Parameterization, Analysis, and Risk Management in a Comprehensive Management System with Emphasis on Energy and Performance (ISO 50001: 2018)

The future of business development relies on the effective management of risks, opportunities, and energy and water resources. Here, we evaluate the application of best practices to identify, analyze, address, monitor, and control risks and opportunities (R/O) according to ISO 31000 and 50000. Furthermore, we shed light on tools, templates, ISO guides, and international documents that contribute to classifying, identifying, formulating control, and managing R/O parameterization in a comprehensive management system model, namely CMS QHSE3+, which consists of quality (Q), health and safety (HS), environmental management (E), energy efficiency (E2), and other risk components (+) that include comprehensive biosecurity and biosafety. By focusing on the deployment of R/O-based thinking (ROBT) at strategic and operational levels, we show vulnerability reduction in CMS QHSE3+ by managing energy, efficiency, and sustainability.



So far, the steps mentioned in the Intelligence and Risks Cycle correspond to Knowing, Reasoning, and initiating the actions to Decide, based on priorities. Next, there is the stage of Acting with Intelligence. In the process, this corresponds to Treating Risk and Control, i.e., planning and implementing measures to eliminate, reduce, mitigate, or take contingency actions. Next comes the action of Monitoring the control system, and the status of the risk, to close the cycle with the action of Communicating and Consulting, which involves interacting with various parties to obtain a maximum of information about each risk and its context. Finally, all actions and risk treatment consider the Report and Record. In this approach, the following points stand out:
The concept of risk is directly associated with uncertainty and constitutes the conjugation of the possibility of an event that may have a positive or negative impact on the achievement of objectives or the integrity of resources.
Chance is the source of risk, and in some contexts, it is associated with the term "risk factor" [14,15,19,20].
Uncertainty is the "state generated by the deficiency of information to understand or know an event, its consequences, and probability of occurrence" [16,19,20].
Vulnerability is the condition of design, location, or operation that makes an asset, organism, product, service, process, or system susceptible to an attack [14,15,19,20]; its reduction can be assessed in terms of the proportion or percentage of reduction of the risk level, as indicated by Equation (1) [11], where DismVul denotes the percentage decrease in vulnerability after implementing antirisk measures, Poi and Goi are the initially assessed possibility and gravity, respectively, and Pfi and Gfi are the final possibility and gravity after adopting the planned measures, respectively.
The decisions cycle plays a fundamental role in the activities of any organization. This cycle includes the intelligence cycle, as it considers the phases of capturing information, classifying it, analyzing it, and understanding its context and behavior to guide decision-making [13].
Energies 2020, 13, 5579

In the intelligence cycle, identification, analysis, and evaluation must be integrated into risk assessments. The union of the two cycles brings together know (understand), reason, decide, and act with intelligence, linking "intelligence" with decision-making and the orientation of actions with reliable information and the criteria for analyses of the matter to be decided. Thus, with the intelligence of the information, it is possible to reduce the uncertainty linked to decisions. The result or impact of R/O is the effect an event can have on the integrity of the resources and objectives. As the impact or consequences can be economic, personal, or missionary, R/O management brings together "the coordinated actions to direct and control the organization concerning its risks and opportunities" [14,17], which focus on reducing their possibility of occurrence and impact, or enhancing opportunities, thereby leading to the creation or protection of value.
Resilience is the adaptive capacity of an organization in a complex and changing environment [14,15,18]. The US Department of Homeland Security [19] expands this definition as a "systems' capacity, infrastructures, government, companies, and citizens to resist, absorb, recover from, or adapt to an adverse event that may cause harm, destruction, or loss of national importance," or the "capacity of an organization to recognize threats and dangers and make adjustments that improve future protection efforts and risk reduction measures." A threat [19] is a natural or man-made phenomenon generated by people, entities, or an action that has or projects potential damage to life, information, operations, the environment, or property. It considers the conditions of intent or unintentionality of the threat. A scenario corresponds to a hypothetical situation composed of hazards, an entity affected, and the associated conditions, including consequences when appropriate [19]. An incident is a natural or man-made phenomenon, or an action that has or projects potential harm or damage to life, information, operations, the environment, and/or property.

Scope of Risk Management in Society and Companies
Many companies today face the difficulties of the market, competition, and sustainability, and see problems related to water, air, soil, energy, natural resources, global warming, and biosecurity. There are also multiple financial, social, and macroeconomic dangers related to the increase in interest rates, tax burdens, and the strengthening of the prevailing currencies. Thus, doing business is an increasingly difficult mission [12][13][14][15].
Changes in customs, habits, ways of doing business, and technological developments and restrictions on access to ICT also generate vulnerability. With this spectrum of adversities, the future of entrepreneurs and project leaders is marked by the need to make intelligent decisions that allow them to respond appropriately to adverse situations, opportunities, and contingencies.
Therefore, it is essential to apply risk management and foresight in strategy and operational dynamics [12][13][14][21][22][23][24]. Thus, it is necessary to determine the tools and guides necessary for the application of the good management practices that underlie each component of CMS QHSE3+:
For Component Q, associated with strategic and quality risks, the best practices of ISO 9001: 2015 and the ISO 9000 family of standards support this approach [25].
For the HS component, linked to occupational health and safety risks, the best practices of ISO 45001: 2018 and the ISO 45000 family of standards also support this approach [26].
For Component E, the environment, related to risks due to contamination and deficiencies in environmental performance, ISO 14001: 2015 and the ISO 14000 family of standards support the planning and application of best practices [27].
For the energy efficiency component (E2), the best practices of ISO 50001: 2018 and the ISO 50000 family of standards support a management approach that reduces the vulnerability associated with the use, consumption, and performance of energy [28].
The sign (+) at the end of the abbreviation corresponds to any other reference that may be applicable to, or required by, the organization, such as ISO 22000: 2018, "Food safety management systems", or ISO 27001: 2013, "Information Security Management Systems" [29,30]. At this point, the risks related to corporate social responsibility can be considered part of the additional risks "plus (+)", as well as the risk of not taking actions that contribute to sustainable development [31].

