operation and services, c. R/O in the Planning, Development and Control of ICT Maintenance. I.10.4 a. R/O regarding the update status in Information Technology and Communications. b. R/O regarding consistencies between interfaces. I.10.5 R/O in Logical Security Management (Use of software and system assets, data protection, processes and programs). I.10.6 R/O in Physical, Environmental and Operations Security, with the use of information assets and physical conditions for information dynamics. I.10.7 a. R/O in Network Information Transfers.b. R/O in the interaction to and from platform, channels and servers. I.11.1 a. R/O specific to topics related to Planning of financial resources,b. R/O in the allocation, management and control of financial and economic aspects. Associated with the purchase of Systems, the development and maintenance of ICT. Layer VII. I.10 ICT planning, infrastructure, operation and control conditions. MANAGEMENT FOR INFORMATION SECURITY AND CYBER SECURITY: ISO 27001: 2013; ISO 27002: 2013; ISO 27000: 2018; ISO 27103:2018 Associated with the General Management of ICT Conditions related to Financial Management Layer IX. I.12 OTHER SPECIALIZED RISKS AND OPPORTUNITIES (+) RISK MANAGEMENT: ISO 31000: 2018. OTHER RISKS LINKED TO THE NATURE OF THE ORGANIZATION.. Associated to the State of Operation and ICT Operation Associated with the Status of ICT Updates Associated with Logical Security Associated with Physical, Environmental and Operations Security. Associated with Communication Security Layer VIII. I.11 Conditions linked to Financial Management RISK MANAGEMENT: ISO 31000: 2018. Figure A14. Classification matrix of topics related to internal R/O. Layers VII: I.10, VIII: I.11 and IX: I.12 [17,29,30]. References 1. Organization for Economic Co-Operation and Development OECD. 
SDBS Business Demography Indicators. 6 September 2018. Available online from OECD. Available online: https://stats.oecd.org/index.aspx?queryid= 70734 (accessed on 30 June 2020). 2. Organization for Economic Co-Operation and Development OECD. The World Economy on a Tightrope. OECD Economic Outlook, June 2020. Latest Economic Projections. 24 June 2020. Available online: http://www.oecd.org/economic-outlook/ (accessed on 28 June 2020). 3. DG GROW. Strategic Plan 2016–2020. Bruxelles: CEE. 2017. Available online: www.https://trade.ec.europa. eu/doclib/docs/2016/august/tradoc_154919.pdf (accessed on 26 June 2020). 4. Zapata, E. SMEs, and Their Business Problems. Case Analysis. School of Business Administration Magazine. Vol. September–December 2004, No. 52. pp. 118–135. (In Spanish). Available online: https://www.redalyc. org/pdf/206/20605209.pdf (accessed on 20 October 2020). 5. Muñoz, P. The distinctive importance of sustainable entrepreneurship. CUOCIEnt 2013, 2, 1–6. [CrossRef] 6. Parrish, B.D. Sustainability-driven entrepreneurship: Principles of organization design. J. Bus. Ventur. 2010, 25, 510–523. [CrossRef] 7. The Standish Group. Chaos Report 2015. Available online: http://www.laboratorioti.com/2016/05/16/informe- del-caos-2015-chaos-report-2015/ (accessed on 25 June 2020). 8. Arévalo, G. Cluster Support Programs in Latin America: Lessons Learned from the IDB Experience. Fourth Latin American Cluster Congress; CLAC TCI-Mendoza Government: Mendoza, Argentina, 2009; pp. 1–16, (In Spanish). Available online: https://publications.iadb.org/es/publicacion/15838 (accessed on 24 June 2020). 9. Fernández, V.; Vigil, J. Clusters, and territorial development. Theoretical review and methodological challenges for Latin America. Econ. Soc. Y Territ. 2007, 6, 859–912. 
10. Kottler, P.; Lane, K. Dirección de Marketing. Mexico City: Pearson and Prentice Hall, 12th Edition. 2009. Available online: http://biblio.econ.uba.ar/opac-tmpl/bootstrap/tc/148262_TC.pdf (accessed on 20 October 2020).
