General This Standard was prepared by a security risk assessment (SRA) committee of API to assist the petroleum and petrochemical industries in understanding conducting SRAs. The standard describes the recommended approach for assessing security risk widely applicable to the types of facilities operated by the industry and the security issues the industry faces. The standard is intended for those responsible for conducting SRAs and managing security at these facilities. The method described in this standard is widely applicable to a full spectrum of security issues from theft to insider sabotage to terrorism. The API SRA methodology was developed for the petroleum and petrochemical industry@ for a broad variety of both fixed and mobile applications. This Standard describes a single methodology rather than a general framework for SRAs@ but the methodology is flexible and adaptable to the needs of the user. This methodology constitutes one approach for assessing security vulnerabilities at petroleum and petrochemical industry facilities. However@ there are other risk assessment techniques and methods available to industry@ all of which share common risk assessment elements. Ultimately@ it is the responsibility of the user to choose the SRA methodology and depth of analysis that best meet the needs of the specific operation. Differences in geographic location@ type of operations@ experience and preferences of assessors@ and on-site quantities of hazardous substances are but a few of the many factors to consider in determining the level of SRA that is required to undertake. This standard should also be considered in light of applicable laws and regulations. Overview Users should manage security risks by first identifying and analyzing the threats@ consequences@ and vulnerabilities facing a facility or operation by conducting a formal SRA. A SRA is a systematic process that evaluates the likelihood that a given threat factor (e.g. activist@ criminal@ disgruntled insider@ terrorist) will be successful in committing an intentional act (e.g. damage@ theft) against an asset resulting in a negative consequence (e.g. loss of life@ economic loss@ or loss of continuity of operations). It can consider the potential severity of consequences and impacts to the facility or company itself@ to the surrounding community@ and on the supply chain. The objective of conducting a SRA is to assess security risks as a means to assist management in understanding the risks facing the organization and in making better informed decisions on the adequacy of or need for additional countermeasures to address the threats@ vulnerabilities@ and potential consequences. The API SRA methodology is a team-based@ standardized approach that combines the multiple skills and knowledge of the various participants to provide a more complete SRA of the facility or operation. Depending on the type and size of the facility or scope of the study@ the SRA team may include individuals with knowledge of physical and cyber security@ facility and process design and operations@ safety@ logistics@ emergency response@ management@ and other disciplines as necessary. Sequential Activities The API SRA methodology includes the following five sequential steps. 1) Characterization-Characterize the facility or operation to understand what critical assets need to be secured@ their importance@ and their infrastructure dependencies and interdependencies; 2) Threat Assessment-Identify and characterize threats against those assets and evaluate the assets in terms of attractiveness of the targets to each threat and the consequences if they are damaged@ compromised@ or stolen. 3) Vulnerability Assessment-Identify potential security vulnerabilities that enhance the probability that the threat will successfully accomplish the act. 4) Risk Evaluation-Determine the risk represented by these events or conditions by determining the likelihood of a successful event and the maximum credible consequences of an event if it were to occur; rank the risk of the event occurring and@ if it is determined to exceed risk guidelines@ make recommendations for lowering the risk. 5) Risk Treatment-Identify and evaluate risk mitigation options (both net risk reduction and benefit/cost analyses) and reassess risk to ensure adequate countermeasures are being applied. Evaluate the appropriate response capabilities for security events and the ability of the operation or facility to adjust its operations to meet its goals in recovering from the incident.