Principles of Risk Management
Risk Management must be based on the application of several principles that support its application in the processes and functions of the organization in the context of a business culture that focuses on continuous improvement, the integral generation of value, and sustainable success. Figure 2 presents the principles of ISO 31000: 2018 [14] within a model in which its perspective is broadened, taking into account the critical factors that underlie the approaches of the previous paragraph regarding the scope and importance of the Management of Risks in companies and in society.
For this reason, the illustration uses three versions of "La Danse", a famous work by Henri Matisse [49], to highlight the holistic and social nature of Comprehensive Risk Management and its principles. Six basic perspectives are considered for its classification: Management and Leadership, Talent and Culture, Processes, Stakeholders, Decisions and Improvement.
In a similar way to dashboards or strategy maps, Figure 2 is structured in terms of its perspectives, from the bottom up, in such a way that the foundations of the management of principles and values are based on Leadership and the example of the Management Team, which are reflected in Human Talent, Culture and capacities, to develop Processes, in interaction with Stakeholders, and are projected in the Decisions of the entire organization, to ensure Improvement, and Comprehensive Management of Risks on the factors associated with the dynamics of change.

Basic Principles and Management Approach for E2
Given that organizations require energy resources for the operation of their processes and interactions with stakeholders, continuous and systematic improvement of energy performance is imperative from strategic and operational standpoints, based on the best practices of the ISO 50000 family of standards, considering (See Figures 3 and A5): consumption, trends in parameters, flows, and losses are analyzed, and areas of significant use are determined. This is the starting point to register, prioritize, and formalize the possible fronts for improvement with relevant strategic impact [52].
2.2.2. Aspects Related to the Execution of the Plans and the Operation of the EnMS
Aspects related to the execution of the plans and the operation of the EnMS include the execution of plans and provisions, and the implementation of established best practices, which also include the promotion of culture for energy management and the application of operational control (i.e., the management of the components of processes) through which it is possible to control parameters and address risks associated with energy efficiency (i.e., methods, competencies, maintenance, tuning, control of purchases, materials and contracts, and energy supply, among others).

Aspects Related to EnMS Feedback
Aspects related to EnMS feedback include articulated feedback from the management of energy performance indicators (EnPI), the LBEn energy baseline, understood as the "quantitative reference that provides the basis for the comparison of performance in a given period," the measurement with "energy models" to summarize and analyze the energy consumed by the system, monitoring, and other feedback and auditing mechanisms.

2.2.4. Aspects Related to the Maintenance, Adjustment, and Improvement Actions of the EnMS
Aspects related to the maintenance, adjustment, and improvement actions of the EnMS include actions for the adjustment, correction, maintenance, or improvement in energy performance, which also include lessons learned and the projection of decisions and challenges resulting from management reviews and determining the future of the organization in terms of energy efficiency management.

Developments Related to the Optimization and Improvement of EnMS
Although there has been a fairly broad spectrum of technological developments and advances in the optimization and improvement of the rational and efficient consumption of energy, works related to awareness raising and EnMS are highlighted, e.g., works carried out by J. Wu, B. Cheng, M. Wang and J. Chen, as well as those related to ISO TC 301, and those of other researchers such as R. Uriarte and J. Cosgrove [52][53][54][55][56][57][58][59]. See also Figure A5.

This section presents advances and developments in four areas associated with governance and the need for a comprehensive management model, i.e., risks, biosecurity and biosafety, business continuity, and strategic prospective.
In recent decades, the development of knowledge in risk management and biosecurity + biosafety has become vital for various fields and for technological development. This is reflected in the proliferation of management standards, such as the developments of the ISO TC 292 Technical Committee, which leads the International Standards on Security and Resilience, including incident management, emergencies, contingency plans, and business continuity, e.g., ISO 22301: 2019, ISO 22313: 2020, and ISO 22317: 2015 [51,65,66].
Management for biosecurity and biosafety is a factor of mandatory consideration within CRM, for not only companies, but also for laboratories and the food chain, given the current context associated with COVID-19. The scope of biosecurity and biosafety management covers all processes, facilities, and products, and applies to workers or third parties who perform activities on behalf of companies and users who interact with them.
The ILO, WHO, and other researchers have developed guides, standards, and resolutions of mandatory application. These developments in technology, regulation, and knowledge are associated with the multiplication of potential risk factors determined by acute moments of economic depression and geopolitical crisis, terrorist attacks, biological weapons, and other critical events, such as COVID-19.
With technological developments and regulations in the field of health, work, and well-being, management systems point toward integrality to support businesses; they require global management of intelligence in interactions with relevant parties and comprehensive management protection, which includes biosecurity and biosafety, with a transversal scope that covers ICT and generational change [67][68][69][70][71][72][73][74][75]. Figure A6 provides further information on www.sra.org (Society for Risk Analysis) and www.eird.org/americas/indexeng.html (UN Office for Disaster Risk Reduction) as sources that contribute to safety, care, and protection in operations and projects through developments, tools, and information at the service of stakeholders. These references are complemented with articles, publications, and developments in the foundations and strategic and operational dimensions of risk management, resilience, and reliability [35,37,38,40,76,77].
It is a challenge for companies to choose the right tools to address the transformation of their processes and businesses under a CRM umbrella. This implies ensuring the relevance of services and processes and in a transversal way, self-care, care, protection, containment, and creative forms of response to the conjugation of contingencies which are maintained in crises under the premise of sustainability, health, and well-being [78][79][80][81].
In terms of strategic foresight, the developments have been led by French schools since 1990 by generating manuals, computer applications, and tools at the service of the community [82][83][84][85].
Despite these improvements and those mentioned in the preceding paragraphs, SMEs do not have simple and comprehensive tools that are grouped under the umbrella of strategic management, risk management, energy efficiency, business continuity plans, and response to potential and real crises such as COVID-19. In addition, they are mostly unaware of the best practices of the recognized international standards and guides [44][45][46][47][48][50][51] to respond to the basic needs that, for a CMS, and with regard to energy efficiency and biosafety, must apply to a company. Figure 4 illustrates that under contingency conditions, companies must attend to a systematic plan for different types of incidents, which may be associated with a business strategy, quality, safety and regulatory requirements of products and services, aspects of health, safety, and impact on the environment, energy efficiency, information security, networks, and communications, or any other types of combined or independent risks [44,47,48,50,65,66]. The materialization of risks translates into incidents with potential implications in terms of vulnerability due to the interruption of operations, the supply chain, or business continuity. Then, business continuity plans [50,65,66] must address incidents by prioritizing their impact and potentiality.
Incidents, regarding their occurrence and association with QHSE3+ components, generate crises and situations associated with their implications and the collateral implications of the measures adopted to respond to them.
The governance of these crises should be included in the organization's management through the crisis management command bridge from where particular scenarios located in the "red" zone with the greatest probability, and their consequences, should be prioritized, and contingency plans should be formulated.
Importantly, within the QHSE3+ framework, the objectives of comprehensive biosafety management with its business continuity and contingency plans for crisis scenarios include: Protecting the health and well-being of people and the organization with an emphasis on self-care; Adapting the promise of value and the product/service to the conditions of the situation, and complying with excellence; and Guaranteeing the continuity and sustainability of the business, supply, and supply chain (See also Figure A6).