11. Poveda-Orjuela, P.P.; García-Díaz, J.C.; Pulido-Rojano, A.; Cañón-Zabala, G. ISO 50001: 2018 and its application in a comprehensive Management System with an Energy-Performance Focus. Energies 2019, 12, 4700.
12. Godet, M. The Art of Scenarios and Strategic Planning: Tools and Pitfalls. Technol. Soc. 2000, 65, 3–22.
13. Poveda, P.; Cañón, G. Guide for Integral Risk Management. Understand, Decide and Act Intelligently for Sustainable Success; ICONTEC: Bogotá, Colombia, 2015; ISBN 9789588585512. (In Spanish)
14. ISO. ISO 31000:2018. Risk Management—Guidelines; ISO/IEC: Geneva, Switzerland, 2018.
15. Davidson Institute (DI). Continuity Planning for Your Business. 2020. Available online: https://www.westpac.com.au/content/dam/public/wbc/documents/pdf/help/disaster/WBC_business_continuity_planning_covid-19_checklist.pdf (accessed on 25 June 2020).
16. ISO. ISO 9000:2015, QMS—Fundamentals and Vocabulary; ISO/IEC: Geneva, Switzerland, 2015.
17. ISO/IEC. ISO/IEC 27001:2013, Information Technology-Security Techniques-Information Security Management Systems—Requirements; ISO/IEC: Geneva, Switzerland, 2013.
18. EY. COVID-19: Five Ways to Maintain Continuity and Reshape for Resilience. 2020. Available online: https://www.ey.com/en_be/transactions/companies-can-reshape-results-and-plan-forcovid-19-recovery (accessed on 27 June 2020).
19. US Department Homeland Security. DHS Risk Lexicon; US Department Homeland Security: Washington, DC, USA, 2008.
20. ISO. GUIDE 73:2009, Risk Management—Vocabulary; ISO/IEC: Geneva, Switzerland, 2009.
21. Aven, T. The risk concept—Historical and recent development trends. Reliab. Eng. Syst. Saf. 2012, 99, 33–44.
22. Oliva, F.L. A maturity model for enterprise risk management. Int. J. Prod. Econ. 2016, 173, 66–79.
23. Paraschivescu, A.O. Risk and quality management. An integrate approach. ETC 2016, 19, 55–61.
24. Aven, T.; Zio, E. Some considerations on the treatment of uncertainties in risk assessment for practical decision making. Reliab. Eng. Syst. Saf. 2011, 96, 64–74.
25. ISO. ISO 9001:2015, QMS—Requirements; ISO/IEC: Geneva, Switzerland, 2015.
26. ISO. ISO 45001:2018, Occupational Health and Safety Management Systems—Requirements; ISO/IEC: Geneva, Switzerland, 2018.
27. ISO. ISO 14001:2015, Environmental Management Systems—Requirements with Guidance for Use; ISO/IEC: Geneva, Switzerland, 2015.
28. ISO. ISO 50001:2018. Energy Management Systems—Requirements with Guidance for Use; ISO/IEC: Geneva, Switzerland, 2018.
29. ISO. ISO 22000:2018, Food Safety Management Systems—Requirements for Any Organization in the Food Chain; ISO/IEC: Geneva, Switzerland, 2018.
30. ISEC LTD-ISO/IEC JTC1/SC 27. The ISO 27k Forum. 2018. Available online: https://www.iso27001security.com/html/iso27000.html (accessed on 1 June 2019).
31. ISO. ISO 26000:2010, Guidance on Social Responsibility; ISO/IEC: Geneva, Switzerland, 2018.
32. ISO/IEC. ISO/IEC 13273-1:2015, Energy Efficiency and Renewable Energy Sources—Common International Terminology—Part 1: Energy Efficiency; ISO/IEC: Geneva, Switzerland, 2015.
