The UK Hospitality Risk Toolkit 2026

Kitchens, Floors, Allergens and Licences — A Working Operator’s Reference

An Apex Insurance Brokers publication — 2026 Edition


Foreword from Apex

Hospitality is a business where the operating risk and the insurance risk are the same conversation. A kitchen with a clean TR/19 record, a slip register kept honestly, a Designated Premises Supervisor who runs the bar properly and an allergen process that catches the every-day exceptions is, almost by definition, a hospitality business that is also insurable.

This toolkit is written for the people who actually run the floors and the kitchens — the independent operator with two pubs, the gastropub MD with three sites, the hotel general manager with a hundred and forty rooms, the restaurant owner who finally has a chef they trust. It is not written for a corporate risk function or a head office compliance lead. It assumes you do the rota, you sign off the kitchen check, you handle the difficult complaint, and you read the renewal report.

It is also not a fire-safety manual, a food hygiene course, or a substitute for your designated competent person on H&S. It is a broker’s view of where the operating risks meet the insurance, the regulations and the case law that shape them, and the housekeeping that makes the difference at renewal and at claim. Where we cite legislation we have tried to be specific. Where we have generalised, we have flagged it.

This is general guidance — not regulated advice. For specific advice on cover, claim or compliance, speak to your insurance broker, your environmental health officer, your licensing solicitor and your food safety advisor.

— The team at Apex Insurance Brokers, Bristol


Chapter 1 — Kitchen Fire Prevention and the Fire Safety Regime

Why this chapter matters. Kitchen fires are the single largest cause of catastrophic property claims in hospitality. The regulations are clear and the housekeeping is mostly behaviour.

The Regulatory Reform (Fire Safety) Order 2005

The Regulatory Reform (Fire Safety) Order 2005 (the “Fire Safety Order” or RRO) is the principal fire safety legislation for non-domestic premises in England and Wales. Article 3 designates a “responsible person” — typically the employer, the person in control of the premises, or the owner — who carries the substantive duty. Article 9 requires a suitable and sufficient fire risk assessment. Articles 11 to 22 set out the substantive duties: fire safety arrangements, elimination or reduction of risk, fire-fighting and detection, emergency routes and exits, maintenance, safety training.

The Fire Safety Act 2021 amended the RRO to clarify its application to the structure, external walls and individual flat entrance doors of buildings containing two or more domestic premises (relevant for hotels and serviced accommodation with mixed-use elements). The Building Safety Act 2022 introduced additional duties for higher-risk buildings (broadly residential buildings of 18m or more, or seven storeys), which can include some hotel structures.

For hospitality, the practical takeaway is that the Fire Risk Assessment must be reviewed regularly, must reflect the actual use of the building, must address the kitchen and back-of-house specifically, and must be documented in a form an enforcement officer can read.

Ventilation duct cleaning to TR/19

TR/19 is the technical specification published by the Building Engineering Services Association (BESA) governing the internal cleanliness of ventilation systems, including kitchen extract ductwork. Insurers and fire risk assessors routinely require kitchen extract systems to be cleaned to TR/19 standards, with certificates retained.

The TR/19 cleaning frequency depends on cooking volume: heavy cooking premises (high-volume frying, charcoal cooking, wok cooking) typically require quarterly cleaning, medium-volume premises six-monthly, light-volume premises annually. The certificate from the cleaning contractor should specify which parts of the system were cleaned, how thoroughly, and what areas were inaccessible.

A common gap: the canopy and the first run of ductwork are cleaned, but the long horizontal ducts and the riser to the roof are not. Fire travels along grease — and grease accumulates exactly where the cleaner cannot reach.

[Kitchen risk-zone diagram showing canopy, ductwork, riser, deep fryers, gas appliances, walk-in fridge motor, with annotation of typical fire-origin points.]

Fire Safety Risk Assessment for sleeping accommodation

Hospitality premises with sleeping accommodation (hotels, B&Bs, hostels, serviced apartments) carry additional fire risk because evacuation involves sleeping guests. The Home Office’s Fire safety risk assessment: sleeping accommodation (originally published by DCLG, updated through Home Office iterations) is the relevant guide. It covers compartmentation, fire detection in bedrooms, escape routes, refuge arrangements, staff training and the management of the fire safety regime.