Integration of CMS QHSE3+ Requirements and HLS
CMS QHSE3+ is a harmonious integration of the elements required to develop a management model that focuses on complying with agreements, requirements, and applicable legislation, preventing failures and risks, and having a proactive approach that shows the causes of failures and leads to continuous improvement in business performance. Since the end of the last century, a common structure has been envisioned in the required standards on management systems led by several standardization secretariats, such as BSI-England and AENOR-Spain, which generated UNE 66177:2005 and PAS 99:2012 [86,87], respectively.

See also, in Figure A7, under a holistic approach, the chronology corresponding to the historic development of the QHSE3+ Standards in correlation with the milestones of technology and the expression of man, throughout the ages.
In 2013, the HLS was defined, and it has guided these standards since 2015. This reference became the "Appendix SL" of the Supplement to the ISO/IEC Directives on the hierarchical structure of management systems standards [86][87][88][89][90]. Figure 5 summarizes the HLS approach under the PDCA cycle with which the requirements and mandatory basic structure of the management systems standards are defined and integrated; this approach meets the requirements from Chapters 4 to 10, given that the initial Chapters 1 to 3 are intended for Scope (1), Normative References (2), and Terms and Definitions (3). Chapters 4 to 7, with a yellow background, belong to the P for Planning and include 4. Context of the Organization, 5. Leadership, 6. Planning, and 7. Support. In the D of Do, with a green background, is Chapter 8. Operation; in the C of Check (Verify), with a light red background, are the feedback topics under Chapter 9. Performance Evaluation; and in the A of Act, with a light blue background, Chapter 10. Improvement is outlined.
In Figure 5, under the criteria of affinity with risks and planning, numeral 8.2 Plans to Respond to Emergencies has been placed as part of the planning in numeral 6.1, i.e., Actions to address R/O. In its application, best practices for business continuity are considered both from a global strategic point of view, as well as for each service line and the supply chain.
ISO 9001:2015 has requirements specific to this component, identified with a blue letter (Q): planning of changes (Numeral 6.3), requirements for products and services (Numeral 8.2), design and development (Numeral 8.3), control of externally supplied processes, products and services (Numeral 8.4), production and service provision (Numeral 8.5), release of products and services (Numeral 8.6), and control of nonconforming outputs (Numeral 8.7).
The ISO 50001: 2018 standard also includes particular requirements, identified with the petroleum-green letter (E2): numerals 6.3 energy review, 6.4 energy performance, 6.5 energy baseline, and 6.6 planning for the collection of energy data, as well as design (Numeral 8.2) and acquisitions (Numeral 8.3). To facilitate the comprehensive application of these requirements and additional ones such as ISO 27001: 2013, the authors provided reference [13], an Excel application that is included in the approach of the structure of Figure 6, a checklist of common and uncommon requirements of the QHSE3+ standards in the support portal.