33. ISO/IEC. ISO/IEC 13273-2:2015, Energy Efficiency and Renewable Energy Sources—Common International Terminology—Part 2: Renewable Energy Sources; ISO/IEC: Geneva, Switzerland, 2015.
34. Kaya, I. Perspectives on Internal Control and Enterprise Risk Management. Eurasian Bus. Perspect. 2018, 8, 379–389.
35. Barafort, B.; Mesquida, A.-L.; Mas, A. Integrating risk management in IT settings from ISO standards and management systems perspectives. Comput. Stand. Interfaces 2017, 54, 176–185.
36. Aven, T. Risk assessment and risk management: Review of recent advances on their foundation. Eur. J. Oper. Res. 2016, 253, 1–13.
37. Thekdi, S.; Aven, T. An enhanced data-analytic framework for integrating risk management and performance management. Reliab. Eng. Syst. Saf. 2016, 156, 277–287.
38. Aven, T.; Zio, E. Foundational Issues in Risk Assessment and Risk Management. Risk Anal. 2014, 32, 1164–1172.
39. Krohn, B.; Aven, T. A new perspective on how to understand, assess and manage risk. Reliab. Eng. Syst. Saf. 2014, 121, 1–10.
40. Labodová, A. Implementing integrated management systems using a risk analysis-based approach. J. Clean. Prod. 2004, 12, 571–580.
41. Bitar, S. World trends and the future of Latin America; ECLAC UNIDO, 2016–Public Management Series, No 85. ISSN 1680-8827, LC/L.4246 LC/IP/L.348. (In Spanish). Available online: https://repositorio.cepal.org/bitstream/handle/11362/40788/S1600740_es.pdf?sequence=1&isAllowed=y (accessed on 19 August 2020).
42. Baena Paz, G. Political Prospective. Guide for Your Understanding Comprehension and Practice; PAPIME Project; Universidad Nacional Autónoma de México: Mexico City, Mexico, 2015. (In Spanish). Available online: https://lideresdeizquierdaprd.files.wordpress.com/2015/11/prospectiva_politica_guia_para_su_comprension_-y_practica_guillermina_baena.pdf (accessed on 9 August 2020).
43. Budhi, M.; Lestari, N.; Suasih, N.; Wijaya, P. Strategies and policies for developing SMEs based on creative economy. Manag. Sci. Lett. 2020, 10, 2301–2310.
44. ILO International Labour Organization. Prevent and Prepare for Pandemics. Business Continuity Planning. Guidelines for Small and Medium-Sized Enterprises; ILO Programme on Crisis Response and Reconstruction; ILO/Crisis: Geneva, Switzerland, 2009; ISBN 9789221228295. Available online: https://www.ilo.org/wcmsp5/groups/public/---ed_emp/documents/publication/wcms_115048.pdf (accessed on 19 July 2020).
45. Tsuyoshi, K. Protecting Your Employees and Business from Pandemic Human Influenza: Ministry of Labour; ILO: Bangkok, Thailand, 2009; ISBN 9789221219491. Available online: https://www.ilo.org/wcmsp5/groups/public/---asia/---ro-bangkok/documents/publication/wcms_101422.pdf (accessed on 28 June 2020).
46. Melly, D.; Hanrahan, J. Tourism biosecurity risk management and planning: An international comparative analysis and implications for Ireland. Tour. Rev. 2020.
47. ILO International Labour Office. Multi-hazard Business Continuity Management: Guide for Small and Medium Enterprises; Programme for Crisis Response and Reconstruction (ILO/CRISIS); ILO: Geneva, Switzerland, 2012; ISBN 9789221265337. Available online: http://www.oit.org/wcmsp5/groups/public/---ed_emp/documents/instructionalmaterial/wcms_187875.pdf (accessed on 7 June 2020).
48. ANDI, National Association of Industrialists. Guide for Business Continuity during COVID-19. (In Spanish). 2020. Available online: http://www.andi.com.co/Uploads.pdf (accessed on 15 June 2020).
