Article

Parameterization, Analysis, and Risk Management in a Comprehensive Management System with Emphasis on Energy and Performance (ISO 50001: 2018)

by P. Pablo Poveda-Orjuela 1,*, J. Carlos García-Díaz 2, Alexander Pulido-Rojano 3 and Germán Cañón-Zabala 4

1 ASTEQ Technology, 53 Street No. 53-15, Barranquilla 080020, Colombia
2 Centre for Quality and Change Management, Universitat Politècnica de València, Camino de Vera, s/n. 46022 Valencia, Spain
3 Industrial Engineering Department, Universidad Simón Bolívar, Av. 59 No. 59-92, Barranquilla 080020, Colombia
4 QUARA Group, 157 Street No. 13 B-20, Bogotá 110121, Colombia
* Author to whom correspondence should be addressed.
Energies 2020, 13(21), 5579; https://doi.org/10.3390/en13215579
Submission received: 7 September 2020 / Revised: 4 October 2020 / Accepted: 13 October 2020 / Published: 26 October 2020
(This article belongs to the Section B: Energy and Environment)

Abstract

The future of business development relies on the effective management of risks, opportunities, and energy and water resources. Here, we evaluate the application of best practices to identify, analyze, address, monitor, and control risks and opportunities (R/O) according to ISO 31000 and 50000. Furthermore, we shed light on tools, templates, ISO guides, and international documents that contribute to classifying, identifying, formulating control, and managing R/O parameterization in a comprehensive management system model, namely CMS QHSE3+, which consists of quality (Q), health and safety (HS), environmental management (E), energy efficiency (E2), and other risk components (+) that include comprehensive biosecurity and biosafety. By focusing on the deployment of R/O-based thinking (ROBT) at strategic and operational levels, we show vulnerability reduction in CMS QHSE3+ by managing energy, efficiency, and sustainability.

1. Introduction. Problem Analysis, Research Objectives, and Study Approach

1.1. Vulnerability and Low Sustainability of Entrepreneurship Efforts

In the 1950s, no one could have imagined that the first few decades of the new millennium would give companies a harsh confrontation for survival due to the acute economic situation caused by COVID-19 [1,2,3,4,5,6,7,8,9]. Statistics between 2000 and 2019 revealed that more than 80% of SMEs declared bankruptcy within 5 years of operation due to issues related to profitability, external environment, and internal decision-making, planning, and the execution of good management practices [5,6,7,8,9], or the weight of what Philip Kotler called the “marketing war” [10].
The problem is exacerbated by the difficult conditions that entrepreneurs face in a changing market, i.e., increasingly demanding customers, aggressive and unfair competitors, a voracious financial sector, more expensive resources including water and energy, as well as a level of experience and skills that makes them more vulnerable because they do not have the methods or tools to organize themselves and make the right decisions based on information intelligence and good QHSE3+ practices to effectively address the swarm of risks and the context of potential opportunities, for the sustainability of their businesses [2,4,5,6,7,8,9,10].
Moreover, the failure rate of ICT projects and the implementation of management systems until 2019 was above 60% in countries with the highest vulnerability [4,7,8,9]. The root causes of failure in these entrepreneurship efforts are directly related to competencies, discipline, culture, and the application of simple and effective tools to facilitate comprehensive risk management (CRM) by identification, immediate response, containment, evaluation, and treatment.
This is precisely the question that justifies the research efforts that this work supports: What to do to contribute to the sustainable management of SMEs and entrepreneurs? The authors’ commitment is linked to the configuration of a Reference Framework for Comprehensive Risk Management (CRM), within the Comprehensive Management System CMS-QHSE3+, with tools that facilitate its application to entrepreneurs, supported by Good Practices of related ISO international standards.
It is important to note that the research uses the expressions Comprehensive Risk Management Model (CRM), and Comprehensive Management System (CMS), instead of Integrated Risk Management, or Integrated Management System, for the following reasons: In the first place, management in both cases is integral and holistic, since regardless of the scope or level they are managed in, its unit, its principles and strategic focus, as in DNA, are maintained. Furthermore, the integrated expression, in its etymology and definition of the DRAE, would limit the scope of the system to the sum of its parts, or to the sum of the response to the standards used in each component. Finally, it is emphasized that it is possible to have an integral management, even if it works or if it is certified with one, two, or three standards, to the extent that the dynamics around the strategy and all the processes are focused on the characteristics, priorities, interests, risks, and opportunities of the organization [4,7,11].
Previously, our research gave rise to the article entitled “ISO 50001: 2018 and its application in a Comprehensive Management System with an energy performance approach”, in which the CMS Model QHSE3+, the Route, the Task Breakdown Structure and the products to be generated in a CMS QHSE3+ Implementation Project, with emphasis on the E2 energy component, were discussed. This paper focuses on the framework of reference for Comprehensive Risk Management CRM, and on the tools for its identification, analysis, and treatment at a strategic and operational level [11,12,13].

1.2. Objectives

(1) To present a CRM model using CMS QHSE3+ through the applications of best practices to identify, analyze, address, monitor, and control risks and opportunities (R/O), taking into account the guidelines of the families of ISO 31000 standards and ISO 50000, as well as tools, templates, and references to international ISO guides, documents that contribute to the classification, identification, formulation of controls, and parameterization for the deployment of R/O-based thinking (ROBT) at strategic and operational levels.
(2) To present the results obtained on vulnerability reduction at strategic and operational levels through energy efficiency management and business sustainability.
These two objectives are directly linked to the purposes of the present research, which seeks to respond to the need among entrepreneurs and SMEs for tools, models, and instruments that facilitate the application of Good Practices of the families of standards related to the QHSE3+ components, and with Risk Management, to contribute to the sustainable development of entrepreneurship projects, and in the comprehensive generation of value for stakeholders.

1.3. Article Outline

Section 2 presents the basic elements of the study, including (Section 2.1) the presentation of concepts, principles, and advances for comprehensive R/O management; (Section 2.2) energy efficiency; (Section 2.3) comprehensive biosecurity; and (Section 2.4) the integration of requirements associated with high-level hierarchical structure (HLS).
Section 3.1 presents the main objectives and methods of the research, and Section 3.2 the classification matrix of the types of QHSE3+ R/O, including those related to comprehensive biosecurity, which can also be applied to health and safety (HS), environment, quality (Q), or the strategic analysis of risks and provisions to ensure business continuity. Section 3.3 describes the R/O integral management model incorporated into CMS QHSE3+, and Section 3.4 shows its flow and parameterization to facilitate its application through computer tools. Section 3.5 includes the achievements and general benefits obtained with the application of the tools and models presented in this study for the implementation/consolidation of CMS. Section 3.6 presents a discussion on the results obtained in terms of energy efficiency and vulnerability reduction for business sustainability.
Section 4 includes the conclusions. The Appendices include the logical structure and references to tools, guides, and best practices contained in the families of ISO 31000 (Figure A1), ISO 9000 (Figure A2), ISO 45000 (Figure A3), ISO 14000 (Figure A4), and ISO 50000 (Figure A5). Figure A6 presents the approach taken for the continuity plan to govern the COVID-19 pandemic based on the best practices of the ISO 22300 family of standards in a services company.
Figure A7 includes the chronology corresponding to the development of the QHSE3+ Standards in correlation with the milestones of musical, artistic, and transcendental expression of man, under a holistic approach. Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14 present the detail of the classification of internal and external R/O, according to the layers indicated in Section 2.4 and Section 3.2.

2. Materials and Inputs for Research

2.1. Concepts and Principles of CRM

2.1.1. Risks, Risk Management, Intelligence, and Decision-Making

Based on the definitions of ISO 31000: 2018, the ISO 73: 2009 Guide, the Guide for Comprehensive Risk Management published by the Standardization and Certification Body ICONTEC, from the perspective of the ILO, and the approach given by the US Federal National Security Agency to concepts related to danger, threats and risks, in its “Security Lexicon”, as illustrated in Figure 1, the terms on risk management, the intelligence cycle, and the decision-making cycle can be correlated around the Protection of the Integrity of Resources and the Creation of Value, which is the reason of being of Risk Management [13,14,15,16,17,18].
In Figure 1, concepts associated with intelligence, risk and security are correlated, in the context of Management Systems, taking into account the vulnerability of organizations generated by various sources of risks, which combine the possibility or severity, and that have an impact or consequences, on the achievement of objectives, on capital, or on the integrity of resources.
Oriented from bottom to top of Figure 1, there is an Axis ID which brings together the Intelligence Cycle and the Decision-Making and Actions Cycle, to illustrate the sequence of Knowing (understanding), Reasoning, Deciding, and Acting with Intelligence.
In the area to the right of Figure 1, the flow of the Risk Management Process is proposed, in accordance with the ISO 31000: 2018 approach; the Axis RMP with the same name has been established. The process comprises a sequence of the following actions: (i) establish the strategic, organizational and risk management context, scope and related criteria; (ii) identify the risks, that is, determine what can happen and how; (iii) analyze the risks, which implies analyzing the possibility, the consequences, and sometimes the degree of exposure; and (iv) assess the risks, which involves listing risks according to their priority.
So far, the steps mentioned in the Intelligence and Risks Cycle correspond to Knowing, Reasoning, and initiating the actions to Decide, based on priorities. Next, there is the stage of Acting with Intelligence. In the process, this corresponds to Treating Risk and Control, i.e., planning and implementing measures to eliminate, reduce, mitigate, or take contingency actions. Next comes the action of Monitoring the control system, and the status of the risk, to close the cycle with the action of Communicating and Consulting, which involves interacting with various parties to obtain a maximum of information about each risk and its context. Finally, all actions and risk treatment consider the Report and Record. In this approach, the following points stand out:
The concept of risk is directly associated with uncertainty and constitutes the conjugation of the possibility of an event that may have a positive or negative impact on the achievement of objectives or the integrity of resources. Chance is the source of risk, and in some contexts, it is associated with the term “risk factor” [14,15,19,20].
Uncertainty is the “state generated by the deficiency of information to understand or know an event, its consequences, and probability of occurrence” [16,19,20].
Vulnerability is the condition of design, location, or operation that makes an asset, organism, product, service, process, or system susceptible to an attack [14,15,19,20]; its reduction can be assessed in terms of the proportion or percentage of reduction of the risk level, as indicated by Equation (1) [11], where DismVul denotes the percentage decrease in vulnerability after implementing antirisk measures, Poi and Goi are the initially assessed possibility and gravity, respectively, and Pfi and Gfi are the final possibility and gravity after adopting the planned measures, respectively.
$$\%\,\mathrm{DismVul} = \frac{\sum_{i=1}^{n} P_{oi}\, G_{oi} - \sum_{i=1}^{n} P_{fi}\, G_{fi}}{\sum_{i=1}^{n} P_{oi}\, G_{oi}} \qquad (1)$$
The decisions cycle plays a fundamental role in the activities of any organization. This cycle includes the intelligence cycle, as it considers the phases of capturing information, classifying it, analyzing it, and understanding its context and behavior to guide decision-making [13].
In the intelligence cycle, identification, analysis, and evaluation must be integrated into risk assessments. The union of the two cycles brings together know (understand), reason, decide, and act with intelligence, linking “intelligence” with decision-making and the orientation of actions with reliable information and the criteria for analyses of the matter to be decided. Thus, with the intelligence of the information, it is possible to reduce the uncertainty linked to decisions.
The result or impact of R/O is the effect an event can have on the integrity of the resources and objectives. As the impact or consequences can be economic, personal, or missionary, R/O management brings together “the coordinated actions to direct and control the organization concerning its risks and opportunities” [14,17], which focus on reducing their possibility of occurrence and impact, or enhancing opportunities, thereby leading to the creation or protection of value.
Resilience is the adaptive capacity of an organization in a complex and changing environment [14,15,18]. The US Department of Homeland Security [19], expands this definition as a “systems’ capacity, infrastructures, government, companies, and citizens to resist, absorb, recover from, or adapt to an adverse event that may cause harm, destruction, or loss of national importance,” or the “capacity of an organization to recognize threats and dangers and make adjustments that improve future protection efforts and risk reduction measures.”
Threat [19] is a natural or man-made phenomenon generated by people, entities, or an action that has or projects potential damage to life, information, operations, the environment, or property. It considers the conditions of intent or unintentionality of the threat.
The scenario corresponds to a hypothetical situation composed of hazards, an entity affected, and the associated conditions, including consequences when appropriate [19]. An incident is a natural or man-made phenomenon, or an action that has or projects potential harm to damage life, information, operations, the environment, and/or property.

2.1.2. Scope of Risk Management in Society and Companies

Many companies today face the difficulties of the market, competition, and sustainability, and see problems related to water, air, soil, energy, natural resources, global warming, and biosecurity. There are also multiple financial, social, and macroeconomic dangers related to the increase in interest rates, tax burdens, and the strengthening of the prevailing currencies. Thus, doing business is an increasingly difficult mission [12,13,14,15].
Changes in customs, habits, ways of doing business, and technological developments and restrictions on access to ICT also generate vulnerability. With this spectrum of adversities, the future of entrepreneurs and project leaders is marked by the need to make intelligent decisions that allow them to respond appropriately to adverse situations, opportunities, and contingencies.
Therefore, it is essential to apply risk management and foresight in strategy and operational dynamics [12,13,14,21,22,23,24]. Thus, it is necessary to determine the tools and guides necessary for the application of the good management practices that underlie each component of CMS QHSE3+:
For Component Q, associated with the strategic and quality risks, the best practices of ISO 9001: 2015 and ISO 9000 family of standards, support this approach [25].
For the HS component linked to occupational health and safety risks, the best practices of ISO 45001: 2018 and the ISO 45000 family of standards, also support this approach [26].
For Component E of the environment related to risks due to contamination and deficiencies in environmental performance, ISO 14001: 2015 and the ISO 14000 family of standards, support the planning and application of best practices [27].
For the energy efficiency component (E2), the best practices of ISO 50001: 2018 and the ISO 50000 family of standards, support a management approach which reduces the vulnerability associated with the use, consumption, and performance of energy [28].
The sign (+) at the end of the abbreviation corresponds to any other reference that may be applicable to, or required by the organization, such as ISO 22000: 2018. “Food safety management systems”, or ISO 27001: 2013 “Information Security Management Systems” [29,30].
At this point, the risks related to corporate social responsibility can be considered part of the additional risks “plus (+)”, as well as the risk of not taking actions that contribute to sustainable development [31].
From the integral perspective of risk management, the approach of ISO 31000: 2018 risk management is applied, and the terms and definitions for risk management and QHSE3+ components are adopted from ISO 73 GUIDE, ISO 9000: 2015, ISO 45001: 2018, ISO 14001: 2015, ISO 14050: 2009, ISO 50001: 2018, and ISO/IEC 13273: 2015 [16,25,26,27,28,30,31,32,33] (see Figure A1, Figure A2, Figure A3, Figure A4 and Figure A5, and Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14).
Although there are no specific developments in Risk Management from a comprehensive QHSE3+ perspective, the work carried out by Aven T., Labodová A., the ISO Committee TC 262, ANDI, and ILO, among others, is highlighted [34,35,36,37,38,39,40,41,42,43,44,45,46,47,48]. See also Figure A1.

2.1.3. Principles of Risk Management

Risk Management must be based on the application of several principles that support its application in the processes and functions of the organization in the context of a business culture that focuses on continuous improvement, the integral generation of value, and sustainable success.
Figure 2 presents the principles of ISO 31000: 2018 [14] within a model in which its perspective is broadened, taking into account the critical factors that underlie the approaches of the previous paragraph regarding the scope and importance of the Management of Risks in companies and in society.
For this reason, the illustration uses three versions of “La Danse”, a famous work by Henri Matisse [49], to highlight the holistic and social nature of Comprehensive Risk Management and its principles. Six basic perspectives are considered for its classification: Management and Leadership, Talent and Culture, Processes, Stakeholders, Decisions and Improvement.
In a similar way to dashboards or strategy maps, Figure 2 is structured in terms of its perspectives, from the bottom up, in such a way that the foundations of the management of principles and values are based on Leadership and the example of the Management Team, which are reflected in Human Talent, Culture and capacities, to develop Processes, in interaction with Stakeholders, and are projected in the Decisions of the entire organization, to ensure Improvement, and Comprehensive Management of Risks on the factors associated with the dynamics of change.

2.2. Basic Principles and Management Approach for E2

Given that organizations require energy resources for the operation of their processes and interactions with stakeholders, continuous and systematic improvement of energy performance is imperative from strategic and operational standpoints, based on the best practices of the ISO 50000 family of standards, considering (See Figure 3 and Figure A5):

2.2.1. Aspects Related to Planning in Energy Management Systems (EnMS)

Aspects related to planning in Energy Management Systems include the planning, design, and development of businesses, products, services, processes, and projects, according to parameters and technology, with specific objectives, plans, and challenges to improve savings, energy performance, the registration of energy data, analyses, and associated risk management.
This stage also includes an analytical part called the “energy review”, in which readings, consumption, trends in parameters, flows, and losses are analyzed, and areas of significant use are determined. This is the starting point to register, prioritize, and formalize the possible fronts for improvement with relevant strategic impact [52].

2.2.2. Aspects Related to the Execution of the Plans and the Operation of the EnMS

Aspects Related to the execution of the plans and the operation of the EnMS include the execution of plans and provisions, and the implementation of established best practices, which also include the promotion of culture for energy management and the application of operational control (i.e., the management of the components of processes) through which it is possible to control parameters and address risks associated with energy efficiency (i.e., methods, competencies, maintenance, tuning, control of purchases, materials and contracts, and energy supply, among others).

2.2.3. Aspects Related to EnMS Feedback

Aspects related to EnMS feedback include articulated feedback from the management of energy performance indicators (EnPI), the LBEn energy baseline, understood as the “quantitative reference that provides the basis for the comparison of performance in a given period,” the measurement with “energy models” to summarize and analyze the energy consumed by the system, monitoring, and other feedback and auditing mechanisms.

2.2.4. Aspects Related to the Maintenance, Adjustment, and Improvement Actions of the EnMS

Aspects related to the maintenance, adjustment, and improvement actions of the EnMS include actions for the adjustment, correction, maintenance, or improvement in energy performance, which also include lessons learned and the projection of decisions and challenges resulting from management reviews and determining the future of the organization in terms of energy efficiency management.

2.2.5. Developments Related to the Optimization and Improvement of EnMS

Although there has been a fairly broad spectrum of technological developments and advances in the optimization and improvement of the rational and efficient consumption of energy, works related to awareness raising and EnMS are highlighted, e.g., works carried out by J. Wu, B. Cheng, M. Wang and J. Chen, as well as those related to ISO TC 301, and those of other researchers such as R. Uriarte and J. Cosgrove [52,53,54,55,56,57,58,59]. See also Figure A5.

2.3. Basic Principles and Management Approach for Biosecurity and Biosafety

2.3.1. Biosecurity and Biosafety

In this section, the concepts of and approach to comprehensive management for biosafety and biosecurity are raised as an additional input element from the perspective of the WHO, ILO, and CDC [60,61,62,63,64]. According to the WHO [61], biosecurity is “the set of principles, standards, protocols, technologies, and practices that are implemented to avoid the risk to health and the environment that comes from exposure to biological agents, causes of infectious, toxic or allergic diseases, such as COVID-2019”.
According to the CDC and the BMBL [62], biosafety “is the discipline that addresses safety against microbiological agents and toxins and threats they pose to human and animal health, the environment, and the economy; the misuse, exposure, or deliberate or intentional release of these biological agents”.

2.3.2. Comprehensive Biosecurity Management

Comprehensive biosecurity management (CBM) considers the synergy between biosafety and biosecurity, that is, it considers intentional and unintentional cases. For everything related to intentional cases or terrorism, the measures understood as Bioprotection Plans will be adopted. For the case in which companies are part of the food chain, as suppliers, processors, transporters, or distributors, the Food Defense Plans will be applied [60,61,62,63,64].
In line with the approaches described above, under the approaches of the CDC, BMBL, INSST, ILO, and WHO, Table 1 illustrates, as a conclusion, the three logical blocks corresponding to the What, What for, and Where, of the concept of Comprehensive Biosafety. With this perspective, it is proposed as a conclusion that Comprehensive Biosafety Management comprises the planning, application, feedback, and control required to ensure the vertical and transversal integration of the principles, norms, protocols, technologies, and practices required for the identification, prevention, containment, and response through good practices and infrastructure to the risks to health and the environment that come from exposure to biological agents that cause infectious, toxic, or allergic diseases, from or to the processes of an organization in their interaction with interest groups [60,61,62,63,64].

2.3.3. Comprehensive Biosecurity and Biosafety Management: Risks, Strategy, and Business Continuity

This section presents advances and developments in four areas associated with governance and the need for a comprehensive management model: risks, biosecurity and biosafety, business continuity, and strategic prospective.
In recent decades, the development of knowledge in risk management and biosecurity + biosafety has become vital for various fields and for technological development. This is reflected in the proliferation of management standards, such as the developments of the ISO TC 292 Technical Committee, that lead International Standards on Security and Resilience, including incident management, emergencies, contingency plans, and business continuity, e.g., ISO 22301: 2019, ISO 22313: 2020, and ISO 22317: 2015 [51,65,66].
Management for biosecurity and biosafety is a factor of mandatory consideration within CRM, for not only companies, but also for laboratories and the food chain, given the current context associated with COVID-19. The scope of biosecurity and biosafety management covers all processes, facilities, and products, and applies to workers or third parties who perform activities on behalf of companies and users who interact with them.
The ILO, WHO, and other researchers have developed guides, standards, and resolutions of mandatory applications. These developments in technology, regulation, and knowledge are associated with the multiplication of potential risk factors determined by acute moments of economic depression and geopolitical crisis, terrorist attacks, biological weapons, and other critical events, such as COVID-19.
With technological developments and regulations in the field of health, work, and well-being, management systems point toward integrality to support businesses; they require global management of intelligence in interactions with relevant parties and comprehensive management protection, which includes biosecurity and biosafety, with a transversal scope that covers ICT and generational change [67,68,69,70,71,72,73,74,75]. Figure A6 provides further information on www.sra.org (Society for Risk Analysis) and www.eird.org/americas/indexeng.html (UN Office for Disaster Risk Reduction) as sources that contribute to safety, care, and protection in operations and projects through developments, tools, and information at the service of stakeholders. These references are complemented with articles, publications, and developments in the foundations and strategic and operational dimensions of risk management, resilience, and reliability [35,37,38,40,76,77].
It is a challenge for companies to choose the right tools to address the transformation of their processes and businesses under a CRM umbrella. This implies ensuring the relevance of services and processes and in a transversal way, self-care, care, protection, containment, and creative forms of response to the conjugation of contingencies which are maintained in crises under the premise of sustainability, health, and well-being [78,79,80,81].
In terms of strategic foresight, the developments have been led by French schools since 1990 by generating manuals, computer applications, and tools at the service of the community [82,83,84,85].
Despite these improvements and those mentioned in the preceding paragraphs, SMEs do not have simple and comprehensive tools that are grouped under the umbrella of strategic management, risk management, energy efficiency, business continuity plans, and response to potential and real crises such as COVID-19. In addition, they are mostly unaware of the best practices of the recognized international standards and guides [44,45,46,47,48,50,51] to respond to the basic needs that, for a CMS, and with regards to energy efficiency and biosafety, must apply to a company.
Figure 4 illustrates that under contingency conditions, companies must attend to a systematic plan for different types of incidents, which may be associated with a business strategy, quality, safety and regulatory requirements of products and services, aspects of health, safety, and impact on the environment, energy efficiency, information security, networks, and communications, or any other types of combined or independent risks [44,47,48,50,65,66]. The materialization of risks translates into incidents with potential implications in terms of vulnerability due to the interruption of operations, the supply chain, or business continuity. Then, business continuity plans [50,65,66] must address incidents by prioritizing their impact and potentiality.
Incidents, regarding their occurrence and association with QHSE3+ components, generate crises and situations associated with their implications and the collateral implications of the measures adopted to respond to them.
The governance of these crises should be included in the organization’s management through the crisis management command bridge from where particular scenarios located in the “red” zone with the greatest probability, and their consequences, should be prioritized, and contingency plans should be formulated.
Importantly, within the QHSE3+ framework, the objectives of comprehensive biosafety management with its business continuity and contingency plans for crisis scenarios include: Protecting the health and well-being of people and the organization with an emphasis on self-care; Adapting the promise of value and the product/service to the conditions of the situation, and complying with excellence; and Guaranteeing the continuity and sustainability of the business, supply, and supply chain (See also Figure A6).

2.4. Integration of CMS QHSE3+ Requirements and HLS

CMS QHSE3+ is a harmonious integration of the elements required to develop a management model that focuses on complying with agreements, requirements, and applicable legislation, preventing failures and risks, and having a proactive approach that shows the causes of failures and leads to continuous improvement in business performance. Since the end of the last century, a common structure has been envisioned in the required standards on management systems led by several standardization secretariats, such as BSI-England and AENOR-Spain, which generated UNE 66177:2005 and PAS 99:2012 [86,87], respectively.
See also Figure A7, which presents, under a holistic approach, the chronology of the historic development of the QHSE3+ Standards in correlation with the milestones of technology and the expression of man throughout the ages.
In 2013, the HLS was defined to guide these standards from 2015 onward. This reference became the “Appendix SL” of the Supplement to the ISO/IEC Directives on the hierarchical structure of management systems standards [86,87,88,89,90]. Figure 5 summarizes the HLS approach under the PDCA cycle with which the requirements and mandatory basic structure of the management systems standards are defined and integrated; this approach covers the requirements of Chapters 4 to 10, given that the initial Chapters 1 to 3 are intended for Scope (1), Normative References (2), and Terms and Definitions (3). Chapters 4 to 7, with a yellow background, belong to the P for Planning and include 4. Context of the Organization, 5. Leadership, 6. Planning, and 7. Support. The H of Doing, with a green background, contains Chapter 8. Operation; the V of Verify, with a light red background, contains the feedback topics under Chapter 9. Performance Evaluation; and the A of Act, with a light blue background, outlines Chapter 10. Improvements.
As a convention, the requirements in purple italics have the same title for the standards of the QHSE3+ components, and are given in the extension of Chapters 4, 7, and 10. ISO 45001:2018 includes several additional numerals exclusive to this reference, identified in red (HS): accountability (Numeral 5.3 partial), participation and consultation (Numeral 5.4), change management (Item 8.1.3), and emergency preparedness and response (Numeral 8.2), which is also included in ISO 14001:2015 (E) under the same numeral (Numeral 8.2).
In Figure 5, under the criteria of affinity with risks and planning, numeral 8.2 Plans to Respond to Emergencies has been placed as part of the planning in numeral 6.1, i.e., Actions to address R/O. In its application, best practices for business continuity are considered both from a global strategic point of view, as well as for each service line and the supply chain.
ISO 9001:2015 has requirements specific to this component, identified with a blue letter (Q): planning of changes (Numeral 6.3), requirements for products and services (Numeral 8.2), design and development (Numeral 8.3), control of externally supplied processes, products and services (Numeral 8.4), production and service provision (Numeral 8.5), release of products and services (Numeral 8.6), and control of nonconforming outputs (Numeral 8.7).
The ISO 50001: 2018 standard also includes particular requirements, identified with petroleum-green lettering (E2): numerals 6.3 energy review, 6.4 energy performance, 6.5 energy baseline, and 6.6 planning for the collection of energy data, as well as design (Numeral 8.2) and acquisitions (Numeral 8.3). To facilitate the comprehensive application of these requirements and additional ones such as ISO 27001: 2013, the authors provide, in reference [13] on the support portal, an Excel application framed within the structure of Figure 6, with a checklist of the common and uncommon requirements of the QHSE3+ standards.

3. Results, Achievements, and Discussion

3.1. Fundamental Purpose of the Research. Methodology

The research that supports the results presented in this paper focuses on contributing to the effectiveness and sustainability of Entrepreneurship Projects and the Implementation of Comprehensive Management Systems QHSE3+, SMEs, and the business sector in general, through the design and preliminary application of instruments and tools that enable the understanding, implementation, and application of Good Practices for sustainable success, and, in the future, its massification, from a holistic perspective for the strategic and operational management of risks and opportunities (R/O).
The following are the specific objectives in the field of Comprehensive Risk Management: the design of the Model and Reference Framework, the development of tools for the identification and classification of R/O, the parameterization of the Risk Management Process, and the initial application of the Model and its Tools in goods and services companies. The methodology used combined both applied and qualitative research:
The approach of the logical framework methodology developed by ECLAC and the IDB was applied in the formulation of this research project [92,93,94].
The configuration of the model was carried out in a global and particular way for its main components, adapting the developments of the systemic design to the particular case of the functional, ergonomic, and formal design of a model of CMS [95,96].
The applied research took place during consulting exercises in which the model and tools were validated and adapted to six cases of companies between 2014 and 2019, with positive results and the ratification of the approach.
In 2020, with the contingency of COVID-19, there was the opportunity to incorporate biosafety and business continuity plans into the model in the design and deployment of the governance plan in one of the six reference companies (See Section 2.3, Section 2.4, Section 3.2 and Figure 4, and the summary of the strategic and operational approach in Figure A6).
The major results of this research include: (a) The structuring of the General Board of R/O QHSE3+ (See Section 3.2, Figure 6, and Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14), (b) The configuration of the comprehensive R/O management model applicable to CMS QHSE3+ (See Section 3.3, and Figure 7 and Figure 8), (c) The parameterization of the integral management of R/O of CMS QHSE3+ (See Section 3.4, and Figure 9 and Figure 10), and (d) The general achievements obtained through the application of the model in different companies in terms of vulnerability reduction and energy efficiency (See Section 3.5 and Section 3.6).

3.2. General Directory of R/O Topics Regarding QHSE3+

One of the greatest difficulties that organizations may have in terms of R/O management is associated with the competencies of people to determine and unify the criteria for classifying R/O in their operations and interactions with different interest groups. Given this circumstance, an investigation of the R/O taxonomy was carried out, not only from the point of view of the families of the QHSE3+ norms and their approaches, but also from the perspective of management schools and the cases of companies that have a longer track record of risk management.
The conclusions reached by the work team after the two analyses, and later, during 2020, with the explicit incorporation of the topic of Biosafety, are as follows [13,23,24,35,38,48,51]:
To facilitate the application of the model, it is convenient to prepare a Matrix-Directory, which brings together the blocks of general topics associated with the R/O Management of companies. In this way, each company specifies its basic strategic R/O matrix and processes, based on the blocks of topics, which become a support tool.
From a general point of view, there will be R/O of external and internal origin. The external R/O come from the external environment of the company and have a direct impact on its operation and results. The internal R/O depend on the organization’s own management.
Within the categories of internal risks and opportunities, one can include, as illustrated in Figure 6, aspects related to: (i) Strategy, Business and Projects, (ii) Culture and Behavior, (iii) Decision Making, (iv) Conditions for Conformity Q, (v) Conditions for the Safety and Health of People HS, (vi) Conditions for Pollution Prevention and Environmental Protection E, (vii) Conditions for the rational use of Energy and Energy Efficiency E2, (viii) Conditions and resources for the adaptation of infrastructure, maintenance and cleaning of facilities and equipment, (ix) Conditions and resources for Planning, Infrastructure and Resources, Control and Development of ICT, (x) Financial and economic elements, which include the planning, management and results of financial resources, in addition to the applicable tax, fiscal and regulatory component; (xi) Other specialized topics.
There may be R/O simultaneously related to several QHSE3+ components, or external and internal topics. In the same way, for the integral biosafety management component that is part of the plus (+), it may be presented in many external and internal categories, such as strategy, culture, quality, safety, environment, infrastructure, financial elements, and even other specialized topics depending on the type of organization.
Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14 detail the topics related to the layers and particular items presented in Figure 7, for external R/O, and Layers I to IX of the internal R/O.

3.3. Conceptual Model for Comprehensive R/O Management Applicable to CMS QHSE3+

This section presents the approach of the model configured through the application of systemic design [11,91,95,96], taking into account the structural and functional elements, which are described in Section 3.3.1 and Section 3.3.2, and their parameterization in Section 3.4.
Figure 7 illustrates the set of the Comprehensive R/O Management Model, taking as a starting point the basic elements of the CMS QHSE3+ described in Table 2.

3.3.1. Structural Elements of the Comprehensive R/O Management Model in CMS QHSE3+

The following elements make direct reference to risk management:
The management nucleus has the first level of strategic risk management with product and business developments.
The operational planning QHSE3+ is carried out from the Operational Planning Breastplate of the Model, and includes planning processes, identification of R/O and determination of controls.
The Five QHSE3+ Arms apply what is planned and respond to incidents and moments of truth.
Figure 7 shows the sketch of 16 components of the model, and the deployment of ROBT in a transversal way throughout the entire system for its foundation and appropriation through Components 11–16.

3.3.2. Functional Approach of the R/O Model Applicable to CMS QHSE3+

Figure 8 illustrates the functional elements in the operation of the model, considering their visualization and interaction through a matrix of two inputs, which include four layers on the vertical axis: (1) Foundations in principles and values, (2) R/O strategic management, (3) QHSE3+ operational R/O management, and (4) complementary layer.
On the horizontal axis, there are four levels of planning and action: (a) directive planning, (b) operational planning (including projects, product development, and processes), (c) contingency and emergency plans, and (d) responsibility and response actions (i.e., containment and correction, feedback, and lessons learned).
The model matrix and its functional elements are analyzed below:
Layer 1. Foundation in Principles and Values: Thought, Awareness, and Action for Prevention
Transversal to the levels of planning and action, this layer includes the planning and development of strategies to develop skills and achieve the appropriation of the value of prevention associated with ROBT.
Layer 2. Management to Decide on Strategic R/O
This layer is divided into sublayers of change management to guarantee the integrity of the system, and a second sublayer to plan strategies according to each level:
o Executive: Market intelligence and the study of the context to formulate objectives, policies, projects, and strategic corporate plans.
o Operational: R/O analysis for the formulation and development of new businesses, products, and projects in line with the strategic purposes of change.
o Contingency: Cycle of decisions related to business continuity plan, biosecurity management, and emergency preparedness and response.
o Containment, Feedback, Responsibility, and Response: Response to performance and MMAE. Decisions and challenges of business reformulation, projects, and strategy.
Layer 3. Operational R/O Management QHSE3+
This layer considers the functions of business intelligence and the management of legal requirements, process planning, comprehensive biosafety management, nonconformity management, redefinition of control measures, and lessons learned vs. incidents and changes. It is divided into sublayers associated with each component of CMS QHSE3+, having the following at each of the levels:
o Executive: R/OBT in special projects. Decisions and deployment of the comprehensive management policy and others.
o Operational and Contingency: Application and adaptation of operational control plans and programs, emergency response, NC, and QHSE3+ incident management.
o Feedback, Responsibility, and Response: Lessons learned, knowledge, review of control measures, MMAE, and managerial review by component.
Layer 4. Other Measures for the Deployment of R/OBT
From the strategic level, this layer considers the R/O, evaluating business alternatives, alliances, or structural changes in the organization resulting from the decisions to be made. Internal control measures based on the COSO model, with feedback, auditing, and controls to guarantee the integrity of the resources and the integral generation of value, including economic results, are highlighted in a transversal way for energy efficiency [17,55,56,57,58,66,97,98,99].
Another complement is related to the development of competencies to make decisions and react appropriately and in a timely manner to events that lead to the presence of risk factors and dynamic opportunities, involving decisions in moments of truth or critical moments of change.

3.4. Parameterization of the Comprehensive R/O Management Model

Section 3.3.1 and Section 3.3.2 have made it possible to observe the breadth of comprehensive management in various aspects of external and internal R/O, considering the QHSE3+ components and their application in a transversal manner.
With the tools associated with the QHSE3+ risk types directory (Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14) and the R/O management conceptual model for CMS QHSE3+ with its functionality matrix (Figure 7 and Figure 8), significant progress is made in the visualization of R/O.
However, its generalized application requires a logical tool that facilitates its application, updating, and management in the processes, the strategic field, and the components in which this is required.
Figure 9 contains the flow that illustrates, step by step, the parameterization of the R/O management process associated with the model. From this parameterization, diagrammed with machine language identifying reports and outputs, it is possible to structure computer applications that are very useful for companies in terms of the transversal, agile, and systematic application of R/O management under unified criteria, support guides, listings, reports, and statistics.
In Figure 9, the parameterization considers 10 Steps (column on the left) in which the application context is initially defined, taking into account the definition of the scope of the system or exercise (Step 0), the components under analysis, and the list of objectives and processes (Step 1), and then proceeds to determine the priority processes based on the analysis of their incidence in the fulfillment of the requirements, obligations, strategic objectives, and the performance and success of the business (Steps 2, 3, and 4).
Next, the applicable R/O directory was determined by starting from the tool indicated in Section 3.2 and from each component, thus generating the list of the types of external and internal (R/O) by component QHSE3+ (Step 5). Based on the typology, a list of strategic R/O and QHSE3+ was determined and individualized, including those related to biosecurity and biosafety (Step 6).
In Step 7, an assessment of the R/O was carried out, which generates the R/O map and proceeds to establish the contingency plans, business continuity, and, in general, the plan of treatment, which takes into account the layers of prevention, control, reaction, mitigation, and change management (Step 8). The Plan must be monitored in terms of its execution and results.
In Step 9, the effectiveness of the plan was evaluated, and incidents and events related to the R/O of CMS QHSE3+ were monitored.
In Step 10, the residual risk and the changes in vulnerability were evaluated, and the cycle was resumed and reformulated according to the changes in the context.
Figure 10 represents an alternative set of criteria with which to perform the assessment of risks and opportunities R/O.

3.5. General Achievements and Benefits of the Research

The research gave rise to the following innovative products, which contribute to entrepreneurship and are available to companies and stakeholders:
The presentation of the concepts related to security and with the processes of risk management and intelligence for decision-making, through a graph that correlates, orders, and explains them, facilitating their study and analysis, in the context of management systems (See Figure 1, and Section 2.1.1).
The explicit incorporation of the comprehensive biosafety management and contingency and business continuity plans to the model (See numeral 2.3 with the comprehensive approach and concepts; Figure 4 with governance in crisis; Figure 6 with the application of the integration of requirements to biosecurity and biosafety; and continuity management and response to the pandemic in Figure A6).
The presentation of the requirements of ISO 50001 and the ISO QHSE3+ standards as best practices, whose application contributes to reducing vulnerability and enhancing energy improvement and efficiency. For this purpose, the HLS was applied, and illustrated by a diagram that allows us to appreciate its logic and integration, and the blocks of particular requirements for each component. See Section 2 and Section 3, and Figure 3, Figure 5 and Figure A4, as well as the reference support portal [13] with a comprehensive checklist of best practices QHSE3+.
The generation of six matrices that present the thematic structure, approach, and projections of the ISO 31000 families of standards, and QHSE3+, which include ISO 50000. In each matrix, explicit reference is made to the best practices which are most related to the integral management of risks for each component (Figure A1, Figure A2, Figure A3, Figure A4 and Figure A5).
The matrix “General Directory of topics for R/O QHSE3+”, which is a very useful and practical tool to make the inventory for R/O of companies. See 3.2 and Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14.
The configuration of the R/O comprehensive management conceptual model with an energy performance perspective through the application of systemic design, which facilitates the logical and didactic presentation of its structural and functional elements. See Section 3.3.1 and Section 3.3.2, and Figure 7 and Figure 8.
The validation of the parametrization flow of the model as a base instrument with which to structure computer applications that support the administration of R/O comprehensive management in organizations. See Section 3.4 and Figure 9 and Figure 10.
The model and its tools were tentatively applied in six companies, where their practical utility and the benefit of their simple and logical approach were ratified to visualize and understand their structure, functionality, and operation. With one of the companies, it was possible to apply the model, considering the strategic and operational components in relation to business continuity and COVID-19. See Paragraph 3.6 and Figure A7.
The achievements and results obtained will determine the course of research and subsequent actions to expand the generated instruments and promote sustainable success.

3.6. Results Obtained in Terms of Energy Efficiency and Vulnerability Reduction

3.6.1. Characteristics and Profile of the Companies in which the Preliminary Validation was Made

Figure 11 presents the characteristics and profiles of six companies located in Colombia, in the Departments of Atlántico, La Guajira and Cundinamarca, where the preliminary application of the CRM Model was made, and the complete cycle of identification of R/O and of the formulation and implementation of actions to respond and address the R/O, within the framework of consulting projects for the consolidation of its Comprehensive Management Systems.
The profile includes the comprehensive approach of the Management System, the status of accreditation or certification of its QHSE3+ components, and the existence of Business Continuity Plans or Emergency and Contingency Plans.
All the companies have CMS based on the certified quality component and a strategic approach, which determines the priorities of each business directed to address strategic and operational R/O, giving priority to accreditation in the health sector in the case of the hospital and clinic, and in all cases, to the QHSE3+ risk components and the regulatory obligations of each sector.
Although no company is certified in E2, 1 is certified in HS, and 3 are certified in the environmental component E, all made positive progress in the application of best practices and decided to be certified in the components indicated in Figure 11, according to their priorities and market interests.
Particularly, in the “+” component of additional risks, all companies applied good information security practices and the physical and logical security of their platforms, under the R/O ICT approach in accordance with ISO 27001:2013. On the other hand, two were certified in the BASC component, and 1 in ISO 22000:2018.

3.6.2. Presentation and Analysis of the Results Obtained

Figure 12 and Figure 13 summarize the results obtained in the R/O management as of December 2019 considering the contribution of opportunity management in achieving the objectives and the reduction of vulnerability for each QHSE3+ component.
Some values result from projections and assumptions that were raised from the companies to consider force majeure stops or external factors that generate distortion in the handling of data. The 2020 records are not included, given their irregularity due to the confinement. Here are the most relevant aspects:
A. Functionality of the Model and Appropriation of ROBT.
o In the six organizations, the correct functionality of the model and the incidence indicators for the management of opportunities and the reduction of vulnerability were ratified.
o The model applied and the tools that support it facilitate the management of the cycle of identification, analysis, evaluation, formulation of actions, monitoring, requalification, and reformulation of R/O through the key questions and the parameterization sequence.
o In companies in which prevention and ROBT were adopted as a fundamental principle and value, it was much easier to ensure systematic continuity in the application of the model.
B. Incidence of Opportunity Management in the Achievement of Strategic Purposes (Rows in Item 1).
o The indicator of the incidence of opportunity management in the achievement of the objectives was valued from the different processes and positions with direct responsibility in the projects and associated actions, from the estimated average percentage of the incidence of each relevant opportunity considered, with evaluations agreed upon between the management and specific managers.
o The average of the indicator of incidence was between 12% and 36% in the six companies. The opportunities were related to ICT innovation and updating, the development of new products, new markets and businesses, renovation and investment in equipment, infrastructure and new facilities, development of new alliances, and human talent.
C. Vulnerability Reduction for Strategic and Quality Risks Q (Rows of Items 2 and 3)
o The reduction in vulnerability is calculated as the percentage of risk reduction after the application of the measures in the period to be calculated, as indicated in the algorithm of the definition in Section 2.1.1, which is set out again below:
$$\%DismVul = \frac{\sum_{i=1}^{n} P_{oi}\,G_{oi} - \sum_{i=1}^{n} P_{fi}\,G_{fi}}{\sum_{i=1}^{n} P_{oi}\,G_{oi}}$$
where DismVul denotes the percentage decrease in vulnerability after implementing antirisk measures, $P_{oi}$ and $G_{oi}$ are the initially assessed possibility and gravity, respectively, and $P_{fi}$ and $G_{fi}$ are the final possibility and gravity, respectively, after adopting the planned measures.
o The reduction of vulnerability was between 8.5 and 27% in terms of strategic and quality risks related to vulnerability due to new requirements of corporate clients, liquidity and portfolio recovery, noncompetitive rates and costs, low call and market response, infection risks, and the high incidence of patients who migrate.
D. Vulnerability Reduction for HS Risk (Rows of Items 4 and 5)
o The reduction of vulnerability in the risks of the HS component was between 8.7% and 16.5%. The related risks include chemical products, noise levels, exposure to chemical, physical, and biological agents, contaminated waste management, particulate material, work at heights and in confined spaces, and thermal discomfort.
E. Reduction of Vulnerability for Risks E. (Rows of Items 6 and 7)
o The reduction of vulnerability in the risks of component E was between 9.4% and 23%. The risks include consumption of natural resources such as raw materials, consumption and contamination of water, noise and vibrations, hydrocarbon spills, generation of dumping and contaminated waste, and handling and manipulation of chemicals and hazardous waste.
F. Reduction of Vulnerability in Terms of E2 (General—Rows of Items 8 and 9)
o The reduction of vulnerability in the risks of component E2 was between 9.4% and 16.4%. The risks concern losses and higher consumption due to the non-optimal management of heat and cold, losses and greater consumption due to the lack of lighting savings, and high consumption of fuel and energy in the logistics operations of the supply chains (see Section H).
G. Reduction of Vulnerability in other components of Additional R/O (+) (Row 10)
In this block, three factors stand out:
Information security: Physical damage to hardware, deterioration of software, limitations in availability, access, and integrity of information, cyberattack on networks and channels, inconsistencies and deactivation of computer applications, and infrastructure.
Food safety: Cross-contamination by the nonapplication of best practices or the presence of pigeons, rodents, and other pests in loading, unloading, and storage.
BASC: Physical integrity of cargo for violation of container security.
H. Recent Developments in E2 Management
o Compensation Fund
(i). Basic energy-saving program in all its locations, (ii). Automatic control and programming of conditioning and refrigeration, (iii). Improvements in insulation to optimize refrigeration in cold rooms, (iv). Campaigns, training, and supervision, (v). Automation of energy control in accommodation, (vi). Automatic control and savings alternatives with adaptation of roofs, (vii). Optimization in ventilation and cooling, (viii). Luminaire change and automatic control, (ix). Reduction in per capita energy consumption (2019 vs. 2018): 8.1%.
o Municipal Hospital
(i). Savings program in all processes, (ii). Network design optimization, (iii). Automation of lighting and air conditioning, (iv). Use of secondary sources of natural light and solar panels, (v). Optimization of ventilation and conditioning systems in hospital and care areas, (vi). Conditioning and isolation in cold areas, (vii). Control of energy use in washing, sanitation, and patient care, (viii). Maintenance and adaptation of boilers and cold equipment, (ix). MMAE of monthly consumption vs. daily bed occupations, (x). Reduction in per capita energy consumption (2019 vs. 2018): 18.2%.
o Clinic (Health Services)
(i). Water- and energy-saving plan in all processes, (ii). MMAE of consumption and baseline, (iii). Redesign and application of intelligent lighting and air conditioning systems, (iv). Insulation of “hot” pipes, walls and ceilings, (v). Optimization of ventilation, conditioning, and refrigeration of clinical and service areas, (vi). Campaigns to position values and achieve the systematic application of best practices, (vii). New eco-efficient engine room and boilers, (viii). Reduction of energy losses due to transformation, adaptation of boilers and chillers, (ix). MMAE of monthly consumption vs. daily bed occupations, (x). Reduction in per capita energy consumption (2019 vs. 2018): 20.3%.
o Pharmaceutical Laboratory
(i). Savings and consumption reduction plan in all lines and pharmaceutical forms, (ii). Redesign of processes and product lines with lower energy consumption, (iii). MMAE on plans to reduce use and savings, (iv). Isolation of white areas and warehouses, (v). Redesign of networks and facilities with intelligent air and lighting systems, (vi). Optimization and maintenance of ventilation and conditioning of gray areas, (vii). Training and disciplinary measures for the continuity in the application of good practices, (viii). Replacement of obsolete equipment for eco-efficient conversion (with investment incentive), (ix). Devices on doors and windows to prevent leaks, (x). Cleaning and replacement of filters in air conditioning units, (xi). Reduction in per capita consumption (2019 vs. 2018): 12.2%.
o Port Operation and Logistics Services
(i). Winery savings program, (ii). MMAE on consumption reduction and savings, (iii). Incorporation of energy efficiency in the strategy, (iv). Training, supervision, and measures to apply good practices for E2, (v). Substitution of fuels and development of alternative mixtures (reduction of carbon footprint and consumption of kilowatt-hour per container), (vi). Greater control over own and subcontracted consumption, (vii). Measurement and reduction of electricity and heat losses, (viii). Planning, execution, and control of maintenance and renewal of obsolete equipment, (ix). Efficient lighting, (x). Reduction in per capita energy consumption (2019 vs. 2018): 15.2%.
o Manufacturing (Glass Containers)
(i). Global corporate savings program with an emphasis on oven and training, (ii). MMAE on consumption reduction and savings, (iii). 10-year global strategic challenge to reduce consumption by 50%, (iv). Campaigns, training, and supervision for E2, (v). Planning, mastery of standardization, and control in setup and operation of furnaces, (vi). Eco-efficient packaging design, (vii). Automatic control and energy-saving alternatives in lighting (natural and solar panels), (viii). Optimization in ventilation and conditioning, (ix). Reduction of consumption in the supply chain, (x). Reduction in per capita energy consumption (2019 vs. 2018): 10.2%.
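The %DismVul calculation defined in item C, applied per QHSE3+ component to a small risk register, is shown here as an added example that is not part of the original article. The register values are constructed, and the 1-5 scale for possibility and gravity and the names `Risk`, `dism_vul`, `by_component` and `worsened` are assumptions made for the illustration; the criteria of Figure 10 are not reproduced.

```python
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1-5 ordinal scale for possibility and gravity


@dataclass(frozen=True)
class Risk:
    component: str  # QHSE3+ component: "Q", "HS", "E", "E2" or "+"
    topic: str
    p_o: int  # Po: possibility assessed before the measures
    g_o: int  # Go: gravity assessed before the measures
    p_f: int  # Pf: possibility after the planned measures
    g_f: int  # Gf: gravity after the planned measures

    def __post_init__(self):
        # Reject scores outside the assumed scale instead of silently using them.
        for name in ("p_o", "g_o", "p_f", "g_f"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.topic}: {name} is outside the 1-5 scale")

    @property
    def initial(self):
        return self.p_o * self.g_o

    @property
    def final(self):
        return self.p_f * self.g_f


def dism_vul(risks):
    """(sum Po*Go - sum Pf*Gf) / sum Po*Go, returned as a fraction.

    A negative result means the assessed vulnerability increased.
    """
    risks = list(risks)
    initial = sum(r.initial for r in risks)
    if initial == 0:
        raise ValueError("no initial exposure: the ratio is undefined")
    return (initial - sum(r.final for r in risks)) / initial


def by_component(risks):
    """Percentage reduction per QHSE3+ component, rounded to one decimal."""
    groups = defaultdict(list)
    for r in risks:
        groups[r.component].append(r)
    return {c: round(100 * dism_vul(rs), 1) for c, rs in groups.items()}


def worsened(risks):
    """Topics whose residual Pf*Gf exceeds the initial Po*Go."""
    return [r.topic for r in risks if r.final > r.initial]


# Constructed register: topics are taken from the article's lists of risks,
# the scores are illustrative values and not the companies' data.
REGISTER = [
    Risk("+", "Cyberattack on networks and channels", 4, 5, 3, 5),
    Risk("+", "Limitations in availability, access, and integrity of information", 3, 4, 2, 4),
    Risk("+", "Physical damage to hardware", 2, 3, 2, 4),
    Risk("E2", "Non-optimal management of heat and cold", 4, 3, 3, 3),
    Risk("E2", "Lack of lighting savings", 3, 2, 2, 2),
    Risk("HS", "Work at heights and in confined spaces", 2, 5, 2, 4),
    Risk("HS", "Noise levels", 3, 3, 3, 3),
]

if __name__ == "__main__":
    for component, pct in by_component(REGISTER).items():
        print(f"{component:>2}: {pct:5.1f}% reduction in vulnerability")
    print(f"all: {100 * dism_vul(REGISTER):5.1f}%")
    print("worsened:", worsened(REGISTER))
```

A component-level figure can be positive while one of its risks has worsened, which is why `worsened` is reported alongside the aggregate.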

4. Conclusions

We present a conceptual model for comprehensive R/O management and the tools to facilitate its application. This includes the results obtained and references to best practices for the deployment and application of the model, from Appendix A.1, Appendix A.2, Appendix A.3, Appendix A.4, Appendix A.5, Appendix A.6, Appendix A.7 and Appendix A.8.
The concepts associated with intelligence for decision-making and security were incorporated into the conceptual and principles framework of the model, from the perspective of the US Department of Homeland Security lexicon (Section 2.1), as well as the concepts and best practices related to biosafety management and business continuity plans (Section 2.3). In this way, the perspective was broadened, adjusting the approach to the dynamic context.
The integration of model requirements was carried out from the identification of the requirements common to each component according to the approach of the HLS [87,88,89,90], as illustrated in Figure 6 (Section 2.4), where the additional specific topics of each component were identified, and an analysis of the application of these requirements to the comprehensive biosafety management was carried out. On the reference support portal [13], the authors provided a checklist associated with these requirements in terms of best practices available to the public.
The model was configured using a graphic illustration and a matrix, which present the structural and functional design of each component, considering the different levels of planning and action, and the layers in which ROBT is deployed within CMS QHSE3+ (Section 3.2).
Two key tools were designed to support and facilitate the application of the CRM Model: the matrix-directory for the classification of risk topics, and the parameterization of the ten stages of the process, i.e., definition of the context, determination of the scope, prioritization vs. objectives and processes, identification and assessment of R/O, formulation, execution, and follow-up in the execution of the plan, evaluation of residual risk and restart of the cycle.
Holistic and strategic management gives an integral character to the system, which is not a simple combination or addition of components. CMS QHSE3+ is the harmonious integration of an organization’s processes and projects focused on the achievement of the strategic purposes of the business in the path toward sustainable success. For this purpose, the comprehensive management of R/O is a fundamental tool. The importance of the management of competencies and culture is highlighted to promote and advance the individual and collective appropriation of the values related to the alignment between thought, conscience, and action, i.e., to take care of yourself, take care, and protect the integrity of resources and the health of people and the organization.
The development of culture and competencies must translate into the management of energy efficiency, biosafety, and the development of products, businesses, and processes being systematically reflected in the business continuity plans, maps, and R/O management plans of the business lines, corporate projects, and processes of the organization, and therefore, in the axes and strategic and tactical actions of the organization.
With the application of the model and its tools, the results described in Section 3.4 were obtained, which confirmed the validity of the approach, its applicability and contribution to any type and size of organization, and the need to face the challenges of the future.
A community of consultants, teachers, entrepreneurs, workers, and researchers related to CMS QHSE3+ will continue to develop tools and strategies to particularize the progress already made in a sectorial way and promote the massification and generalized use of best practices for project management, energy efficiency, and comprehensive management for sustainable success.
In practice, the application of the model and its effective implementation is limited by the need to particularize and detail the tools for different sectors of the business activity, which constitute possible future lines of research. Another limitation is associated with the development of creative, analytical, and abstract thinking, and with the strengthening of the discipline, culture and organization of leaders and process managers, who become key actors in intelligence management and the strategic and operational decision making of businesses.
From a technological point of view, there are also limitations generated by the difficulties of compatibility between interfaces of the information systems and process control, and the changes in priorities in the strategic approach to ICT developments.
Notwithstanding the above, the figures and results show that in SMEs, this is possible. The facts support and confirm that investment and efforts are recovering significantly, also observing that there may be a behavior curve where the reduction of vulnerability is greater in the first periods.

Author Contributions

Conceptualization, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Methodology, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Validation, P.P.P.-O. and G.C.-Z.; Formal analysis, A.P.-R. and P.P.P.-O.; Investigation, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Data curation, A.P.-R. and P.P.P.-O.; Writing—original draft preparation, P.P.P.-O.; writing—review and editing, P.P.P.-O., J.C.G.-D., A.P.-R., and G.C.-Z.; Visualization, A.P.-R. and G.C.-Z.; Supervision, P.P.P.-O., J.C.G.-D. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Acknowledgments

We express our gratitude for the support from Cajacopi Atlántico, QUARA Technology, ASTEQ Technology, Universidad Simón Bolívar, Universitat Politècnica de València and to all the personnel and companies who offered us their contributions and their valuable points of view.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

ANSI: American National Standards Institute
BASC: Business Anti-Smuggling Coalition
BMBL: Biosafety in Microbiological and Biomedical Laboratories
CDC: Centers for Disease Control and Prevention (USA)
CEM: Clean Energy Ministerial
CMS: Comprehensive Management System
Component E–14k: Environmental Management—ISO 14001
Component E2–50k: Energy Efficiency Management—ISO 50001
Component HS–45k: Health and Safety Management Component—ISO 45001
Component Q–9k: Quality Management Component—ISO 9001
CRM: Comprehensive risk management
E2: Energy efficiency
EMAS: Eco-Management and Audit Scheme
EnB: Energy Baseline
EnMS: Energy Management System
EnPI: Energy Performance Indicators
GMP–FDA: Good Manufacture Practices–Food and Drug Administration
HLS: High-Level Structure
ICT: Information and Communication Technologies
IDB: Inter-American Development Bank
ILO: International Labor Organization
INSST: National Institute for Occupational Safety and Health (In Spain)
IPEEC: International Partnership for Energy Efficiency Cooperation
ISO: International Organization for Standardization
ISO DIS: ISO Draft International Standard (DIS)
ISO FDIS: ISO Final draft International Standard (FDIS)
ISO TR: Technical Report of ISO.
IEC: International Electrotechnical Commission
ISO/TC: Technical Standardization Committee
ISPS: International Ship and Port Facility Security
KPI: Key Performance Indicators
MMAE: Monitoring, Measurement, Analysis and Evaluation
NBICE: Convergence of Nano-Bio-Info-Cogno-Eco technologies
OHSAS: Occupational Health and Safety Assessment Specification
PDCA: Cycle Plan—Do—Check—Act, or Plan—Do—Check—Adjust
PMBOK: Project Management Body of Knowledge
PMI: Project Management Institute
QHSE3+: Quality, Safety and Health in the workplace, Environmental management, Energy Efficiency, and other risk components
R/O: Risks and opportunities
ROBT: Risks and Opportunities R/O–Based Thinking
rdis: International Design Research Network
SA/SNZ HB: Handbook edited by National Standardization Organizations of Australia and New Zealand.
SMEs: Small and medium-sized enterprises
UNIDO: United Nations Industrial Development Organization
WBS: Work Breakdown Structure
WHO: World Health Organization

Appendix A

In Figure A1, the characteristics and structure of the family of ISO 31000 standards are presented, which include: The ISO IEC 73 Guide with the vocabulary, supplemented by Section 3 of ISO 31000:2018, which also contains, as the main axis of the family, the principles and guidelines, the frame of reference, and the process for risk management. As complementary standards, reference is made to the ISO TR 31004:2013 Implementation Guide and the ISO 31010:2019 Guide.
Figure A2, Figure A3, Figure A4 and Figure A5, with a cutoff date of August 2020, present a logic similar to that indicated here, adding in some cases the standards that are in the process of development, given their relevance in terms of the contribution in best practices for planning and risk management in QHSE3+ components.
Figure A5 includes the ISO 50000 Family on E2, and in Appendix F, the illustration of the crisis management approach and strategic business continuity plan for the case of a family compensation fund in the event of the contingency generated by confinement and COVID-19.
Figure A6 presents the global approach for governance, biosafety + biosecurity, and the business continuity plan. In Section 2.3 and Figure 4, the concepts, scope, and needs related to the objectives of comprehensive biosafety and biosecurity management are illustrated. In numerals 2.4 and 3.1, it is observed how this management is articulated within the components of CMS QHSE3+, and the typology of related risks. In the description of the comprehensive R/O management model (Section 3.2), an implicit reference is made to the strategic, operational, and human management for biosafety + biosecurity, contingencies, and business continuity plans. Figure A6 illustrates the strategic and operational approach in one of the 6 companies in which the model was validated: The Family Compensation Fund.
Figure A7 presents the chronological and historical milestones related to the development of technology, QHSE3+ standards, and musical and artistic expression.
Figure A8, Figure A9, Figure A10, Figure A11, Figure A12, Figure A13 and Figure A14 included in Appendix A.8, present the details of the classification of the different risk topics, for the layers considered in Section 3.2, starting from Figure 6.

Appendix A.1

Figure A1. Approach and Logical Structure of the ISO 31000 Family of Standards. [14,20,50,51,65,66].

Appendix A.2

Figure A2. Approach and Logical Structure of the ISO 9000 Family of Standards [16,25].

Appendix A.3

Figure A3. Approach and Logical Structure of the ISO 45000 Family of Standards [26,60,64].

Appendix A.4

Figure A4. Approach and Logical Structure of the ISO 14000 Family of Standards [27,31].

Appendix A.5

Figure A5. Approach and Logical Structure of the ISO 50000 Family of Standards [28,52,53,54,55,99].

Appendix A.6

Figure A6. Strategic and Operational Approach to Biosafety and Biosecurity Continuity Plan. [50,51,65,66].

Appendix A.7

Timeline in Technology Development, QHSE3+ Standards and expression
By observing the chronological development of different techniques of know-how and their deployment in daily life and work, construction, or manufacturing, or by analyzing the development of schools of control, quality assurance, and total quality, among others, the emergence of a large number of standards on management systems can be observed.
In all cases, what has been standardized or established by agreement as the best solution at scale is fundamentally a set of requirements, known as best practices: the key tricks for carrying out activities with a lower possibility of failure.
At the beginning, these good practices are the best-kept secrets of families, transmitted from parents to children by oral tradition. Later, they become the teachings passed from artisans within the family, or from teacher to apprentice, and finally become the knowledge and know-how, or the heritage, of a conglomerate, an ethnic group, or a particular group.
The reality is that, in one way or another, this knowledge has always been consolidated as a set of best practices that focus on reducing the different types of risks linked to failures, noncompliances, malfunctions, ineffective performance, or conditions of vulnerability.
Figure A7 summarizes the chronological milestones in the development of energy, knowledge, techniques, and concepts of quality (Q-ISO 9001, Family 9k), occupational health and safety (HS-ISO 45001, Family 45k), environmental management (E- ISO 14001, Family 14k), energy efficiency (E2-ISO 50001, Family 50k), risk management (ISO 31000 Family 31k), and standards on business continuity plans.
This illustration comprehensively takes into account relevant actors, milestones, and parallel axes of significant events in the history of humanity, and with it, the history of art, music, technology, and mega-projects. The development of best practices is also associated with risk management in the history of mankind, the development and expansion of the frontier of knowledge, expression, significance, and the development of administrative thinking.
In Figure A7, this approach is illustrated in detail, considering the chronology of the development of management systems in correlation with key milestones in the history of energy, humanity, and artistic expression, and combined with the projections, the convergent developments in NBICE technology [13,100] and its implications for businesses are on the horizon.
Most of the approaches formulated in each of the requirements and best practices standards had a foundation generated well before the publication of the reference models in question, and this was taken into account directly and indirectly when formulating the concepts, definitions, blocks of terms and requirements, and guidelines for application and specific topics that lead the topics within the TC ISO Technical Commissions.
This is illustrated in the lower right area referring to each TC of the families of standards (See Figure A1, Figure A2, Figure A3, Figure A4 and Figure A5), which develop each component of the QHSE3+ model and indicate the years in which the successive reviews were carried out.
The ISO 22313: 2020 Standard (guide for the application of ISO 22301: 2018 on business continuity management) has been added, as well as ISO 22320: 2018 on incident management, developed from TC 292, Security and Resilience, given its importance to support management systems and respond to crises and contingencies associated with COVID-19 or other types of emergencies.
Figure A7. Timeline in the development of QHSE3+ standards in correlation with the milestones of humanity [13,100].

Appendix A.8

Classification matrix of topics related to external and internal R/O
Figure A8. Classification matrix of topics related to external R/O. [14,51,65,101].
Figure A9. Classification matrix of topics related to internal R/O. Layer I: I1 to I.4. [14,51,65,101].
Figure A10. Classification matrix of topics related to internal R/O. Layer II: I.5. [25,48,50,65].
Figure A11. Classification matrix of topics related to internal R/O. Layer III: I.6. [25,48,50,65].
Figure A12. Classification matrix of topics related to internal R/O. Layer IV: I.7. [27,40,47,56].
Figure A13. Classification matrix of topics related to internal R/O. Layer V: I.8, and Layer VI: I.9 [11,28,52,53,54,55,99].
Figure A14. Classification matrix of topics related to internal R/O. Layers VII: I.10, VIII: I.11 and IX: I.12 [17,29,30].

References

  1. Organization for Economic Co-Operation and Development OECD. SDBS Business Demography Indicators. 6 September 2018. Available online from OECD. Available online: https://stats.oecd.org/index.aspx?queryid=70734 (accessed on 30 June 2020).
  2. Organization for Economic Co-Operation and Development OECD. The World Economy on a Tightrope. OECD Economic Outlook, June 2020. Latest Economic Projections. 24 June 2020. Available online: http://www.oecd.org/economic-outlook/ (accessed on 28 June 2020).
  3. DG GROW. Strategic Plan 2016–2020. Bruxelles: CEE. 2017. Available online: www.https://trade.ec.europa.eu/doclib/docs/2016/august/tradoc_154919.pdf (accessed on 26 June 2020).
  4. Zapata, E. SMEs, and Their Business Problems. Case Analysis. School of Business Administration Magazine. Vol. September–December 2004, No. 52. pp. 118–135. (In Spanish). Available online: https://www.redalyc.org/pdf/206/20605209.pdf (accessed on 20 October 2020).
  5. Muñoz, P. The distinctive importance of sustainable entrepreneurship. CUOCIEnt 2013, 2, 1–6.
  6. Parrish, B.D. Sustainability-driven entrepreneurship: Principles of organization design. J. Bus. Ventur. 2010, 25, 510–523.
  7. The Standish Group. Chaos Report 2015. Available online: http://www.laboratorioti.com/2016/05/16/informe-del-caos-2015-chaos-report-2015/ (accessed on 25 June 2020).
  8. Arévalo, G. Cluster Support Programs in Latin America: Lessons Learned from the IDB Experience. Fourth Latin American Cluster Congress; CLAC TCI-Mendoza Government: Mendoza, Argentina, 2009; pp. 1–16, (In Spanish). Available online: https://publications.iadb.org/es/publicacion/15838 (accessed on 24 June 2020).
  9. Fernández, V.; Vigil, J. Clusters, and territorial development. Theoretical review and methodological challenges for Latin America. Econ. Soc. Y Territ. 2007, 6, 859–912.
  10. Kottler, P.; Lane, K. Dirección de Marketing. Ciudad de México: Pearson and Prentice Hall, 12a Edición. 2009. Available online: http://biblio.econ.uba.ar/opac-tmpl/bootstrap/tc/148262_TC.pdf (accessed on 20 October 2020).
  11. Poveda-Orjuela, P.P.; García-Díaz, J.C.; Pulido-Rojano, A.; Cañón-Zabala, G. ISO 50001: 2018 and its application in a comprehensive Management System with an Energy-Performance Focus. Energies 2019, 12, 4700.
  12. Godet, M. The Art of Scenarios and Strategic Planning: Tools and Pitfalls. Technol. Soc. 2000, 65, 3–22.
  13. Poveda, P.; Cañón, G. Guide for Integral Risk Management. Understand, Decide and Act Intelligently for Sustainable Success; ICONTEC: Bogotá, Colombia, 2015; ISBN 9789588585512. (In Spanish)
  14. ISO. ISO 31000:2018. Risk Management—Guidelines; ISO/IEC: Geneva, Switzerland, 2018.
  15. Davidson Institute (DI). Continuity Planning for Your Business. 2020. Available online: https://www.westpac.com.au/content/dam/public/wbc/documents/pdf/help/disaster/WBC_business_continuity_planning_covid-19_checklist.pdf (accessed on 25 June 2020).
  16. ISO. ISO 9000:2015, QMS—Fundamentals and Vocabulary; ISO/IEC: Geneva, Switzerland, 2015.
  17. ISO/IEC. ISO/IEC 27001:2013, Information Technology-Security Techniques-Information Security Management Systems—Requirements; ISO/IEC: Geneva, Switzerland, 2013.
  18. EY. COVID-19: Five Ways to Maintain Continuity and Reshape for Resilience. 2020. Available online: https://www.ey.com/en_be/transactions/companies-can-reshape-results-and-plan-forcovid-19-recovery (accessed on 27 June 2020).
  19. US Department Homeland Security. DHS Risk Lexicon; US Department Homeland Security: Washington, DC, USA, 2008.
  20. ISO. GUIDE 73:2009, Risk Management—Vocabulary; ISO/IEC: Geneva, Switzerland, 2009.
  21. Aven, T. The risk concept—Historical and recent development trends. Reliab. Eng. Syst. Saf. 2012, 99, 33–44.
  22. Oliva, F.L. A maturity model for enterprise risk management. Int. J. Prod. Econ. 2016, 173, 66–79.
  23. Paraschivescu, A.O. Risk and quality management. An integrate approach. ETC 2016, 19, 55–61.
  24. Aven, T.; Zio, E. Some considerations on the treatment of uncertainties in risk assessment for practical decision making. Reliab. Eng. Syst. Saf. 2011, 96, 64–74.
  25. ISO. ISO 9001:2015, QMS—Requirements; ISO/IEC: Geneva, Switzerland, 2015.
  26. ISO. ISO 45001:2018, Occupational Health and Safety Management Systems—Requirements; ISO/IEC: Geneva, Switzerland, 2018.
  27. ISO. ISO 14001:2015, Environmental Management Systems—Requirements with Guidance for Use; ISO/IEC: Geneve, Switzerland, 2015.
  28. ISO. ISO 50001:2018. Energy Management Systems—Requirements with Guidance for Use; ISO/IEC: Geneva, Switzerland, 2018.
  29. ISO. ISO 22000:2018, Food Safety Management Systems—Requirements for Any Organization in the Food Chain; ISO/IEC: Geneva, Switzerland, 2018.
  30. ISEC LTD-ISO/IEC JTC1/SC 27. The ISO 27k Forum. 2018. Available online: https://www.iso27001security.com/html/iso27000.html (accessed on 1 June 2019).
  31. ISO. ISO 26000:2010, Guidance on Social Responsibility; ISO/IEC: Geneva, Switzerland, 2018.
  32. ISO/IEC. ISO/IEC 13273—1:2015, Energy Efficiency and Renewable Energy Sources—Common International Terminology—Part 1: Energy Efficiency; ISO/IEC: Geneva, Switzerland, 2015.
  33. ISO/IEC. ISO/IEC 13273—2:2015, Energy Efficiency and Renewable Energy Sources—Common International Terminology—Part 2: Renewable Energy Sources; ISO/IEC: Geneva, Switzerland, 2015.
  34. Kaya, I. Perspectives on Internal Control and Enterprise Risk Management. Eurasian Bus. Perspect. 2018, 8, 379–389.
  35. Barafort, B.; Mesquida, A.-L.; Mas, A. Integrating risk management in IT settings from ISO standards and management systems perspectives. Comput. Stand. Interfaces 2017, 54, 176–185.
  36. Aven, T. Risk assessment and risk management: Review of recent advances on their foundation. Eur. J. Oper. Res. 2016, 253, 1–13.
  37. Thekdi, S.; Aven, T. An enhanced data-analytic framework for integrating risk management and performance management. Reliab. Eng. Syst. Saf. 2016, 156, 277–287.
  38. Aven, T.; Zio, E. Foundational Issues in Risk Assessment and Risk Management. Risk Anal. 2014, 32, 1164–1172.
  39. Krohn, B.; Aven, T. A new perspective on how to understand, assess and manage risk. Reliab. Eng. Syst. Saf. 2014, 121, 1–10.
  40. Labodová, A. Implementing integrated management systems using a risk analysis-based approach. J. Clean. Prod. 2004, 12, 571–580.
  41. Bitar, S. World trends and the future of Latin America; ECLAC UNIDO, 2016–Public Management Series, No 85. ISSN 1680-8827, LC/L.4246 LC/IP/L.348. (In spanish). Available online: https://repositorio.cepal.org/bitstream/handle/11362/40788/S1600740_es.pdf?sequence=1&isAllowed=y (accessed on 19 August 2020).
  42. Baena Paz, G. Political Prospective. Guide for Your Understanding Comprehension and Practice; PAPIME Project; Universidad Nacional Autónoma de México: Mexico City, Mexico, 2015; (In Spanish). Available online: https://lideresdeizquierdaprd.files.wordpress.com/2015/11/prospectiva_politica_guia_para_su_comprension_-y_practica_guillermina_baena.pdf (accessed on 9 August 2020).
  43. Budhi, M.; Lestari, N.; Suasih, N.; Wijaya, P. Strategies and policies for developing SMEs based on creative economy. Manag. Sci. Lett. 2020, 10, 2301–2310.
  44. ILO International Labour Organization. Prevent and Prepare for Pandemics. Business Continuity Planning. Guidelines for Small and Medium-Sized Enterprises; ILO Programme on Crisis Response and Reconstruction; ILO/Crisis: Geneva, Switzerland, 2009; ISBN 9789221228295. Available online: https://www.ilo.org/wcmsp5/groups/public/---ed_emp/documents/publication/wcms_115048.pdf (accessed on 19 July 2020).
  45. Tsuyoshi, K. Protecting Your Employees and Business from Pandemic Human Influenza: Ministry of Labour; ILO: Bangkok, Thailand, 2009; ISBN 9789221219491. Available online: https://www.ilo.org/wcmsp5/groups/public/---asia/---ro-bangkok/documents/publication/wcms_101422.pdf (accessed on 28 June 2020).
  46. Melly, D.; Hanrahan, J. Tourism biosecurity risk management and planning: An international comparative analysis and implications for Ireland. Tour. Rev. 2020.
  47. ILO International Labour Office. Multi-hazard Business Continuity Management: Guide for Small and Medium Enterprises; Programme for Crisis Response and Reconstruction (ILO/CRISIS); ILO: Geneva, Switzerland, 2012; ISBN 9789221265337. Available online: http://www.oit.org/wcmsp5/groups/public/---ed_emp/documents/instructional material/wcms_187875.pdf (accessed on 7 June 2020).
  48. ANDI, National Association of Industrialists. Guide for Business Continuity during COVID-19. (In Spanish). 2020. Available online: http://www.andi.com.co/Uploads.pdf (accessed on 15 June 2020).
  49. Matisse, H. La Danse, 1910. Musee de l’Hermitage, Saint-Pétersbourg, Russie. Consulté le 28 Juillet 2020. Available online: https://www.hermitagemuseum.org/wps/portal/hermitage/ (accessed on 28 July 2020).
  50. ISO. ISO 22320:2018. Security and Resilience—Emergency Management—Guidelines for Incident Management; ISO/IEC: Geneve, Switzerland, 2018.
  51. ISO. ISO 22301:2019 “Security and Resilience—Business Continuity Management Systems—Requirements”; ISO: Geneva, Switzerland, 2019.
  52. ISO. ISO 50004:2014 Energy Management Systems. Guide for the Implementation, Maintenance, and Improvement of an EnMS; ISO/IEC: Geneve, Switzerland, 2014.
  53. ISO. ISO 50006: 2014 Energy Management Systems—Measuring Energy Performance Using Energy Baselines (EnB) and Energy Performance Indicators (EnPI)—General Principles and Guidance; ISO/IEC: Geneve, Switzerland, 2014.
  54. ISO. ISO 50015: 2014 Energy Management Systems—Measurement and Verification of Energy Performance of Organizations—General Principles and Guidance; ISO/IEC: Geneve, Switzerland, 2014.
  55. ISO. ISO 50047: 2016 Energy Savings—Determination of Energy Savings in Organizations; ISO/IEC: Geneve, Switzerland, 2016.
  56. Uriarte, R.; Gil, M.; Valenzuela, J.; Ceballos, J. Methodology for the successful integration of an Energy Management System to an Operational Environmental System. Sustainability 2017, 9, 1304.
  57. Cosgrove, J.; Littlewood, J.; Wilgeroth, P. Development of a framework of key performance indicators to identify reductions in energy consumption in a medical devices production facility. Int. J. Ambient Energy 2018, 39, 202–210.
  58. ISO. ISO 50049: 2020. Calculation Methods for Energetic Efficiency and Energy Consumption Variations on Country, Region and City Levels: Relationship with Energy Savings and Other Factors; ISO/IEC: Geneve, Switzerland, 2020.
  59. Wu, J.; Cheng, B.; Wang, M.; Chen, J. Quality-Aware Energy Optimization in Wireless Video Communication with Multipath TCP. IEEE/ACM Trans. Netw. 2017, 25, 2701–2718.
  60. ILO International Labour Organization. the Face of a Pandemic: Ensuring Safety and Health at Work; ILO: Geneva, Switzerland, 2020; ISBN 978-92-2-032136-2. Available online: https://www.ilo.org/wcmsp5/groups/public/---edprotect/---protrav/---safework/documents/publication/wcms_742463.pdf (accessed on 27 June 2020).
  61. WHO; CDC. Severe Acute Respiratory Syndrome. Supplement I: Infection Control in Healthcare, Home, and Community Settings. Public Health Guidance for Community-Level Preparedness and Response to Severe Acute Respiratory Syndrome (SARS); Version 2; World Health Organization: Washington, DC, USA, 2005.
  62. World Health Organization (WHO). Laboratory Biosafety Manual, 3rd ed.; Centers for Disease Control and Prevention (CDC): Atlanta, GA, USA, 2004; ISBN 92-4-154650-6.
  63. INSST—National Institute for Occupational Safety and Health. Biosecurity. Madrid. (In Spanish). Available online: https://www.insst.es/-/bioseguridad (accessed on 8 July 2020).
  64. United States Department of Agriculture (USDA). A Biosecurity Checklist for School Foodservice Programs. Biosecurity Guidelines; 2004. Available online: https://childnutrition.ncpublicschools.gov/information-resources/food-defense-security (accessed on 12 July 2019).
  65. ISO. ISO 22313:2020 “Security and Resilience—Business Continuity Management Systems—Guidance on the Use of ISO 22301”; ISO/IEC: Geneva, Switzerland, 2019.
  66. ISO. ISO 22317:2015 “Security and Resilience—BUSINESS Continuity Management Systems—Guidelines for Business Impact Analysis (BIA)”; ISO/IEC: Geneva, Switzerland, 2015.
  67. Buba, P.; Azahari, R.; Armanura, M. The Impact of Information and Communication Technology Resources on SMEs. Asian J. Multidiscip. Stud. 2018, 6, 66–76.
  68. Arvanitis, S.; Loukis, E.; Diamantopoulou, V. The effect of soft ICT capital on innovation performance of Greek firms. J. Enterp. Inf. Manag. 2013, 26, 679–701.
  69. Harindranath, G.; Dyerson, R.; Barnes, D. ICT in small firms: Factors affecting the adoption and use of ICT in Southeast England SMEs. Available online: https://aisel.aisnet.org/ecis2008/167 (accessed on 20 October 2020).
  70. Cavalcanti, G. Barriers to Implementation of Information and Communication Technologies among Small and Medium-Sized Enterprises—Digital Divide through the Business Lens. Masters’ Thesis, California State University, Fresno, CA, USA, 2006.
  71. Legg, S.J.; Olsen, K.B.; Laird, I.S.; Hasle, P. Managing safety in small and medium enterprises. Saf. Sci. 2015, 71, 189–196.
  72. Podgórski, D. Measuring operational performance of OSH management system—A demonstration of AHP-based selection of leading KPI. Saf. Sci. 2015, 73, 146–166.
  73. Cagno, E.; Micheli, G.J.L.; Masi, D.; Jacinto, C. Economic evaluation of OSH and its way to SMEs: A constructive review. Saf. Sci. 2013, 53, 134–152.
  74. Badri, A.; Gbodossou, A.; Nadeau, S. Occupational health, and safety risks: Towards the integration into project management. Saf. Sci. 2012, 50, 190–198.
  75. Carlson, R.; Erixon, M.; Forsberg, P.; Pålsson, A.C. System for integrated business environmental information management. Adv. Environ. Res. 2001, 4, 369–375.
  76. Florio, C.; Leoni, G. Enterprise risk management and firm performance: The Italian case. Br. Account. Rev. 2017, 49, 56–74.
  77. Aven, T.; Ylönen, M. A risk interpretation of sociotechnical safety perspectives. Reliab. Eng. Syst. Saf. 2018, 175, 13–18.
  78. Ribeiro-Cerejo da Cruz Monteiro, J.I. Factors that Affect Effectiveness in the Use of Enterprise Resource Planning Systems. Reality in Portugal Landscape; Magister Project; NOVA School: Cascais, Portugal, 2019.
  79. Skorupinska, A.; Toreent-Sellens, J. ICT, innovation, and productivity: Evidence based on Eastern European manufacturing companies. J. Knowl. Econ. 2017, 8, 768–788.
  80. Cabello Cervantes, L.M.; Morales-Hernández, L.A.; Ríos-Moreno, G. The Specific Virtual Strategy (EVE) as a Factor of Value Creation; International Network of Researchers in Competitiveness: Guadalajara, Mexico, 2014; Volume 8, pp. 795–806. (In Spanish)
  81. Benítez-Amado, J.; Llorens-Montes, F.J. Information technology-enabled intrapreneurship culture and firm performance. Ind. Manag. Data Syst. 2010, 110, 550–566.
  82. González-Posada, D.M.; Reyes-Bedoya, N. Management tools within reach: The case of the hostel network in the city of Medellín. CEA J. Econ. Adm. Sci. 2019, 5, 113–129. (In Spanish)
  83. Mattar, J.; Cuervo, L. Planning and Prospects for the Construction of the Future in Latin America and the Caribbean; Selected texts 2013–2016; ECLAC UNIDO: Santiago de Chile, Chile, 2016. (In Spanish)
  84. Baena Paz, G. Strategic Prospective Planning. Theories, Methodologies and Good Practices in Latin America”; PAPIME Project; Universidad Nacional Autónoma de México: Mexico City, Mexico, 2015. (In Spanish)
  85. Aguirre Ramírez, J.; Cataño Rojas, J.; Rojas López, D. Prospective analysis of business opportunities based on technological surveillance. Puente 2013, 7, 29–39. (In Spanish)
  86. AENOR. UNE 66177:2005 “Management Systems. Guide for the Integration of Management Systems”; AENOR: Madrid, Spain, 2005. (In Spanish)
  87. BSI British Standards. BSI PAS 99:2012. “Publicly Available Specification. Common Management System Requirements as a Framework for Integration; BSI: London, UK, 2012; ISBN 978058076869. Available online: https://andrewtmarlow.files.wordpress.com/2012/04/pas-99-second-draft-1-7.pdf (accessed on 24 July 2020).
  88. ISO. DRAFT ISO GUIDE 83:2011. High Level Structure and Identical Text for Management System Standards and Common Core Management System Terms and Definitions; ISO/IEC: Geneve, Switzerland, 2011. [Google Scholar]
  89. ISO/IEC. ISO/IEC (2011). Consolidated ISO Supplement. Procedures Specific to ISO. Annex SL (Normative) Proposals for Management System Standards. International Organization for Standardization ISO/IEC Directives Annex; ISO/IEC: Geneve, Switzerland, 2011. [Google Scholar]
  90. ISO/IEC. ISO/IEC (2018). International Organization for Standardization. Directives and Policies Ninth Edition. Obtenido de International Organization for Standardization. Official Rules to Develop an ISO STANDARD; ISO/IEC: Geneve, Switzerland, 2018; Available online: www.iso.org/directives-and-policies.html (accessed on 2 May 2020).
  91. Poveda, P.; García-Díaz, J.; Hernandis, B. Application of the Systemic Method to the Design of a Conceptual Model for Comprehensive Management Systems QHSE3 + in SMEs. In IFDP`16—Systems and Design: Beyond Processes and Thinking. Electronic Book Proceedings; Ortuño, B.H., Ed.; Universitat Politècnica de València: Valencia, Spain, 2016; pp. 651–664. (In Spanish) [Google Scholar]
  92. ISO. ISO 21500:2012, Guidance on Project Management; ISO/IEC: Geneva, Switzerland, 2012. [Google Scholar]
  93. Ortegón, E.; Pacheco, J.F.; Prieto, A. ECLAC Manuals: Logical Framework Methodology for Project Planning, Monitoring and Evaluation; ECLAC UNIDO: Santiago de Chile, Chile, 2005. (In Spanish) [Google Scholar]
  94. Rosato, M. Go Small for Project Success. PMWJ 2018, 7, 1–10. [Google Scholar]
  95. Hernandis Ortuño, B.; Briede Westermeyer, J.C. An educational application for a product design and engineering systems using integrated conceptual models. Ingeniare. Revista Chilena de Ingeniería 2009, 17, 432–442. [Google Scholar] [CrossRef]
  96. Guerrero, M.; Hernandis, B. An approach to the representation of a product’s form and appearance: Study on design attributes. Innovar 2018, 28, 25–39. [Google Scholar]
  97. ISO. ISO 17741: 2016, Energy Savings. General Technical Rules for Measurement, Calculation, and Verification of Energy Savings of Projects; ISO/IEC: Geneva, Switzerland, 2016. [Google Scholar]
  98. ISO. ISO 17743:2016, Energy Savings. Definition of a Methodological Framework Applicable to Calculation and Reporting on Energy Savings; ISO/IEC: Geneva, Switzerland, 2016. [Google Scholar]
  99. ISO. ISO/TS 50044:2019. Energy Saving Projects (EnSPs)-Guidelines for Economic and Financial Evaluation; ISO/IEC: Geneve, Switzerland, 2019. [Google Scholar]
  100. Rueda Ortíz, R. Technological convergence: Synthesis or political and cultural multiplicity. Signo y Pensamiento 2009, 28, 114–130. (In Spanish). Available online: https://revistas.javeriana.edu.co/index.php/signoypensamiento/article/view/4530 (accessed on 17 May 2020).
  101. IEC. IEC FDIS 31010:2010. Risk Assessment Techniques; IEC: Geneve, Switzerland, 2010. Available online: http://ehss.moe.gov.ir/getattachment/f7de1f2a-7559-49b5-8b97-c69b13fa17a9/31010-FDIS-(Risk-Assessment-Technics) (accessed on 2 September 2019).
Figure 1. Relationship between the concepts of risk, risk management, intelligence, and decision-making, based on ISO 31000, ISO Guide 73: 2009 and DHS USA, 2008 [13,14,19,20].
Figure 2. Principles of risk management based on ISO 31001 and ISO 22301 [13,14,50,51].
Figure 3. Management approach to energy efficiency [28,52].
Figure 4. Crisis and Incident Management, and Business Continuity [65,66].
Figure 5. Integration of the logical structure of the requirements of CMS QHSE3+. Perspective of Application to Comprehensive Biosafety Management [25,26,27,28,29,30,31,86,87,88,89,90].
Figure 6. Classification matrix of topics related to the R/O of CMS QHSE3+ [25,26,27,28,29,30,91].
Figure 7. Model for the comprehensive R/O management of CMS QHSE3+.
Figure 8. Functional matrix of comprehensive R/O management model layers and levels.
Figure 9. Parameterization of the application of the comprehensive R/O management model.
Figure 10. Parameterization of the application of the comprehensive R/O management model.
Figure 11. Characteristics of the companies in which the application of the comprehensive R/O management model was performed under CMS QHSE3+.
Figure 12. Indicators of vulnerability reduction and incidence of opportunity management in the achievement of strategic objectives: Companies 1, 2, and 3.
Figure 13. Indicators of vulnerability reduction and incidence of opportunity management in the achievement of strategic objectives: Companies 4, 5, and 6.
Table 1. Characteristics of comprehensive management for biosecurity based on CDC, BMBL, INSST, ILO, and WHO [60,61,62,63,64].

| COMPONENT | KEY SENTENCE SUMMARY | DESCRIPTION |
|---|---|---|
| What? | Thought, awareness, and action: PDCA with full awareness. BE, DO, and MAKE IT DO | Everything we do with full awareness in our work: Think, Know and PDCA of Principles, Norms, Protocols, Technologies, and Practices. This is: The planning, application, feedback, and control required to ensure the vertical and transversal integration of the required principles, standards, protocols, technologies, and practices... |
| For What? | Self-care, care and protect: TO EFFECTIVELY IDENTIFY, PREVENT, CONTAIN, RESPOND, AND REDUCE VULNERABILITY AGAINST RISKS TO HEALTH AND THE ENVIRONMENT | ... For the identification, prevention, containment, and effective response, through good practices, technology, and infrastructure, to risks to health and the environment... |
| Where? | In the face of biological, chemical, physical, or mechanical risks: Due to EXPOSURE TO AGENTS GENERATING INFECTIOUS, TOXIC OR ALLERGIC DISEASES, FROM OR TOWARDS THE ORGANIZATION’S PROCESSES | In exposure to biological, chemical, physical and/or mechanical agents, from or to our activities and processes. In the interaction with areas, things, products, people, and internal and external environment; they can cause infectious, toxic, or allergic diseases. |
Table 2. Basic elements of the CMS QHSE3+ Model [11,91].

| PARTS | DESCRIPTION |
|---|---|
| 1. Management Core. “I decide with business intelligence on the aspects of management” | The core of management represents the central component from where the strategic direction is developed, including business intelligence associated with the strategic decisions for differentiation and specialization based on the development of products and services for sustainable success with innovation. |
| 2. Heart of Talent and Culture. “I deploy the philosophy of R/O and develop skills and culture” | This represents human management, associated with talent, competencies, and knowledge management. Culture addresses the dynamics of identification, appropriation, and experience of principles. |
| 3. R/O Management, Intelligence, and Operational Planning Breastplate. “I decide with intelligence and technique the operational aspects.” | This brings together information intelligence and operational decision-making with the planning of prevention, mitigation, contingency, emergency, and R/O control measures for each component with the management of purchases and infrastructure. |
| 4–8. Five Arms of QHSE3+. “I apply what was planned in each component.” | These symbolize the QHSE3 elements from which the strategic and operational planning is applied. In each arm, the R/O per component is managed, associated with nonconformities, incidents, potential uses, improvements, or greater value generation. |
| 9 and 10. Feedback Axes and Model Improvement. “Through Monitoring, Measurement, Analysis, and Evaluation (MMAE), I learn, innovate, and improve.” | These are the axes that ensure the dynamics of the model. Axis 9 brings together the MMAE, audit, and management review to analyze performance and pose challenges. Axis 10 corresponds to improvement, innovation, and response accordingly to incidents, nonconformities, and opportunities to generate greater value with corrective and preventive actions in full alignment with the requirements of the context and strategic purposes. |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

MDPI and ACS Style

Poveda-Orjuela, P.P.; García-Díaz, J.C.; Pulido-Rojano, A.; Cañón-Zabala, G. Parameterization, Analysis, and Risk Management in a Comprehensive Management System with Emphasis on Energy and Performance (ISO 50001: 2018). Energies 2020, 13, 5579. https://doi.org/10.3390/en13215579