Fundamental Purpose of the Research. Methodology
The research that supports the results presented in this paper focuses on contributing to the effectiveness and sustainability of Entrepreneurship Projects and the Implementation of Comprehensive Management Systems QHSE3+, SMEs, and the business sector in general, through the design and preliminary application of instruments and tools that enable the understanding, implementation, and application of Good Practices for sustainable success, and, in the future, its massification, from a holistic perspective for the strategic and operational management of risks and opportunities (R/O).
The following are the specific objectives in the field of Comprehensive Risk Management: the design of the Model and Reference Framework, the development of tools for the identification and classification of R/O, the parameterization of the Risk Management Process, and the initial application of the Model and its Tools in goods and services companies.
The methodology used combined both applied and qualitative research: The approach of the logical framework methodology developed by ECLAC and the IDB was applied in the formulation of this research project [92][93][94]. The configuration of the model was carried out in a global and particular way for its main components, adapting the developments of the systemic design to the particular case of the functional, ergonomic, and formal design of a model of CMS [95,96]. The applied research took place during consulting exercises in which the model and tools were validated and adapted to six cases of companies between 2014 and 2019, with positive results and the ratification of the approach. In 2020, with the contingency of COVID-19, there was the opportunity to incorporate biosafety and business continuity plans into the model in the design and deployment of the governance plan in one of the six reference companies (See Section 2.3, Section 2.4, Section 3.2 and Figure 4, and the summary of the strategic and operational approach in Figure A6).
On the horizontal axis, there are four levels of planning and action: (a) directive planning, (b) operational planning (including projects, product development, and processes), (c) contingency and emergency plans, and (d) responsibility and response actions (i.e., containment and correction, feedback, and lessons learned).
The model matrix and its functional elements are analyzed below:

Strategic R/O Management.
Intelligence, context monitoring and decision making to consolidate and build the future of the organization. Product and business developments. R/O follow-up on strategy management. Reformulation of projects and definition of contingency actions, as necessary.

Culture, values and human talent for R/O management.
Deployment and appropriation of the Principle corresponding to "R/O-BASED THINKING".

Operational Planning for R/O management.
Technical management to determine R/O QHSE3+, and formulate control measures, in projects and operational and support processes.

R/O Management and Knowledge, Innovation and Improvement Axis.
Lessons learned, Innovation and Improvement on the performance and approach of Comprehensive Risk Management. Risk Management during Innovation and Improvement activities.

[Figure residue; recoverable labels: Innovation and Improvement; Requirements and Environment Conditions; Risks, Resources, Information; Business Intelligence; Good Practices; Integrity Control - Comptroller (Corporate Audit vs COSO Internal Control)]

In Step (9), the effectiveness of the plan was evaluated, and incidents and events related to the R/O of CMS QHSE3+ were monitored. In Step (10), the residual risk and the changes in vulnerability were evaluated, and the cycle was resumed and reformulated according to the changes in the context.

General Achievements and Benefits of the Research
The research gave rise to the following innovative products that contribute to entrepreneurship and are available to companies and stakeholders:


The presentation of the concepts related to security and with the processes of risk management and intelligence for decision-making, through a graph that correlates, orders, and explains them, facilitating their study and analysis, in the context of management systems (See Figure 1, and Section 2.1.1).  The explicit incorporation of the comprehensive biosafety management and contingency and business continuity plans to the model (See numeral 2.3 with the comprehensive approach and concepts; Figure 4 with governance in crisis; Figure 6 with the application of the integration of requirements to biosecurity and biosafety; and continuity management and response to the pandemic in Figure A6).  The presentation of the requirements of ISO 50001 and the ISO QHSE3+ standards as best practices, whose application contributes to reducing vulnerability and enhancing energy improvement and efficiency. For this purpose, the HLS was applied, and illustrated by a diagram that allows us to appreciate its logic and integration, and the blocks of particular requirements for each component See Sections 2 and 3, and Figures 3, 5, and A4, as well as the reference support portal [13] with a comprehensive checklist of best practices QHSE3+.


The generation of six matrices that present the thematic structure, approach, and projections of the ISO 31000 families of standards, and QHSE3+, which include ISO 50000. In each matrix,  Figure 10. Parameterization of the application of the comprehensive R/O management model.

General Directory of R/O Topics Regarding QHSE3+
One of the greatest difficulties that organizations may have in terms of R/O management is associated with the competencies of people to determine and unify the criteria for classifying R/O in their operations and interactions with different interest groups. Given this circumstance, an investigation of the R/O taxonomy was carried out, not only from the point of view of the families of the QHSE3+ norms and their approaches, but also from the perspective of management schools and the cases of companies that have a longer track record of risk management.
The conclusions reached by the work team after the two analyses, and later, during 2020, with the explicit incorporation of the topic of Biosafety, are as follows [13,23,24,35,38,48,51]: To facilitate the application of the model, it is convenient to prepare a Matrix-Directory, which brings together the blocks of general topics associated with the R/O Management of companies. In this way, each company specifies its basic strategic R/O matrix and processes, based on the blocks of topics, which become a support tool. There may be R/O simultaneously related to several QHSE3+ components, or external and internal topics. In the same way, for the integral biosafety management component that is part of the plus (+), it may be presented in many external and internal categories, such as strategy, culture, quality, safety, environment, infrastructure, financial elements, and even other specialized topics depending on the type of organization.
Figures A8-A14 detail the topics related to the layers and particular items presented in Figure 7, for external R/O, and Layers I to IX of the internal R/O.

Conceptual Model for Comprehensive R/O Management Applicable to CMS QHSE3+
This section presents the approach of the model configured through the application of systemic design [11,91,95,96], taking into account the structural and functional elements, which are described in Sections 3.3.1 and 3.3.2, and their parameterization in Section 3.4. Figure 7 illustrates the set of the Comprehensive R/O Management Model, taking as a starting point the basic elements of the CMS QHSE3+ described in Table 2.

Table 2. Basic elements of the CMS QHSE3+ Model [11,91].

PARTS AND DESCRIPTION
1. Management Core: "I decide with business intelligence on the aspects of management." The core of management represents the central component from where the strategic direction is developed, including business intelligence associated with the strategic decisions for differentiation and specialization based on the development of products and services for sustainable success with innovation.
2. Heart of Talent and Culture: "I deploy the philosophy of R/O and develop skills and culture." This represents human management, associated with talent, competencies, and knowledge management. Culture addresses the dynamics of identification, appropriation, and experience of principles.
3. R/O Management, Intelligence, and Operational: "I decide with intelligence and technique the operational aspects." This brings together information intelligence and operational decision-making with the planning of prevention, mitigation, contingency, emergency, and R/O control measures for each component with the management of purchases and infrastructure.

