Key takeaways
- A threatened strike by around 2,000 food and beverage workers at SoFi Stadium was narrowly averted days before the venue hosted World Cup matches.
- The incident shows why critical supplier risk cannot be treated as a one-time onboarding exercise.
- Supplier resilience depends on understanding the services a supplier supports, the risks that could disrupt delivery and the contingency plans available if the supplier fails.
- Regulators are increasingly focused on operational resilience, important business services, third-party dependencies and evidence-based self-assessment.
- The practical question for enterprise teams is simple: if a critical supplier came under pressure tomorrow, would you know the impact, the owner, the controls, the escalation route and the backup plan?
Introduction: What happened at the 2026 World Cup?
Days before the World Cup began, a supplier issue at one of the tournament’s highest-profile venues was narrowly avoided. Reuters reported that a union representing around 2,000 food and beverage workers at SoFi Stadium reached a tentative agreement with Legends Hospitality only days before the tournament. AP described the agreement as averting a planned strike ahead of the U.S. men’s opening World Cup match.
The strike was avoided through a tentative contract agreement. According to Reuters, the agreement included major wage increases, limits on subcontracting, restrictions on new automation technology and privacy protections linked to worker accreditation for major events. UNITE HERE Local 11 said the deal covered around 2,000 food and beverage workers and secured wage increases, job protections and privacy rights.
Kurt Petersen, Co-President of UNITE HERE Local 11, described the outcome plainly:
“In short, we won every major issue that we brought to the table.”
Legends Global also confirmed the agreement. In a statement reported by AP, the company said it was pleased to reach an agreement with workers and looked forward to providing “an outstanding hospitality experience” at the World Cup matches in Inglewood.
The timing mattered. SoFi Stadium, renamed Los Angeles Stadium for the tournament, is scheduled to host 8 World Cup matches. This was not a minor back-office service issue. It related to food and beverage operations at a major venue during one of the world’s most watched sporting events.
The dispute was resolved before disruption occurred. However, it still gives enterprise teams a useful warning. Critical suppliers often sit quietly in the background until a disruption makes them visible. Looking beyond football, the question is simple: how resilient are the suppliers your organization depends on?
Why does this matter for enterprise risk?
The SoFi case was a near miss. But other organizations have seen what happens when a critical supplier does fail.
For example, in June 2024, Synnovis, a pathology services provider used by NHS organizations in south-east London, suffered a ransomware attack. NHS England said the attack significantly reduced Synnovis’ capacity to process tests and caused delays to over 11,000 outpatient and elective procedure appointments.
The disruption quickly moved beyond the supplier itself. It affected hospital operations, patient appointments and the wider ability of NHS trusts to deliver services. The Synnovis CEO acknowledged the scale of the impact, saying:
“We are very aware of the impact and upset this incident is causing to patients, service users and frontline NHS colleagues, and for that I am truly sorry.”
For enterprise risk teams, the point is this: when a supplier supports a critical service, its failure can quickly become your operational resilience issue.
This is why third-party risk management cannot sit separately from operational resilience. Large organizations depend on suppliers for core operations across technology, facilities, logistics, security, customer service, data, payments, transport and outsourced services. The more critical the service, the more important it is to understand whether the supplier can continue operating under pressure.
The data supports this concern. The Business Continuity Institute reported that 43.6% of organizations experienced supply chain disruption due to third-party failures, making it the most frequent reason for disruption in its report. The World Economic Forum’s Global Cybersecurity Outlook 2026 also found that 65% of large companies by revenue identified third-party and supply chain vulnerabilities as their greatest cyber resilience challenge.
But supplier disruption does not need to be a cyberattack to matter, as the World Cup near miss shows. It can come from labor unrest, subcontractor failure, extreme weather, financial stress, geopolitical disruption, litigation, cyber incidents or operational capacity constraints. The common thread is dependency. If a supplier supports a critical service, supplier risk can become operational risk very quickly.

How do you know which suppliers are truly critical?
Not every supplier carries the same level of risk. A supplier becomes critical when its failure could disrupt an important business service, harm customers, affect market integrity, create regulatory exposure or materially interrupt operations. That means criticality should not be judged by contract value alone. A low-spend supplier can still support a high-impact service if the organization depends on it to keep a key process running.
This is the logic behind the FCA’s operational resilience framework. Firms are expected to identify their important business services and consider whether they can remain within impact tolerances during disruption. In practice, that means organizations need to understand which suppliers support which services, where those suppliers operate, what systems or data they access, whether there are concentration risks and how easily the supplier could be replaced if something went wrong.