49. Matisse, H. La Danse, 1910. Musee de l’Hermitage, Saint-Pétersbourg, Russie. Available online: https://www.hermitagemuseum.org/wps/portal/hermitage/ (accessed on 28 July 2020).
50. ISO. ISO 22320:2018. Security and Resilience—Emergency Management—Guidelines for Incident Management; ISO/IEC: Geneva, Switzerland, 2018.
51. ISO. ISO 22301:2019 “Security and Resilience—Business Continuity Management Systems—Requirements”; ISO: Geneva, Switzerland, 2019.
52. ISO. ISO 50004:2014 Energy Management Systems. Guide for the Implementation, Maintenance, and Improvement of an EnMS; ISO/IEC: Geneva, Switzerland, 2014.
53. ISO. ISO 50006: 2014 Energy Management Systems—Measuring Energy Performance Using Energy Baselines (EnB) and Energy Performance Indicators (EnPI)—General Principles and Guidance; ISO/IEC: Geneva, Switzerland, 2014.
54. ISO. ISO 50015: 2014 Energy Management Systems—Measurement and Verification of Energy Performance of Organizations—General Principles and Guidance; ISO/IEC: Geneva, Switzerland, 2014.
55. ISO. ISO 50047: 2016 Energy Savings—Determination of Energy Savings in Organizations; ISO/IEC: Geneva, Switzerland, 2016.
56. Uriarte, R.; Gil, M.; Valenzuela, J.; Ceballos, J. Methodology for the successful integration of an Energy Management System to an Operational Environmental System. Sustainability 2017, 9, 1304.
57. Cosgrove, J.; Littlewood, J.; Wilgeroth, P. Development of a framework of key performance indicators to identify reductions in energy consumption in a medical devices production facility. Int. J. Ambient Energy 2018, 39, 202–210.
58. ISO. ISO 50049: 2020. Calculation Methods for Energetic Efficiency and Energy Consumption Variations on Country, Region and City Levels: Relationship with Energy Savings and Other Factors; ISO/IEC: Geneva, Switzerland, 2020.
59. Wu, J.; Cheng, B.; Wang, M.; Chen, J. Quality-Aware Energy Optimization in Wireless Video Communication with Multipath TCP. IEEE/ACM Trans. Netw. 2017, 25, 2701–2718.
60. ILO International Labour Organization. In the Face of a Pandemic: Ensuring Safety and Health at Work; ILO: Geneva, Switzerland, 2020; ISBN 978-92-2-032136-2. Available online: https://www.ilo.org/wcmsp5/groups/public/---edprotect/---protrav/---safework/documents/publication/wcms_742463.pdf (accessed on 27 June 2020).
61. WHO; CDC. Severe Acute Respiratory Syndrome. Supplement I: Infection Control in Healthcare, Home, and Community Settings. Public Health Guidance for Community-Level Preparedness and Response to Severe Acute Respiratory Syndrome (SARS); Version 2; World Health Organization: Washington, DC, USA, 2005.
62. World Health Organization (WHO). Laboratory Biosafety Manual, 3rd ed.; Centers for Disease Control and Prevention (CDC): Atlanta, GA, USA, 2004; ISBN 92-4-154650-6.
63. INSST—National Institute for Occupational Safety and Health. Biosecurity. Madrid. (In Spanish). Available online: https://www.insst.es/-/bioseguridad (accessed on 8 July 2020).
64. United States Department of Agriculture (USDA). A Biosecurity Checklist for School Foodservice Programs. Biosecurity Guidelines; 2004. Available online: https://childnutrition.ncpublicschools.gov/information-resources/food-defense-security (accessed on 12 July 2019).
65. ISO. ISO 22313:2020 “Security and Resilience—Business Continuity Management Systems—Guidance on the Use of ISO 22301”; ISO/IEC: Geneva, Switzerland, 2019.
66. ISO. ISO 22317:2015 “Security and Resilience—Business Continuity Management Systems—Guidelines for Business Impact Analysis (BIA)”; ISO/IEC: Geneva, Switzerland, 2015.