Energies 2020, 13, x FOR PEER REVIEW 15 of 44

4-8. Five Arms of QHSE3+: "I apply what was planned in each component." These symbolize the QHSE3 elements from which the strategic and operational planning is applied. In each arm, the R/O per component is managed, associated with nonconformities, incidents, potential uses, improvements, or greater value generation.
9 and 10. Feedback Axes and Model Improvement: "Through Monitoring, Measurement, Analysis, and Evaluation (MMAE), I learn, innovate, and improve." These are the axes that ensure the dynamics of the model. Axis 9 brings together the MMAE, audit, and management review to analyze performance and pose challenges. Axis 10 corresponds to improvement, innovation, and response accordingly to incidents, nonconformities, and opportunities to generate greater value with corrective and preventive actions in full alignment with the requirements of the context and strategic purposes.

Structural Elements of the Comprehensive R/O Management Model in CMS QHSE3+
The following elements make direct reference to risk management:
- The management nucleus has the first level of strategic risk management with product and business developments.
- The operational planning QHSE3+ is carried out from the Operational Planning Breastplate of the Model, and includes planning processes, identification of R/O, and determination of controls.
- The Five QHSE3+ Arms apply what is planned and respond to incidents and moments of truth.
This layer is divided into sublayers of change management to guarantee the integrity of the system, and a second sublayer to plan strategies according to each level:
Another complement is related to the development of competencies to make decisions and react appropriately and in a timely manner to events that lead to the presence of risk factors and dynamic opportunities, involving decisions in moments of truth or critical moments of change.
With the tools associated with the QHSE3+ risk types directory (Figures A8-A14) and the R/O management conceptual model for CMS QHSE3+ with its functionality matrix (Figures 7 and 8), significant progress is made in the visualization of R/O. However, its generalized application requires a logical tool that facilitates its application, updating, and management in the processes, the strategic field, and the components in which this is required. Figure 9 contains the flow that illustrates, step by step, the parameterization of the R/O management process associated with the model. From this parameterization, diagrammed with machine language identifying reports and outputs, it is possible to structure computer applications that are very useful for companies in terms of the transversal, agile, and systematic application of R/O management under unified criteria, support guides, listings, reports, and statistics.

Parameterization of the Comprehensive R/O Management Model
In Figure 9, the parameterization considers 10 Steps (column on the left) in which the application context is initially defined, taking into account the definition of the scope of the system or exercise (Step 0), the components under analysis, and the list of objectives and processes (Step 1), and then proceeds to determine the priority processes based on the analysis of their incidence in the fulfillment of the requirements, obligations, strategic objectives, and the performance and success of the business (Steps 2, 3, and 4).
Next, the applicable R/O directory was determined by starting from the tool indicated in Section 3.2 and from each component, thus generating the list of the types of external and internal R/O by component QHSE3+ (Step 5). Based on the typology, a list of strategic R/O and QHSE3+ was determined and individualized, including those related to biosecurity and biosafety (Step 6). In Step 7, an assessment of the R/O was carried out, which generates the R/O map and proceeds to establish the contingency plans, business continuity, and, in general, the plan of treatment, which takes into account the layers of prevention, control, reaction, mitigation, and change management (Step 8). The Plan must be monitored in terms of its execution and results. In Step 9, the effectiveness of the plan was evaluated, and incidents and events related to the R/O of CMS QHSE3+ were monitored. In Step 10, the residual risk and the changes in vulnerability were evaluated, and the cycle was resumed and reformulated according to the changes in the context. Figure 10 represents an alternative set of criteria with which to perform the assessment of risks and opportunities (R/O).

General Achievements and Benefits of the Research
The research gave rise to the following innovative products that contribute to entrepreneurship, which are available to companies and stakeholders:
- The presentation of the concepts related to security and to the processes of risk management and intelligence for decision-making, through a graph that correlates, orders, and explains them, facilitating their study and analysis in the context of management systems (See Figure 1 and Section 2.1.1).
- The explicit incorporation of the comprehensive biosafety management and contingency and business continuity plans to the model (See numeral 2.3 with the comprehensive approach and concepts; Figure 4 with governance in crisis; Figure 6 with the application of the integration of requirements to biosecurity and biosafety; and continuity management and response to the pandemic in Figure A6).
- The presentation of the requirements of ISO 50001 and the ISO QHSE3+ standards as best practices, whose application contributes to reducing vulnerability and enhancing energy improvement and efficiency. For this purpose, the HLS was applied, and illustrated by a diagram that allows us to appreciate its logic and integration, and the blocks of particular requirements for each component. See Sections 2 and 3, and Figures 3, 5 and A4, as well as the reference support portal [13] with a comprehensive checklist of best practices QHSE3+.
- The generation of six matrices that present the thematic structure, approach, and projections of the ISO 31000 families of standards, and QHSE3+, which include ISO 50000. In each matrix, explicit reference is made to the best practices which are most related to the integral management of risks for each component (Figures A1-A5).
- The matrix "General Directory of topics for R/O QHSE3+", which is a very useful and practical tool to make the inventory for R/O of companies.
- The validation of the parametrization flow of the model as a base instrument with which to structure computer applications that support the administration of R/O comprehensive management in organizations. See Section 3.4 and Figures 9 and 10.
The model and its tools were tentatively applied in six companies, where their practical utility and the benefit of their simple and logical approach were ratified to visualize and understand their structure, functionality, and operation. With one of the companies, it was possible to apply the model, considering the strategic and operational components in relation to business continuity and COVID-19. See Paragraph 3.6 and Figure A7.
The achievements and results obtained will determine the course of research and subsequent actions to expand the generated instruments and promote sustainable success.