“The better question is not ‘How much do we spend with this supplier?’ It is ‘What happens if this supplier cannot perform?’ That shift matters because supplier resilience is about impact, not just procurement value.”
Why are onboarding checks of critical suppliers not enough?
Many third-party risk processes are strongest at the point of onboarding. The supplier is assessed, approved and added to the system. But once the supplier is live, the level of scrutiny can drop, even though the risk continues to change.
The SoFi example shows why that matters. A supplier relationship that may have looked stable in advance became a live operational issue close to a critical delivery window. The same principle applies across enterprise environments. A supplier that passed onboarding checks 12 months ago may later face workforce pressure, financial stress, cyber exposure, subcontractor changes, ownership changes, litigation, sanctions exposure or service performance issues.
That is why static due diligence needs to be supported by ongoing monitoring and issue management. Organizations need clear triggers for reassessment, including contract changes, incidents, external news, regulatory warnings, service failures, cyber risk changes and changes in subcontracting. A clean onboarding assessment tells you what was true at a point in time. Resilience depends on knowing what has changed since.
The FCA’s operational resilience observations make the same wider point: operational resilience is not static. Firms need to keep reviewing their resilience measures as the external environment evolves. For critical suppliers, that means moving beyond one-off onboarding checks and building a process that can spot, escalate and evidence changes in risk over time.
If not onboarding, where does supplier resilience usually fail?
If onboarding is only the starting point, the next question is where supplier resilience usually breaks down. In many organizations, the issue is not a lack of effort. It is a lack of connected visibility.
Common examples include:
- Poor supplier mapping: teams cannot quickly identify which suppliers support which critical services.
- Weak ownership: there is no clear accountable owner when supplier risk changes.
- Siloed data: procurement, risk, compliance, legal, cyber and operations each hold different parts of the supplier risk picture.
- Inconsistent criticality scoring: suppliers are classified differently across teams, making it harder to prioritize the highest-risk relationships.
- Weak monitoring: risk signals are identified manually, inconsistently or too late.
- Limited scenario testing: teams have not tested what would happen if a critical supplier failed during a high-pressure period.
- Poor evidence: the FCA’s operational resilience observations show continued focus on board engagement, frameworks and evidence-based self-assessment. Yet many teams still struggle to prove what was reviewed, approved, escalated or remediated.
What should organizations be asking about their critical suppliers?
A stronger approach starts with better questions. Organizations need to know which suppliers support their most important business services and which suppliers have no realistic short-term substitute.
To build a clearer picture of supplier resilience and prioritize vendors, organizations should be asking:
- Which suppliers support our most important business services?
- Which suppliers have no realistic short-term substitute?
- Which suppliers rely on subcontractors we do not fully understand?
- Which suppliers have access to sensitive systems, data or customer operations?
- Which contracts contain clear continuity, notification, audit and exit rights?
- Which supplier risks are being monitored after onboarding?
- Which internal owner is accountable if risk changes?
- What evidence can we provide to show action was taken?
These questions go beyond a simple assessment of whether a supplier has passed due diligence. They help organizations understand the nature of the dependency, the potential impact of disruption and the effectiveness of their ongoing oversight.
Good critical supplier resilience in practice
Good critical supplier resilience starts with a clear supplier inventory. That inventory should identify the supplier’s criticality, the services it supports, its risk rating and the accountable internal owner. Due diligence should then be proportionate to the supplier’s importance, with more scrutiny applied where supplier failure could disrupt critical services, affect customers or create regulatory exposure.
Ongoing monitoring is also essential. As the FCA puts it,
“Operational resilience is not static. The external environment continues to evolve and scenarios that seemed implausible in the past may now be more likely. This underscores the importance of firms taking a dynamic approach including regularly reviewing operational resilience measures.”
Operational resilience: insights and observations one year on | FCA
In practice, that means organizations need defined escalation routes when supplier risk changes. They need contractual clarity around business continuity, exit rights, audit rights, breach notification and subcontracting. They also need scenario testing for supplier failure, cyber incidents, labor disruption, location disruption and service outages.
Good resilience also depends on remediation workflows with clear deadlines, owners and evidence. If an issue is identified, the organization should be able to show who reviewed it, what decision was made, what action was assigned and whether that action was completed.
Board and committee reporting should then bring this together. Leaders need visibility over critical supplier exposure, control performance, unresolved actions, exceptions and emerging risks. The FCA reinforces this point clearly:
“Strong governance makes decision-making clear and aligned with regulatory expectations. This protects consumers and markets even during the most severe disruptions.”
Operational resilience: insights and observations one year on | FCA
The practical test is simple. If a critical supplier failed tomorrow, could the organization quickly identify the affected services, the accountable owner, the contingency plan, the open issues and the evidence trail? If not, supplier resilience is still too dependent on assumptions.