For hotels, the FRA should be a structured, regularly-reviewed document; staff training, including the night shift, should be evidenced; and the fire alarm and detection system should be on a planned maintenance programme with documented testing.

Gas safety — Gas Safe and the 1998 regulations

The Gas Safety (Installation and Use) Regulations 1998 require gas installation and maintenance work in commercial premises to be carried out by a Gas Safe registered engineer (until 2009 the scheme was CORGI). Commercial catering gas equipment carries additional requirements under the regulations and under specific guidance published by the HSE.

Annual gas safety checks for commercial catering equipment, with certificates retained on file, are standard practice and insurer expectation. The annual check covers appliance condition, flue and ventilation, gas-tightness and safety devices.

F-gas regulations for refrigeration

The Fluorinated Greenhouse Gases Regulations 2015 (as retained in UK law post-Brexit, with separate UK and EU regimes from 2021) regulate the use of F-gases in refrigeration and air-conditioning equipment. Hospitality premises with commercial refrigeration — walk-in fridges, chest freezers, blast chillers, ice machines, air-conditioning systems — must use F-gas certified engineers for installation, servicing, leak checks and decommissioning, and must maintain equipment records.

Leak checks at prescribed intervals are mandatory for systems containing 5 tonnes CO₂ equivalent or more. For most hospitality operators this means the walk-in fridge and the bar cellar cooling — equipment that is operationally critical and often the source of business interruption claims.

[Broker’s view sidebar — “When a kitchen fire claim lands, the first three documents the insurer asks for are the Fire Risk Assessment, the latest TR/19 duct-cleaning certificate, and the gas safety check certificate. The strength of a claim is often determined in the first hour after the loss adjuster sees those three documents. Keep them findable.”]

Common mistake: the false-positive duct certificate

[Common mistake call-out — “Accepting a TR/19 certificate that says ‘cleaned to TR/19 standard’ without inspecting what was actually cleaned. The certificate is a contractor’s self-statement. A reputable contractor will provide before-and-after photographs, identify inaccessible sections, and recommend access improvements. If yours doesn’t, ask why.”]


Chapter 2 — Slips, Trips and the Liability Record

Why this chapter matters. Slip and trip claims are the highest-frequency PL exposure in hospitality. The defence is in the documentation, not the floor surface.

The Workplace Regulations and the HSE position

Regulation 12 of the Workplace (Health, Safety and Welfare) Regulations 1992 requires every floor in a workplace to be of a construction suitable for the purpose, kept free from obstructions and from any article or substance which may cause a person to slip, trip or fall. The substantive duty is on the employer.

The HSE’s guidance on slips and trips, including its Slips and Trips Assessment Tool (STAT), and the HSE FAQ on liability claims, is the operational reference point. Insurers expect to see evidence of routine slip-risk assessment, appropriate floor surface selection, contamination control, and incident recording.

Slip-test data and the Pendulum Test Value

The Pendulum Test Value (PTV), measured using a portable skid-resistance tester (the BS 7976 pendulum), is the industry-standard measurement of floor slip resistance. PTV of 36 or above (in the wet) is considered low slip risk; below 24 is high risk. For new floor specifications, particularly in kitchens and food-service areas, ask for PTV data from the manufacturer or commission a test.

Common high-risk hospitality flooring includes glazed ceramic in wet areas, polished concrete in entrance lobbies, smooth timber on dance floors, and any sealed surface that has worn beyond its original slip-resistant finish.

The BLOPS book and contemporaneous reporting

The Body Located On Premises (BLOPS) record, sometimes called the incident book or accident book, is the contemporaneous record of accidents, near-misses and incidents on the premises. For hospitality, the BLOPS record is the single most useful piece of evidence in a slip-and-trip claim — it shows whether the operator was aware of the risk, what was done about it, and what the contemporaneous account of any specific incident was.

The discipline is simple: every incident, however minor, is recorded at the time, with date, time, location, names of witnesses, description of the event, and what was done. The record is signed off by a manager. If the incident is later subject to a claim, the record is the operator’s primary defence.