Pharmaceutical Laboratory.
The profile includes the comprehensive approach of the Management System, the status of accreditation or certification of its QHSE3+ components, and the existence of Business Continuity Plans or Emergency and Contingency Plans.

CATEGORIES OF ANALYSIS
All the companies have CMS based on the certified quality component and a strategic approach, which determines the priorities of each business directed to address strategic and operational R/O, giving priority to accreditation in the health sector in the case of the hospital and clinic, and in all cases, to the QHSE3+ risk components and the regulatory obligations of each sector.
Although no company is certified in E2, 1 is certified in HS, and 3 are certified in the environmental component E, all made positive progress in the application of best practices and decided to be certified in the components indicated in Figure 11, according to their priorities and market interests.
Particularly, in the "+" component of additional risks, all companies applied good information security practices and the physical and logical security of their platforms, under the R/O ICT approach in accordance with ISO 27001:2013. On the other hand, two were certified in the BASC component, and 1 in ISO 22000:2018.

Presentation and Analysis of the Results Obtained

[Figures 12 and 13: indicator tables. Company label: Family Compensation Fund. Row titles: impact of the management of opportunities in the achievement of the strategic objectives (includes examples of addressed opportunities); reduction of vulnerability for strategic risks (includes the Q component of Quality); examples of HS safety and health hazards at work, relevant and with a greater reduction of vulnerability; reduction of vulnerability in "E" risks associated with environmental management; reduction of vulnerability in "E2" risks associated with energy efficiency; examples of relevant "E2" risks with greater reduction of vulnerability (risks due to inefficiency and energy losses); examples of significant risks with greater reduction of vulnerability in the "+" component of "other specialized risks". Cell text: Information security: Loss of information due to physical damage to Hardware and affectation of Software. Food safety: Risks of cross contamination due to non-application of Good Practices 14.8%. 1. Obsolescence of equipment and infrastructure. 2. Vulnerability due to the absence of control mechanisms and disciplinary provisions for energy saving.]
Figure 12. Indicators of vulnerability reduction and incidence of opportunity management in the achievement of strategic objectives: Companies 1, 2, and 3.
Figure 13. Indicators of vulnerability reduction and incidence of opportunity management in the achievement of strategic objectives: Companies 4, 5, and 6.

In companies in which prevention and ROBT were adopted as a fundamental principle and value, it was much easier to ensure systematic continuity in the application of the model.

B. Incidence of Opportunity Management in the Achievement of Strategic Purposes (Rows in
The indicator of the incidence of opportunity management in the achievement of the objectives was valued from the different processes and positions with direct responsibility in the projects and associated actions, from the estimated average percentage of the incidence of each relevant opportunity considered, with evaluations agreed upon between the management and specific managers.
- The average of the indicator of incidence was between 12% and 36% in the six companies.
The opportunities relate to ICT innovation and updating, the development of new products, new markets and businesses, renovation and investment in equipment, infrastructure and new facilities, development of new alliances, and human talent.

C. Vulnerability Reduction for Strategic and Quality Risks Q (Rows of Items 2 and 3)
- The reduction in vulnerability is calculated as the percentage of risk reduction after the application of the measures in the period to be calculated, as indicated in the algorithm of the definition in Section 2.1.1, which is set out again below:
where DismVul denotes the percentage decrease in vulnerability after implementing antirisk measures, Poi and Goi are the initially assessed possibility and gravity, respectively, and Pfi and Gfi are the final possibility and gravity, respectively, after adopting the planned measures.
- The reduction of vulnerability was between 8.5 and 27% in terms of strategic and quality risks related to vulnerability due to new requirements of corporate clients, liquidity and portfolio recovery, noncompetitive rates and costs, low call and market response, infection risks, and the high incidence of patients who migrate.

D. Vulnerability Reduction for HS Risk (Rows of Items 4 and 5)
- The reduction of vulnerability in the risks of the HS component was between 8.7% and 16.5%. The related risks include chemical products, noise levels, exposure to chemical, physical, and biological agents, contaminated waste management, particulate material, work at heights and in confined spaces, and thermal discomfort.

E. Reduction of Vulnerability for Risks E. (Rows of Items 6 and 7)
- The reduction of vulnerability in the risks of component E was between 9.4% and 23%. The risks that stand out include consumption of natural resources such as raw materials, consumption and contamination of water, noise and vibrations, hydrocarbon spills, generation of dumping and contaminated waste, and handling and manipulation of chemicals and hazardous waste.

F. Reduction of Vulnerability in Terms of E2 (General-Rows of Items 8 and 9)
- The reduction of vulnerability in the risks of component E2 was between 9.4% and 16.4%.
The risks concern losses and higher consumption due to the non-optimal management of heat and cold, losses and greater consumption due to the lack of lighting savings, and high consumption of fuel and energy in logistics operations of the supply chains (see Section H).

G. Reduction of Vulnerability in other components of Additional R/O (+) (Row 10)
In this block, three factors stand out: Information security: Physical damage to hardware, deterioration of software, limitations in availability, access, and integrity of information, cyberattack on networks and channels, inconsistencies and deactivation of computer applications, and infrastructure.