67. Buba, P.; Azahari, R.; Armanura, M. The Impact of Information and Communication Technology Resources on SMEs. Asian J. Multidiscip. Stud. 2018, 6, 66–76.
68. Arvanitis, S.; Loukis, E.; Diamantopoulou, V. The effect of soft ICT capital on innovation performance of Greek firms. J. Enterp. Inf. Manag. 2013, 26, 679–701.
69. Harindranath, G.; Dyerson, R.; Barnes, D. ICT in small firms: Factors affecting the adoption and use of ICT in Southeast England SMEs. Available online: https://aisel.aisnet.org/ecis2008/167 (accessed on 20 October 2020).
70. Cavalcanti, G. Barriers to Implementation of Information and Communication Technologies among Small and Medium-Sized Enterprises—Digital Divide through the Business Lens. Masters’ Thesis, California State University, Fresno, CA, USA, 2006.
71. Legg, S.J.; Olsen, K.B.; Laird, I.S.; Hasle, P. Managing safety in small and medium enterprises. Saf. Sci. 2015, 71, 189–196.
72. Podgórski, D. Measuring operational performance of OSH management system—A demonstration of AHP-based selection of leading KPI. Saf. Sci. 2015, 73, 146–166.
73. Cagno, E.; Micheli, G.J.L.; Masi, D.; Jacinto, C. Economic evaluation of OSH and its way to SMEs: A constructive review. Saf. Sci. 2013, 53, 134–152.
74. Badri, A.; Gbodossou, A.; Nadeau, S. Occupational health, and safety risks: Towards the integration into project management. Saf. Sci. 2012, 50, 190–198.
75. Carlson, R.; Erixon, M.; Forsberg, P.; Pålsson, A.C. System for integrated business environmental information management. Adv. Environ. Res. 2001, 4, 369–375.
76. Florio, C.; Leoni, G. Enterprise risk management and firm performance: The Italian case. Br. Account. Rev. 2017, 49, 56–74.
77. Aven, T.; Ylönen, M. A risk interpretation of sociotechnical safety perspectives. Reliab. Eng. Syst. Saf. 2018, 175, 13–18.
78. Ribeiro-Cerejo da Cruz Monteiro, J.I. Factors that Affect Effectiveness in the Use of Enterprise Resource Planning Systems. Reality in Portugal Landscape; Magister Project; NOVA School: Cascais, Portugal, 2019.
79. Skorupinska, A.; Torrent-Sellens, J. ICT, innovation, and productivity: Evidence based on Eastern European manufacturing companies. J. Knowl. Econ. 2017, 8, 768–788.
80. Cabello Cervantes, L.M.; Morales-Hernández, L.A.; Ríos-Moreno, G. The Specific Virtual Strategy (EVE) as a Factor of Value Creation; International Network of Researchers in Competitiveness: Guadalajara, Mexico, 2014; Volume 8, pp. 795–806. (In Spanish)
81. Benítez-Amado, J.; Llorens-Montes, F.J. Information technology-enabled intrapreneurship culture and firm performance. Ind. Manag. Data Syst. 2010, 110, 550–566.
82. González-Posada, D.M.; Reyes-Bedoya, N. Management tools within reach: The case of the hostel network in the city of Medellín. CEA J. Econ. Adm. Sci. 2019, 5, 113–129. (In Spanish)
83. Mattar, J.; Cuervo, L. Planning and Prospects for the Construction of the Future in Latin America and the Caribbean; Selected texts 2013–2016; ECLAC UNIDO: Santiago de Chile, Chile, 2016. (In Spanish)
84. Baena Paz, G. Strategic Prospective Planning. Theories, Methodologies and Good Practices in Latin America; PAPIME Project; Universidad Nacional Autónoma de México: Mexico City, Mexico, 2015. (In Spanish)
85. Aguirre Ramírez, J.; Cataño Rojas, J.; Rojas López, D. Prospective analysis of business opportunities based on technological surveillance. Puente 2013, 7, 29–39. (In Spanish)
86. AENOR. UNE 66177:2005 “Management Systems. Guide for the Integration of Management Systems”; AENOR: Madrid, Spain, 2005. (In Spanish)
87. BSI British Standards. BSI PAS 99:2012. Publicly Available Specification. Common Management System Requirements as a Framework for Integration; BSI: London, UK, 2012; ISBN 978058076869. Available online: https://andrewtmarlow.files.wordpress.com/2012/04/pas-99-second-draft-1-7.pdf (accessed on 24 July 2020).
