Business Challenge

The client was experiencing an increase in security incidents across its operating region and required a structured, risk-based approach to evaluate vulnerabilities and strengthen its security approach. Although the organization had security measures in place, there was no standardized methodology for assessing threats or prioritizing mitigation. A formal Security Risk Assessment (SRA) protocol was required to evaluate risks at a typical facility and provide a scalable framework that could be applied to other sites across the region.

Objectives & Success Criteria

The client sought to:

• Conduct a Security Risk Assessment for a standard facility within the operating area.
• Identify key security threats, vulnerabilities, and risk mitigation strategies.
• Develop a repeatable, standards-based methodology for future SRAs.
• Improve the security team’s ability to allocate resources based on risk.

Success was measured through the delivery of a comprehensive, API 780–aligned SRA, clear recommendations applicable to multiple facilities, and a framework enabling the client’s internal security team to conduct future assessments independently.

PMO Solution (What We Did)

PMO conducted the SRA using the American Petroleum Institute Standard 780 (API 780), an industry-recognized, risk-based and performance-based methodology designed for petroleum and petrochemical operations. This structured approach enabled PMO to assess security holistically while producing actionable and scalable recommendations. The SRA examined the facility’s assets, threats, vulnerabilities, and overall risk profile and identified appropriate risk treatments aligned with operational realities. PMO documented the findings and mitigation options in a comprehensive report, highlighting both site-specific recommendations and region-wide security improvement opportunities. PMO also ensured the client received a clear, repeatable framework aligned with API 780, enabling its internal team to conduct future SRAs consistently and effectively.

Key Components / Activities

• Application of API 780 Security Risk Assessment methodology
• Review of historical security incidents at the facility and within the region
• Characterization of facility assets and critical functions
• Thre at assessment tailored to regional operating context
• Vulnerability assessment across physical, operational, and procedural domains
• Risk evaluation using structured risk criteria
• Identification and prioritization of mitigation strategies
• Development of a repeatable SRA framework for internal use
• Delivery of a detailed SRA report summarizing findings and recommended actions

Outcomes & Impact

PMO delivered a comprehensive SRA that enabled the client to better understand security risks within its operating environment. The assessment identified vulnerabilities and recommended targeted risk treatments applicable not only to the assessed facility but also to multiple sites across the region. The client gained a clear, standardized framework for conducting future SRAs internally, improving consistency, strengthening security governance, and enabling more effective risk-based resource allocation. 

Lessons Learned / Challenges Overcome

One of the key challenges involved ensuring that the selected facility was representative of the broader operating region so that findings could be generalized. PMO addressed this through careful site selection and by identifying common themes and systemic vulnerabilities. A key lesson was the value of using a performance-based standard like API 780, which allowed risk treatments to be tailored to individual facility configurations while still supporting region-wide consistency.

Value Proposition Summary

PMO delivered a technically rigorous, API 780–aligned SRA that strengthened the client’s security posture and established a repeatable assessment methodology for future use. By combining industry best practices with practical, site-specific insights, PMO provided the client with actionable recommendations and a durable framework for ongoing security risk management across its operating region. This project demonstrates PMO’s capability to deliver high-value, risk-based security assessments for critical energy infrastructure.