Data protection considerations apply: the record must be GDPR-compliant in its handling of personal data, with retention period (typically three to six years for liability claim purposes, longer if a claim is intimated) and access controls.

[Incident timeline diagram: T+0 incident → T+5 minutes BLOPS entry → T+30 minutes CCTV preserved → T+1 day risk reviewed → T+1 week any claim notified to broker.]

CCTV preservation — the 31-day standard

The Information Commissioner’s Office (ICO) guidance on CCTV in commercial premises recommends that footage be retained for the minimum period necessary for the stated purpose. For hospitality premises, a 31-day retention period is common practice — long enough to capture most incident-to-claim windows, short enough to be GDPR-compliant.

When an incident occurs, the relevant CCTV footage should be preserved separately (saved to a labelled file or removable media, with access logged) so that it survives the standard 31-day overwrite cycle. A documented CCTV preservation protocol, applied consistently, is a significant defensive asset.

RIDDOR — over-7-day and over-3-day reporting

The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 require reportable incidents to be notified to the HSE. The categories relevant to hospitality:

Hospitality common RIDDOR triggers include deep-fryer oil burns, knife injuries above the specified-injury threshold, falls from height (especially during cellar deliveries and external maintenance), and gas-leak dangerous occurrences.


Chapter 3 — The Licence and the Licensing Act 2003

Why this chapter matters. The Premises Licence is the operating asset. Loss or restriction of the licence usually ends the business — and the insurance has limited reach there.

The four licensing objectives

The Licensing Act 2003 (and equivalent regimes in Scotland under the Licensing (Scotland) Act 2005 and Northern Ireland under the Licensing (Northern Ireland) Order 1996) governs alcohol, regulated entertainment and late-night refreshment in England and Wales. The Act is structured around four licensing objectives:

  1. The prevention of crime and disorder
  2. Public safety
  3. The prevention of public nuisance
  4. The protection of children from harm

All licensing decisions — grant, review, variation, suspension, revocation — are made by reference to whether the application or operation promotes these objectives. They are the bar against which an operator’s conduct is judged.

The Designated Premises Supervisor

Every Premises Licence authorising the sale of alcohol must specify a Designated Premises Supervisor (DPS). The DPS must hold a Personal Licence and must be the person with day-to-day responsibility for the premises. The DPS does not need to be the licence holder, but is the named accountable individual for the alcohol-sale function.

A change of DPS requires immediate notification to the licensing authority and a transfer application. Operating without a DPS, or with a lapsed DPS, is a route to immediate enforcement action.

Mandatory licensing conditions — Schedule 4

Schedule 4 of the Licensing Act 2003 contains the mandatory licensing conditions that attach to every Premises Licence authorising alcohol sales. These include:

Failure to comply with mandatory conditions is an offence and a basis for licence review. The mandatory conditions sit alongside any additional conditions imposed by the licensing authority specific to the premises.

Challenge 25

The Challenge 25 protocol requires staff to challenge any customer who appears to be under 25 to produce acceptable proof of age (passport, photographic driving licence, PASS-approved card) before sale. Adopting and operating Challenge 25 is the default UK industry standard for proxy-purchase prevention and underage sale prevention.

Insurers expect operational evidence: staff training records, refusal logs (refusals to sell recorded with date, time, reason), and CCTV-supported test purchase performance where applicable.

Section 19 closure powers

Section 19 of the Criminal Justice and Police Act 2001 gives the police the power to close licensed premises immediately for up to 24 hours where there is disorder or a likelihood of disorder, or excessive noise causing public nuisance. The closure can be extended by application to a magistrates’ court.

Section 19 closure is a serious operational event and is, almost always, the precursor to a licence review under the Licensing Act 2003. The combination — closure and review — can result in restriction of operating hours, additional conditions, or revocation of the licence.

[Diagram: licensing objectives at the top, mandatory conditions below, with arrows showing how breach of conditions or harm to objectives triggers section 19, licence review, and the consequences.]

Personal Licence holder training — BIIAB and BII

Personal Licence holders must hold an accredited qualification — typically the Award for Personal Licence Holders (APLH) delivered by recognised awarding bodies including the BIIAB. The BII (British Institute of Innkeeping) operates a wider professional development framework for licensees including the BII Professional Licensee Hospitality (PLH) programme, which goes beyond the statutory minimum into operational competence.

