  • Revision: 1st Edition, May 2013
  • Published Date: May 2013
  • Status: Active, Most Current
  • Document Language: English
  • Published By: American Petroleum Institute (API)
  • Page Count: 124
  • ANSI Approved: Yes
  • DoD Adopted: No

  • General

    This Standard was prepared by a security risk assessment (SRA) committee of API to assist the petroleum and petrochemical industries in understanding and conducting SRAs. The standard describes the recommended approach for assessing security risk widely applicable to the types of facilities operated by the industry and the security issues the industry faces. The standard is intended for those responsible for conducting SRAs and managing security at these facilities. The method described in this standard is widely applicable to a full spectrum of security issues from theft to insider sabotage to terrorism.

    The API SRA methodology was developed for the petroleum and petrochemical industry, for a broad variety of both fixed and mobile applications. This Standard describes a single methodology rather than a general framework for SRAs, but the methodology is flexible and adaptable to the needs of the user. This methodology constitutes one approach for assessing security vulnerabilities at petroleum and petrochemical industry facilities. However, there are other risk assessment techniques and methods available to industry, all of which share common risk assessment elements.

    Ultimately, it is the responsibility of the user to choose the SRA methodology and depth of analysis that best meet the needs of the specific operation. Differences in geographic location, type of operations, experience and preferences of assessors, and on-site quantities of hazardous substances are but a few of the many factors to consider in determining the level of SRA that is required to undertake. This standard should also be considered in light of applicable laws and regulations.


    Users should manage security risks by first identifying and analyzing the threats, consequences, and vulnerabilities facing a facility or operation by conducting a formal SRA. An SRA is a systematic process that evaluates the likelihood that a given threat factor (e.g. activist, criminal, disgruntled insider, terrorist) will be successful in committing an intentional act (e.g. damage, theft) against an asset resulting in a negative consequence (e.g. loss of life, economic loss, or loss of continuity of operations). It can consider the potential severity of consequences and impacts to the facility or company itself, to the surrounding community, and on the supply chain.

    The objective of conducting an SRA is to assess security risks as a means to assist management in understanding the risks facing the organization and in making better informed decisions on the adequacy of or need for additional countermeasures to address the threats, vulnerabilities, and potential consequences.

    The API SRA methodology is a team-based, standardized approach that combines the multiple skills and knowledge of the various participants to provide a more complete SRA of the facility or operation. Depending on the type and size of the facility or scope of the study, the SRA team may include individuals with knowledge of physical and cyber security, facility and process design and operations, safety, logistics, emergency response, management, and other disciplines as necessary.

    Sequential Activities

    The API SRA methodology includes the following five sequential steps.

    1) Characterization: Characterize the facility or operation to understand what critical assets need to be secured, their importance, and their infrastructure dependencies and interdependencies.

    2) Threat Assessment: Identify and characterize threats against those assets and evaluate the assets in terms of attractiveness of the targets to each threat and the consequences if they are damaged, compromised, or stolen.

    3) Vulnerability Assessment: Identify potential security vulnerabilities that enhance the probability that the threat will successfully accomplish the act.

    4) Risk Evaluation: Determine the risk represented by these events or conditions by determining the likelihood of a successful event and the maximum credible consequences of an event if it were to occur; rank the risk of the event occurring and, if it is determined to exceed risk guidelines, make recommendations for lowering the risk.

    5) Risk Treatment: Identify and evaluate risk mitigation options (both net risk reduction and benefit/cost analyses) and reassess risk to ensure adequate countermeasures are being applied. Evaluate the appropriate response capabilities for security events and the ability of the operation or facility to adjust its operations to meet its goals in recovering from the incident.