Conclusions
We present a conceptual model for comprehensive R/O management and the tools to facilitate its application. This includes the results obtained and references to best practices for the deployment and application of the model, from Appendices A.1-A.8.
The concepts associated with intelligence for decision-making and security were incorporated into the conceptual and principles framework of the model, from the perspective of the US Department of Homeland Security lexicon (Section 2.1), as well as the concepts and best practices related to biosafety management and business continuity plans (Section 2.3). In this way, the perspective was broadened, adjusting the approach to the dynamic context. The integration of model requirements was carried out from the identification of the requirements common to each component according to the approach of the HLS [87][88][89][90], as illustrated in Figure 6 (Section 2.4), where the additional specific topics of each component were identified, and an analysis of the application of these requirements to the comprehensive biosafety management was carried out. On the reference support portal [13], the authors provided a checklist associated with these requirements in terms of best practices available to the public.
The model was configured using graphic illustration and a matrix, which present the structural and functional design of each component, considering the different levels of planning and action, and the layers in which ROBT is deployed within CMS QHSE3+ (Section 3.2).
Two key tools were designed to support and facilitate the application of the CRM Model: the matrix-directory for the classification of risk topics, and the parameterization of the ten stages of the process, i.e., definition of the context, determination of the scope, prioritization vs. objectives and processes, identification and assessment of R/O, formulation, execution, and follow-up in the execution of the plan, evaluation of residual risk and restart of the cycle.
Holistic and strategic management gives an integral character to the system, which is not a simple combination or addition of components. CMS QHSE3+ is the harmonious integration of an organization's processes and projects focused on the achievement of the strategic purposes of the business in the path toward sustainable success. For this purpose, the comprehensive management of R/O is a fundamental tool. The importance of the management of competencies and culture is highlighted to promote and advance the individual and collective appropriation of the values related to the alignment between thought, conscience, and action, i.e., to take care of yourself, take care, and protect the integrity of resources and the health of people and the organization.
The development of culture and competencies must translate into the management of energy efficiency, biosafety, and the development of products, businesses, and processes being systematically reflected in the business continuity plans, maps, and R/O management plans of the business lines, corporate projects, and processes of the organization, and therefore, in the axes and strategic and tactical actions of the organization.
With the application of the model and its tools, the results described in Section 3.4 were obtained, which confirmed the validity of the approach, its applicability and contribution to any type and size of organization, and the need to face the challenges of the future.
A community of consultants, teachers, entrepreneurs, workers, and researchers related to CMS QHSE3+ will continue to develop tools and strategies to particularize the progress already made in a sectorial way and promote the massification and generalized use of best practices for project management, energy efficiency, and comprehensive management for sustainable success.
In practice, the application of the model and its effective implementation is limited by the need to particularize and detail the tools for different sectors of the business activity, which constitute possible future lines of research. Another limitation is associated with the development of creative, analytical, and abstract thinking, and with the strengthening of the discipline, culture and organization of leaders and process managers, who become key actors in intelligence management and the strategic and operational decision making of businesses.
From a technological point of view, there are also limitations generated by the difficulties of compatibility between interfaces of the information systems and process control, and the changes in priorities in the strategic approach to ICT developments.
Notwithstanding the above, the figures and results show that in SMEs, this is possible. The facts support and confirm that investment and efforts are recovering significantly, also observing that there may be a behavior curve where the reduction of vulnerability is greater in the first periods.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A
In Figure A1, the characteristics and structure of the family of ISO 31000 standards are presented, which include: The ISO IEC 73 Guide with the vocabulary, supplemented by Section 3 of ISO 31000:2018, which also contains, as the main axis of the family, the principles and guidelines, the frame of reference, and the process for risk management. As complementary standards, reference is made to the ISO TR 31004:2013 Implementation Guide and the ISO 31010:2019 Guide. Figures A2-A5, current as of August 2020, present a logic similar to that indicated here, adding in some cases the standards that are in the process of development, given their relevance in terms of the contribution in best practices for planning and risk management in QHSE3+ components. Figure A5 includes the ISO 50000 Family on E2, and in Appendix F, the illustration of the crisis management approach and strategic business continuity plan for the case of a family compensation fund in the event of the contingency generated by confinement and COVID-19.
Figure A6 presents the global approach for governance, biosafety + biosecurity, and the business continuity plan. In Section 2.3 and Figure 4, the concepts, scope, and needs related to the objectives of comprehensive biosafety and biosecurity management are illustrated. In numerals 2.4 and 3.1, it is observed how this management is articulated within the components of CMS QHSE3+, and the typology of related risks. In the description of the comprehensive R/O management model (Section 3.2), an implicit reference is made to the strategic, operational, and human management for biosafety + biosecurity, contingencies, and business continuity plans. Figure A6 illustrates the strategic and operational approach in one of the 6 companies in which the model was validated: The Family Compensation Fund. Figure A7 presents the chronological and historical milestones related to the development of technology, QHSE3+ standards, and musical and artistic expression.

2. Be structured and exhaustive, to measure progress continuously.
3. Adapt to the context and be intimately related to the objectives.
4. Inclusive to involve the parties with direct information.
5. Dynamic, to anticipate and respond to changes.
6. Build on the best information available. Respect confidentiality.
7. Consider internal and external human and cultural factors.
8. Promote and direct continuous improvement, based on learning and the knowledge that experience gives.

.2 Risk
Objective: To provide guidelines for the selection and application of systematic techniques for risk assessment, considering the specific reference to other international standards, where the concept and application of techniques are described in greater detail. This standard is not intended for purposes of certification, nor for regulatory or contractual uses. The document has been very well accepted and widely used, due to its clarity and didactics in the annexes.

OBJECTIVE:
The ISO 31000: 2018 Standard aims to provide guidelines for managing risk in organizations.
The application of these guidelines is adapted to any organization and its context. It can be used in any activity, considering decision-making at all levels. It includes, in Section 3, Terms and Definitions, with adjustments and simplification of the vocabulary.