For multi-site operators, a documented training matrix showing Personal Licence status, refresher training and PLH-equivalent competence is a useful renewal and audit asset.


Chapter 4 — Allergens, Natasha’s Law and Food Information

Why this chapter matters. The Owen Carey inquest and Natasha’s Law reframed allergen practice in UK hospitality. The legal landscape is unforgiving and the operational discipline is the defence.

The 14 declared allergens

The Food Information Regulations 2014 (implementing Regulation (EU) No 1169/2011 in UK law, retained post-Brexit) require food businesses to declare the presence of 14 specific allergens when they are used as ingredients:

Celery, cereals containing gluten, crustaceans, eggs, fish, lupin, milk, molluscs, mustard, nuts (tree nuts), peanuts, sesame seeds, soybeans, sulphur dioxide and sulphites (at concentrations above 10mg/kg or 10mg/L).

The declaration must be made for both pre-packed food (on labels) and non-pre-packed food (in writing, by signage, menu notes, allergen folder, or other reliable means).

Natasha’s Law — Food Information (Amendment) (England) Regulations 2019

The Food Information (Amendment) (England) Regulations 2019, commonly known as Natasha’s Law after the death of Natasha Ednan-Laperouse from an allergic reaction to a sesame-containing baguette, came into force in October 2021. The law requires food prepacked for direct sale (PPDS) — food packaged before sale, on the premises where it will be sold, for direct sale to the consumer — to carry a full ingredient label with allergens emphasised.

The PPDS category catches hospitality items like pre-prepared sandwiches, salads, cakes and bakery items displayed for self-service, grab-and-go items at hotel breakfasts and meeting venues, and any item that is packaged before the customer orders it. Items prepared to order in front of the customer (a made-to-order sandwich, a cooked meal) are not PPDS, but still require allergen information under the 2014 Regulations.

The Owen Carey inquest and FSA training expectations

Owen Carey, who died in 2017 after an allergic reaction to a chicken dish at a restaurant chain, was the subject of an inquest whose findings (and the family’s advocacy) drove a step-change in Food Standards Agency expectations on allergen training and operational discipline.

The FSA’s expectation, reinforced through training resources, industry guidance and enforcement practice, is that hospitality operators maintain documented allergen training for all front-of-house and kitchen staff, operate clear allergen communication protocols at order-taking, and maintain an allergen matrix or folder accessible to staff and inspectable by environmental health officers.

[Visual: 14-allergen panel with a PPDS labelling example showing ingredients, allergen emphasis, and date label.]

The operational discipline

The defence in an allergen claim — whether civil, regulatory or coronial — is operational documentation:

[Broker’s view sidebar — “The PI element of an allergen claim — where consultancy advice or recipe development is the alleged source of the harm — is a growing line. If your business model includes recipe consultancy, brand licensing of menus, or franchisee menu development, your PI cover needs to recognise this exposure explicitly. Standard restaurant package policies do not.”]


Chapter 5 — GDPR, Guest Data and Payment

Why this chapter matters. A hotel or restaurant holds more personal data per cover than most consumer-facing businesses realise. Cover, controls and retention all need to align.

What hospitality actually holds

A modern hospitality business is a personal-data processor of significant scale: guest names and contact details from bookings, payment card data, loyalty programme histories, dietary and accessibility data (special category data under UK GDPR), CCTV footage, Wi-Fi network logs, marketing consent records, and (for hotels) passport details and immigration register entries.

UK GDPR (the retained version of EU GDPR, supplemented by the Data Protection Act 2018) governs this processing. The ICO is the supervisory authority.

Article 30 records and the controller obligations

Article 30 of UK GDPR requires controllers to maintain records of processing activities. For hospitality, the Article 30 record should cover: the purposes of processing for each category of data; the categories of data subjects; the categories of personal data; the recipients of personal data; international transfers (relevant for franchise and group hotel chains); retention periods; and a general description of the technical and organisational security measures.

The Article 30 record is not just a compliance artefact — it is the operational map of what data the business holds and why. Insurers, particularly on cyber cover, increasingly ask for it at quotation.