88. ISO. DRAFT ISO GUIDE 83:2011. High Level Structure and Identical Text for Management System Standards and Common Core Management System Terms and Definitions; ISO/IEC: Geneva, Switzerland, 2011.
89. ISO/IEC. ISO/IEC (2011). Consolidated ISO Supplement. Procedures Specific to ISO. Annex SL (Normative) Proposals for Management System Standards. International Organization for Standardization ISO/IEC Directives Annex; ISO/IEC: Geneva, Switzerland, 2011.
90. ISO/IEC. ISO/IEC (2018). International Organization for Standardization. Directives and Policies Ninth Edition. Retrieved from International Organization for Standardization. Official Rules to Develop an ISO STANDARD; ISO/IEC: Geneva, Switzerland, 2018. Available online: www.iso.org/directives-and-policies.html (accessed on 2 May 2020).
91. Poveda, P.; García-Díaz, J.; Hernandis, B. Application of the Systemic Method to the Design of a Conceptual Model for Comprehensive Management Systems QHSE3+ in SMEs. In IFDP’16—Systems and Design: Beyond Processes and Thinking. Electronic Book Proceedings; Ortuño, B.H., Ed.; Universitat Politècnica de València: Valencia, Spain, 2016; pp. 651–664. (In Spanish)
92. ISO. ISO 21500:2012, Guidance on Project Management; ISO/IEC: Geneva, Switzerland, 2012.
93. Ortegón, E.; Pacheco, J.F.; Prieto, A. ECLAC Manuals: Logical Framework Methodology for Project Planning, Monitoring and Evaluation; ECLAC UNIDO: Santiago de Chile, Chile, 2005. (In Spanish)
94. Rosato, M. Go Small for Project Success. PMWJ 2018, 7, 1–10.
95. Hernandis Ortuño, B.; Briede Westermeyer, J.C. An educational application for a product design and engineering systems using integrated conceptual models. Ingeniare. Revista Chilena de Ingeniería 2009, 17, 432–442.
96. Guerrero, M.; Hernandis, B. An approach to the representation of a product’s form and appearance: Study on design attributes. Innovar 2018, 28, 25–39.
97. ISO. ISO 17741: 2016, Energy Savings. General Technical Rules for Measurement, Calculation, and Verification of Energy Savings of Projects; ISO/IEC: Geneva, Switzerland, 2016.
98. ISO. ISO 17743:2016, Energy Savings. Definition of a Methodological Framework Applicable to Calculation and Reporting on Energy Savings; ISO/IEC: Geneva, Switzerland, 2016.
99. ISO. ISO/TS 50044:2019. Energy Saving Projects (EnSPs)-Guidelines for Economic and Financial Evaluation; ISO/IEC: Geneva, Switzerland, 2019.
100. Rueda Ortíz, R. Technological convergence: Synthesis or political and cultural multiplicity. Signo y Pensamiento 2009, 28, 114–130. (In Spanish). Available online: https://revistas.javeriana.edu.co/index.php/signoypensamiento/article/view/4530 (accessed on 17 May 2020).
101. IEC. IEC FDIS 31010:2010. Risk Assessment Techniques; IEC: Geneva, Switzerland, 2010. Available online: http://ehss.moe.gov.ir/getattachment/f7de1f2a-7559-49b5-8b97-c69b13fa17a9/31010-FDIS-(Risk-Assessment-Technics) (accessed on 2 September 2019).

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).