1. Reference is also made to the ISO 31000 standards on Risk Management, and to the ISO 31010 standard on Risk Assessment Techniques, which contain definitions that are also useful.
2. Legislation on occupational health and safety issued by the ministries and regulatory entities of the different countries also provides developments and definitions adopted from OHSAS documents and from ILO Library on Occupational Safety and Health OSH documents.

REQUIREMENTS ISO 45001: 2018
Occupational Health and Safety Management Systems.

Requirements with guidelines for their application.

GUIDELINES (General Guidelines)
Due to its process approach, structural clarity, and simple handling of the subject, this is one of the best guides of the last twenty years for interpreting the requirements and implementing an OHSMS, while maintaining the international standard approach. It was developed under the coordination of BSI by the OHSAS project, with the participation of different standardization and certification institutions from Latin America, Asia, Africa, Australia, and entities from France, Spain, Holland, Sweden, Norway and England throughout Europe. (Germany, the United States, Canada, China and Italy were conspicuous by their absence.) See also:
1. Annex A of ISO 45001, which presents guidelines and guidance on the interpretation of the requirements.
2. The progress that TC 283 has made on the "Implementation Handbook" assigned to the WG3 Working Group.
3. The Medical Standards in Health, specifically associated with the different risk factors considered, which in many cases give the technical guidelines to follow in terms of prevention, measurement and control measures.
As of the closing date of this state-of-the-art study, unlike the majority of Committees, TC 283 has not submitted its Business Plan or its strategic approach for public review. There are also no significant advances regarding the ISO 45001 Implementation Manual, as a task assigned to the WG3 working group.

Appendix A.7

OTHER GENERAL AND SPECIALIZED STANDARDS OF RECENT PUBLICATION OR
Timeline in Technology Development, QHSE3+ Standards and expression

By observing the chronological development of different techniques of know-how and their deployment in daily life and work, construction, or manufacturing, or by analyzing the development of schools of control, quality assurance, and total quality, among others, the emergence of a large number of standards on management systems can be observed.
In all cases, what has been standardized or established by agreement as the best solution at scale is fundamentally a set of requirements, which are named best practices: the key tricks for carrying out activities with a lower possibility of failure.
At the beginning, these good practices are the best-kept secrets of families and transmitted from parents to children by oral tradition. Later, they become the teachings of artisans in the family or the teacher to the apprentice and finally become the knowledge and know-how or the heritage of a conglomerate, an ethnic group, or a particular group.
The reality is that, in one way or another, this knowledge has always been consolidated as a set of best practices that focus on reducing the different types of risks linked to failures, noncompliances, malfunctions, ineffective performance, or conditions of vulnerability. Figure A7 summarizes the chronological milestones in the development of energy, knowledge, techniques, and concepts of quality (Q-ISO 9001, Family 9k), occupational health and safety (HS-ISO 45001, Family 45k), environmental management (E-ISO 14001, Family 14k), energy efficiency (E2-ISO 50001, Family 50k), risk management (ISO 31000 Family 31k), and standards on business continuity plans.
This illustration comprehensively takes into account relevant actors, milestones, and parallel axes of significant events in the history of humanity, and with it, the history of art, music, technology, and mega-projects. The development of best practices is also associated with risk management in the history of mankind, the development and expansion of the frontier of knowledge, expression, significance, and the development of administrative thinking.
In Figure A7, this approach is illustrated in detail, considering the chronology of the development of management systems in correlation with key milestones in the history of energy, humanity, and artistic expression, and combined with the projections, the convergent developments in NBICE technology [13,100] and its implications for businesses are on the horizon.
Most of the approaches formulated in each of the requirements and best practices standards had a foundation generated well before the publication of the reference models in question, and this was taken into account directly and indirectly when formulating the concepts, definitions, blocks of terms and requirements, and guidelines for application and specific topics that lead the topics within the TC ISO Technical Commissions. This is illustrated in the lower right area referring to each TC of the families of standards (See Figures A1-A5), which develop each component of the QHSE3+ model and indicate the years in which the successive reviews were carried out.
The ISO 22313: 2020 Standard (guide for the application of ISO 22301: 2018 on business continuity management) has been added, as well as ISO 22320: 2018 on incident management, developed from TC 292, Security and Resilience, given its importance to support management systems and respond to crises and contingencies associated with COVID-19 or other types of emergencies.

Figure A7. Timeline in the development of QHSE3+ standards in correlation with the milestones of humanity [13,100].

E.1. Market and Competition
Fluctuations and variations in the market associated with supply, demand, competitors, participation and portfolio acceptance.

E.2. Geopolitical
Implications linked to conflicts, new trends, political, economic and military relations between countries, groups or regions.

E.3. Legal
Variations in the legal and regulatory provisions related to the operation and the portfolio of the organization.

E.4. Macroeconomic
Fluctuations in inflation, exchange rates, monetary policies and interest rates at the local, regional and global levels.

E.5. Technology
Safe emergence of new tools, applications, platforms and technological developments for services and operations.

E.6. Natural phenomena
Possible occurrence of natural phenomena and non-anthropic disasters with an impact on the operation and on the supply/demand.

E.8. Contingencies. Epidemics
Implications in the behavior of the context, due to the irruption of contingencies, plagues or epidemics.

E.9. Other External Topics
Other types of external R/O with relevant impact on the organization and its sustainability.

Topics related to External R/O: External General Block.

E.7. Security and Public Order. Relationship with stakeholders
Public order and relationship with external interest groups that have impact on the operation, image and results of the organization.

Conditions related to Talent and Behavior for Energy Efficiency.

Conditions related to Generation and Cogeneration.
Technical management for heat and cold management.

Conditions related to Financial Leverage Resources.

Obsolescence, Contingencies and Contingencies of the Infrastructure for Energy Efficiency.