Retention periods — the rough working defaults

There is no single statutory retention period for guest data; the GDPR principle of storage limitation requires data to be kept no longer than necessary for the purpose. Common working defaults in hospitality:

PCI-DSS for payment

The Payment Card Industry Data Security Standard (PCI-DSS) is the industry-mandated framework for payment card data. PCI-DSS compliance is contractual through the acquiring bank and merchant agreement, not statutory, but breach exposure (penalties from the card schemes, plus regulatory and reputational consequences of a payment data breach under UK GDPR) is significant.

For most hospitality operators, the practical position is to use PCI-DSS-validated card-acceptance technology (chip-and-PIN, contactless terminals, hosted payment pages for online bookings) that minimises the cardholder data the business directly handles. The lower the cardholder data the business touches, the lower the PCI-DSS scope and the lower the breach exposure.

Cyber cover and the GDPR-trigger

Standard hospitality package insurance does not provide first-party cyber cover. A stand-alone Cyber policy handles: ransomware (now substantially affecting hospitality through booking-system attacks), business interruption from system loss, breach response costs (forensics, legal, customer notification, ICO liaison), regulatory fine cover where insurable, and (sometimes) PCI-DSS penalty cover.

For multi-site operators with central reservation systems and group loyalty databases, Cyber cover sits alongside Commercial Combined and PL as a core line.

[Data flow diagram: guest booking → CRM → loyalty → CCTV → payment → retention periods, with GDPR controllers and processors flagged at each step.]


Chapter 6 — Manual Handling, Lone Working and Equipment

Why this chapter matters. Cellar work, kitchen prep and lone-working scenarios concentrate musculoskeletal and personal-safety risk. The cover responds to documented practice.

Manual handling — kegs, oil and dishwashers

The Manual Handling Operations Regulations 1992 require employers to avoid hazardous manual handling so far as reasonably practicable, to assess any remaining risks, and to reduce them to the lowest level reasonably practicable. The Regulations apply across hospitality but bite hardest in cellar work and kitchen back-of-house.

Specific hospitality hazards: keg handling (typical 50-litre keg weighs around 75kg full), drum-handling of cooking oil (20-litre drums and waste-oil collection bins), dishwasher rack lifting, glassware crate handling, and the change-out of deep-fryer oil at end of shift. Lifting aids (keg-lifts, drum trolleys, scissor-lift tables, oil-pump systems) are available for most of these tasks and their adoption is the practical compliance route.

Insurers reviewing an EL claim for a back injury sustained in cellar work will ask: was the manual handling risk assessed, what mitigation was in place, was the equipment provided used, and what training was given.

Lone working — HSE INDG73

The HSE guidance INDG73 (Working alone — Health and safety guidance on the risks of lone working) is the operational reference for lone working risk management. The guidance covers risk assessment, communication arrangements, training, supervision, and emergency response.

For hospitality, lone working scenarios include: early-morning kitchen prep before front-of-house arrive, late-night close-down and cashing-up, hotel night porter shifts, single-staff café operations, and delivery acceptance at quiet times. Each scenario should be risk-assessed; a check-in protocol (e.g. a manager call at start and end of shift, panic alarm provision, lone-worker app monitoring) is the standard response.

Post-COVID operating patterns increased lone working in casual-dining and quick-service formats. Where lone working is part of the operating model, the EL underwriter will want to see the risk assessment and the controls.

Gas Safety, electrical safety and PAT testing

Beyond commercial catering gas (Chapter 1), hospitality premises have wider electrical safety obligations. Portable Appliance Testing (PAT) is the colloquial term for the in-service inspection and testing of electrical equipment under the Electricity at Work Regulations 1989. The frequency depends on the equipment and environment; the IET Code of Practice for In-Service Inspection and Testing of Electrical Equipment is the working reference.

For hospitality, the high-risk electrical equipment includes commercial kitchen appliances, hand-held kitchen tools, bar refrigeration, and the staff-area microwave and toaster. A documented PAT regime with records retained is a baseline expectation.

