There is a persistent belief in many organisations that compliance training is something to be endured rather than engaged with. Staff click through slides, pass a test and move on. Boxes are ticked, records are filed, and nothing fundamentally changes. The regulation is satisfied, but the culture is not.

This is a problem that has plagued the compliance training industry for years. It is also one that VinciWorks has spent considerable effort trying to solve. So when GB Railfreight (GBRf), one of the UK's largest rail freight operators, came to us with a challenge that went well beyond completion rates, we recognised that the work ahead required more than a platform and a content library.

It required a genuine rethink of what compliance training is actually for.

 

A safety-critical environment, a growing risk landscape

GBRf moves 20% of the UK's rail freight, running over 2,000 trainloads a week with 99% reliability. Its client list includes Network Rail, EDF and E.ON. In an industry regulated by the Office of Rail and Road (ORR) and the Rail Safety and Standards Board (RSSB), compliance is not a back-office concern – it is fundamental to how the business operates every single day.

By 2023, GBRf's Learning & Development Manager, recognised that the existing approach was not keeping pace. Training had been delivered in departmental silos, with no common standards, no shared oversight and no auditable picture of compliance across the business. Teams booked their own courses. Tracking was done in spreadsheets, or left to individual managers. Completion rates sat at around 60%.

The risk landscape, meanwhile, was growing, with spanning cyber threats, data protection, harassment, ESG reporting and a forthcoming DfT security inspection. The training was not growing with it.

They needed a solution that didn't just tell people what to do; it needed to show them, engage them, and make them want to learn more.

That last part is what matters most. Making people want to learn.

 

Thinking in years, not modules

One of the decisions that set this programme apart from the start was planning for the long term. Rather than selecting a library of courses and pushing them out, GBRf worked with VinciWorks to build a structured three-year compliance learning roadmap.

Year 1 was about laying the foundations: anti-bribery, cybersecurity, GDPR, modern slavery, phishing awareness, banter and sexual harassment in the workplace, and ESG basics. Critically, compliance training was embedded into onboarding from the outset, so the right mindset takes root from a new employee's first days.

Year 2 shifts from awareness to application: ESG practicals, unconscious bias, and a more deliberate focus on building a speak-up culture across the business.

Year 3 focuses on retention and depth: knowledge recaps to reinforce earlier learning, neurodiversity, ransomware awareness and supply-chain due diligence – areas where risks continue to evolve most quickly.

This is a progressive roadmap, not a one-off exercise. The goal was to deepen knowledge over time, ensuring that compliance learning grew alongside GBRf's business needs rather than remaining static as the risk landscape evolved. Topics were selected based on live risks and regulatory developments, with L&D, Legal and IT meeting quarterly to review and update priorities.

 

A different kind of partnership

GBRf partnered with VinciWorks in late 2023, deploying the VinciWorks Portal and in-browser editor across 1,400 staff. The rollout began as a 400-person pilot in December 2023 and scaled company-wide by March 2024.

The Portal gave GBRf centralised access to a course library of over 800 modules, covering compliance, information security, DEI and sustainability. What made the difference, though, was not the size of the library. It was the degree of operational control built into the technology.

Before the VinciWorks partnership, GBRf's cyber awareness training had been US-centric in tone and disconnected from the rest of the organisation’s learning. Different teams used different platforms with separate logins and no consolidated reporting. The L&D and IT teams knew that for training to reach everyone and change behaviour, it had to live in one place and feel relevant to the workforce using it.

Using VinciWorks’ in-browser editor, the L&D team could update language and policies in real time, add GBRf branding, insert custom content and assign courses for internal review without relying on external vendors for any amendments. If a policy changed on a Friday, staff could be trained by Monday. That agility matters in a regulated environment where requirements shift without notice.

Content was delivered through a mix of full-length, short-form and film-based formats, with varying elements. Courses covered anti-bribery, modern slavery, GDPR, cybersecurity, sexual harassment, and ESG, with formats and lengths adapted to the realities of different roles across the business.

That last point deserves some attention. GBRf's workforce includes over 900 operational staff, many of whom are train drivers working on safety-critical schedules. Compliance training that demands uninterrupted hours at a desktop is not realistic for that population. The approach had to be designed around how people actually work.

In this case, operational staff didn’t need to be drowned in eLearning right before they drive a train.

Because modules were accessible on iPads as well as laptops, staff could pause and resume training throughout their shifts. Short, digestible content blocks meant that operational staff were not excluded from the programme – they were part of it.

The implementation was seamless. VinciWorks gave GBRf hands-on support every step of the way. It meant GBRf could roll out the training with complete confidence.

 

The shift in numbers and in culture

The headline figure is striking: course completion rates rose from approximately 60% to 100% across 1,400 staff, achieved and sustained over two quarters. In L&D, that is rare, especially for compliance training. Reaching full completion at this scale, in a workforce that includes frontline operational staff,speaks to something beyond enforcement.

Employees voluntarily returned to GBRf's learning platform to take additional modules. That is not the behaviour of people treating compliance as an obligation to be discharged. It is the behaviour of people who found the training genuinely useful.

Staff feedback reflects this. “Really useful tool and engages your way of thinking,” one employee noted. “Good module. Recommend to all,” said another. These were unsolicited responses. Nobody asked for them.

That’s when you know it’s not a tick-box anymore.

 

Measurable business outcomes

The cultural shift translated into outcomes that reach well beyond the training log.

ISO 27001 accreditation was a strategic goal for GBRf. Achieving it requires demonstrable evidence of cyber awareness across an organisation - not just policy documentation, but proof that staff understand and act on what they have learned. The cybersecurity and information security training delivered through VinciWorks, together with the audit trail provided by GBRf's learning platform, gave auditors exactly the evidence they needed. Certification followed.

ESG credentials have become a genuine commercial asset. ESG training evidence now accounts for around 5% of scoring in tenders. Network Rail’s feedback specifically highlighted GBRf’s EDI practices and commitment to tackling modern slavery. Where a client asks for evidence of ESG in practice, GBRf can point to completed ESG training, policies, and active training cycles. What began as a compliance programme has become a business development tool.

 

The lesson here is not about technology

There is a temptation to credit the platform solely. The VinciWorks Portal is intuitive. The in-browser editor gives GBRf genuine autonomy over their training. The course library is broad, and the content quality is high. All of that matters.

But the deeper lesson from GBRf's journey is what compliance training must achieve before technology comes into the picture at all. It has to be relevant to the person completing it. It has to fit around the realities of their working day. It has to reflect the organisation they work for. And it has to treat people as capable of genuine engagement, not just as compliant with instructions.

Tick-box training treats the certificate as the goal. That is a low bar, and it tends to produce low results. Organisations that get compliance right ask a harder question: how do we build a programme that people engage with because it is worth engaging with?

GBRf asked that question, and answered it through a structured three-year plan, operationally intelligent content delivery, genuine customisation and a technology partner prepared to offer hands-on support throughout.

“VinciWorks is ahead of the curve. Their content, especially the video production, is among the best I've seen. They don't just deliver training; they help you build a culture that drives real, measurable change,” said GBRf’s L&D Manager.

While a 100% completion rate is something to be proud of, a workforce that understands why compliance matters and acts accordingly is the ultimate goal.

 

Shmuli Goldberg 

CMO at VinciWorks