How can technology help supplier management?
Technology should never replace supplier judgment. Critical supplier resilience still depends on people making good decisions, understanding context and applying proportionate oversight. However, technology can make third-party risk management more visible, consistent and auditable.
As GRC analyst Michael Rasmussen put it on LinkedIn, “Third-party risk management is not simply vendor management. It is governance of the extended enterprise.”
That distinction matters. Suppliers, vendors, service providers and outsourcing partners are not just names in a procurement system. Many are embedded in business processes, customer delivery, data flows, technology dependencies, regulatory obligations and operational resilience.
A connected governance, risk and compliance platform can help teams bring supplier information into one place and link it to the wider risk picture. Instead of treating a supplier record, risk assessment, contract, control, incident, issue and remediation action as separate pieces of information, teams can see how they connect. That matters because supplier failure rarely affects only one team. A change in supplier risk may affect procurement, legal, cyber, compliance, operations, finance and the business owner responsible for the service.
In practice, this means a critical supplier can be linked to the services it supports, the risks associated with that dependency, the controls in place, the policies that apply, the incidents reported and the issues still open. Automated workflows can then route approvals, reassessments, escalations and remediation actions to the right owners. If a supplier’s risk profile changes, the process does not depend on someone remembering who to email or where the latest spreadsheet is saved.
Dashboards also give leadership a clearer view of supplier exposure. Teams can see critical suppliers, overdue actions, risk ratings, control gaps, unresolved issues and resilience status in one place. That makes it easier to spot where supplier risk is building and where intervention may be needed.
Helio Correa, Head of Risk at Pool Re, described the reporting impact clearly:
“On a quarterly basis, I would say I’m probably saving a week or more just by having less data manipulation, fewer workarounds, and getting the data I need in a consistent format. For the ExCo, I don’t think I need to produce any reports anymore. They get everything they need from the dashboards. That alone saves us a lot of time because of CoreStream GRC.”
Audit trails are just as important. Boards and regulators increasingly expect evidence, not just policy. The FCA’s operational resilience observations point to the importance of governance, self-assessment and ongoing review. For supplier management, that means being able to show what was reviewed, who approved it, what was escalated, what action was taken and whether the issue was resolved.
The value of technology is not more supplier paperwork. It is a clearer view of dependency, ownership and action.
What can risk leaders learn from the World Cup’s potential SoFi strike?
The SoFi strike was averted, but the lesson remains. Supplier resilience is often tested under pressure, not during a planned review. A supplier can appear stable during onboarding and still become a live operational risk when circumstances change.
Organizations need to know which suppliers matter most, what could disrupt them, who owns the response and what evidence exists. That requires more than a completed questionnaire. It requires visibility over critical dependencies, ongoing monitoring of risk signals, clear escalation routes, action tracking and defensible evidence.
Supplier resilience also supports a broader value-based approach to GRC. As Paul Cadwallader, GRC Strategy Director at CoreStream GRC, explains:
“Value-based GRC empowers an organization to achieve the right objectives with confidence.”
The strongest third-party risk programs are not built around supplier assessments alone. They are built around the ability to understand change and respond quickly when supplier risk becomes operational risk.
For enterprise teams, the practical question is simple: if a critical supplier came under pressure tomorrow, could you identify the affected services, the accountable owner, the contingency plan, the open actions and the evidence trail?
Frequently asked questions on World Cup stadium strike & critical supplier resilience
The narrowly averted strike at SoFi Stadium highlights that supplier risk is not static. Even trusted, established suppliers can quickly become operational risks due to factors like labor disputes, financial stress, or subcontractor issues. It demonstrates that organizations must continuously monitor supplier risk, rather than relying solely on initial onboarding checks.
Ongoing monitoring ensures organizations can detect emerging risks, such as workforce unrest, cyber threats, or service disruptions, before they impact critical business services. Regulators increasingly expect businesses to prove they have real-time visibility, clear ownership, and escalation processes in place to maintain operational resilience under pressure.
A supplier is considered critical if its failure would disrupt important business services, impact customers, or create regulatory exposure. This goes beyond contract value: low-cost suppliers can still be high-risk if they support essential operations. Effective identification requires mapping suppliers to business services, assessing dependencies, and evaluating the potential impact of disruption.
Organizations can strengthen resilience by maintaining a clear supplier inventory, assigning accountable owners, implementing continuous risk monitoring, and testing contingency plans. They should also ensure contracts include business continuity and exit provisions, and maintain audit trails to demonstrate compliance and decision-making to regulators.