Refrigeration, F-gas and the cellar

The cellar cooling and the kitchen walk-in fridge sit at the intersection of F-gas regulation (Chapter 1), business interruption exposure (refrigeration failure during a heatwave is one of the more common BI claims) and personal safety (CO₂ asphyxiation risk in beer cellars with leaking dispensing gas).

CO₂ monitor installation in cellars, with linked alarms and ventilation, is the operational control. The HSE has published specific guidance on cellar safety and CO₂ exposure; the cellar should not be entered alone during dispensing-gas changeover or known-leak events.


Chapter 7 — Professional Indemnity and Consultancy Risk

Why this chapter matters. Restaurant brands, recipe consultants and menu developers carry PI exposure that is not in their standard package cover.

Where PI risk emerges in hospitality

For operators running a single restaurant or pub, professional indemnity is not usually a primary line. PI exposure emerges when the business model extends beyond serving the customer in front of you:

Where consultancy or licensing income exceeds a small share of turnover, PI cover should be considered explicitly. The PI underwriter will rate the work mix, the limit, the basis (aggregate vs each-and-every) and the retroactive date as a separate underwriting decision from the operating Commercial Combined.

Brand-licence and franchisee allergen risk

A particular emerging exposure: a brand owner provides menu specifications and allergen matrices to franchisees, a franchisee serves a meal that causes an allergic reaction, and the brand owner is drawn into the resulting claim alongside the franchisee. The allegations may include negligent advice in the menu specification, failure to update the allergen matrix when a supplier changed ingredients, or failure to train.

For brand owners, this is a PI exposure that does not sit comfortably in either the Commercial Combined PL (which covers the operating premises) or the franchisee’s own cover (which covers the franchisee’s operating premises). Stand-alone PI for the brand-owner function is the answer.


Next Steps and About Apex

Where to take this

If you do one thing after reading this toolkit, do this: pull the three documents your kitchen insurer would ask for in a fire claim (Fire Risk Assessment, TR/19 duct-cleaning certificate, gas safety check certificate) and check that all three are current, findable and consistent with your actual operation. The discipline of doing that once a quarter is the difference between a claim that pays and a claim that drags.

For multi-site operators, the GDPR Article 30 record and the allergen matrix are the equivalent quarterly checks for the front-of-house side. If you do not have either, your insurance broker should be your first call.

About Apex Insurance Brokers

Apex Insurance Brokers Ltd is a UK insurance broker based in Bristol, working with hospitality operators across England, Wales and Scotland — restaurants, hotels, pubs, cafés, and multi-site groups. We are an independent firm authorised by the Financial Conduct Authority since 2014.

Contact us: - Telephone: 0117 325 0027 - Email: info@apexinsurancebrokers.co.uk - Web: apexinsurancebrokers.co.uk

Trading address: QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ Registered office: c/o Westcan, 5 Anglo Office Park, Bristol BS15 1NT


Useful Resources

Regulators and bodies

Legislation and key regulations referenced


Important regulatory information

This toolkit is general guidance only — not regulated advice. Always consult your broker on your specific cover and circumstances. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570.

This toolkit is published by Apex Insurance Brokers Ltd, authorised and regulated by the Financial Conduct Authority. You can verify our regulatory status on the FCA register at register.fca.org.uk. The toolkit is general information based on our experience as an insurance broker. It is not legal, food safety, fire safety or licensing advice and it is not a personal recommendation as to any specific insurance product. Any decision about insurance cover should be taken having regard to your business’s individual circumstances and advice from your own legal, compliance and technical advisors. We do not undertake to update this toolkit to reflect changes in regulation, market practice or law after the version date above.

Apex Insurance Brokers Ltd accepts no liability for any loss arising from reliance on the contents of this toolkit.

Reviewed by Matt Bartlett, Director. Last reviewed: June 2026.

— End of toolkit —

Talk to a specialist broker

Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.

Get a quote
Our service promise. We acknowledge every quote request the same working day. For straightforward risks, indicative terms typically follow within five working days. Complex risks — higher-risk buildings, cladding, mid-term proposals requiring fresh underwriting — may take longer; we’ll send you a progress note by the end of the fifth working day in those cases.
★ 4.0 on Trustpilot (verified)|Listed on the ARB PI broker list|FCA FRN 724952