
Reinventing rail compliance: how South Western Railway kept obligations under control through re-nationalization
Contracts change. Ownership changes. Reporting lines change. However, what does not change is the impact risk can have on a business. Obligations must be tracked, updated, evidenced, and reported. And if your Governance, Risk & Compliance (GRC) platform cannot flex with the business change, teams fall back to outdated methods: spreadsheets, inbox chasing and hoping nothing gets missed.
South Western Railway (SWR) is a prime example; during its shift from private ownership to nationalization, the contractual framework that underpinned day-to-day compliance completely changed. The team needed a practical way to manage the influx of new obligations without losing access to historic commitments that still mattered for audit, continuity and reassurance.
CoreStream GRC worked alongside SWR, a long-standing client, to keep compliance workable in the middle of the chaos of structural change, with a system that stayed intuitive for occasional users and beneficial for leadership reporting.
“I’ve used other systems before when I’ve worked in other places, and this is by far the best and most intuitive one I’ve used.”
James Ball, Head of Government Partnership at South Western Railway
About SWR
Industry: Passenger rail transport
Staff: over 5,000 full-time employees
Demand: Approximately 165.6 million passenger journeys according to 2025 stats
CoreStream GRC customer: 9 years
Challenge
When business changes, compliance systems either adapt or they break.
Rail compliance is not theoretical. It is constant delivery, reporting, and public accountability. SWR’s role includes managing the contractual relationship with the Department for Transport and making sure all obligations are met.
“I manage the contractual relationship between SWR and the Department for Transport, making sure we comply with all our obligations under any agreement we’ve got with them and doing what we’re asked of taxpayers’ money.”
James Ball, Head of Government Partnership at South Western Railway
Before nationalization, SWR had a long, detailed contract and a structured way to manage obligations in CoreStream GRC since 2017. Obligations were stored with owners, evidence, and visibility into where things stood.
“You could see evidence that we’d submitted against them and could easily pick out 1 obligation, know who in the business was responsible for it, and where it got up to.”
James Ball, Head of Government Partnership at South Western Railway
Then, when the business changed, the contract changed too. During an internal transition period, while the team was mapping out and trying to understand the changes, SWR went back to manual work for the new contract.
“Before we put the new contract on CoreStream GRC it was an absolute nightmare because we were just basically going back to using Excel and pen and paper and trying to make sure nothing got dropped.”
James Ball, Head of Government Partnership at South Western Railway
That “nothing gets dropped” problem is the real risk, and one we see often at CoreStream GRC. When obligation management becomes spreadsheet-led, 2 things happen fast:
- The work becomes fragile and dependent on a small number of people holding it together.
- Senior stakeholders get overwhelmed with noise, and the signal gets missed.
SWR felt that spreadsheet fragility.
“We had this huge spreadsheet… you’re always petrified that you’d end up deleting something off it.”
James Ball, Head of Government Partnership at South Western Railway
Solution
Purpose-built technology streamlined compliance requirements and provided assurance
Working with the CoreStream GRC implementation and customer success team, SWR was able to adjust and design their existing instance around the new contract and its many obligations. The key theme of the sessions was not “more features.” It was day-to-day usability. How do you make obligation tracking something the business can actually sustain, period after period, without the compliance team acting as the bottleneck?
1) The admin load dropped, and the chasing stopped
In most organizations, compliance teams waste time doing the same 3 things on loop: nudging, collecting updates, and rebuilding reports.
SWR cut that cycle.
“The CoreStream GRC platform takes a lot of the admin-heavy stuff out of our job. We don’t have to chase people or remind people what our obligations are.”
James Ball, Head of Government Partnership, SWR
Instead, obligation owners update directly in the system.
And because many users only log in once per rail period, the system has to be obvious, not fragile.
“A lot of the business now can just self-serve… put an update in themselves.”
“We’ve never had an issue with anyone not being able to use the system. People do seem to work it out for themselves… I’ve never had formal training on it.”
This ease of use is something Alice Stoodley, Senior Government Partnership Management, called out too:
“The CoreStream GRC interface is easy to use which has been noted by many stakeholders and admin side of things, easy to update and check back for audit.”
2) Leadership reporting became fast, visual, and value-driven
When reporting is complex, it often becomes slow; delays follow, and the report arrives late. And when it’s late, leaders stop trusting it.
CoreStream GRC helped SWR show progress quickly, in a format directors actually engage with:
“More recently we had a big update which really helped the way we report and need to review compliance.”
Alice Stoodley, Senior Government Partnership Management
3) Legacy obligations were archived properly, so the live contract stays clean
This was not a tidy-up exercise.
This was the difference between a system people use and a digital mess people avoid.
SWR separated the old contract from the new one. It stayed accessible when needed, but stopped weighing down day-to-day work. That change removed overload immediately:
“You’re not battling through the thousands of obligations from that contract whilst also looking at the current contract. There’s a secure archive space for the old work, which we can reference back to, but it’s clean and intuitive for employees and new starters.”
James Ball, Head of Government Partnership at South Western Railway
Results
Fewer points of failure, better continuity, and real capacity back
SWR’s outcomes were operational. Less admin. Better governance. More resilience.
“It probably saves at least one FTE in my team from just having to manage that repository.”
1) Better continuity and less “single point of failure” risk
If compliance depends on fragile spreadsheets, you are one mistake away from losing trust and losing control.
CoreStream GRC gave SWR confidence that the record would hold up even under disruption.
“If we ever did have a real catastrophic IT failure, we’d be able to just open up CoreStream GRC, and it would still be all there. It’s idiot proof… no one can go on there and mess with it and move things around.”
2) Clearer risk control tied to business objectives
When risk control operates in a silo and does not have the overall business values embedded within it, it becomes a burden to organizations and their staff. People see it as extra admin, leadership gets noise instead of insight, and the work drifts back to spreadsheets and inbox chasing.
SWR’s experience with CoreStream GRC is the opposite. For them, contract and compliance management is directly tied to how the business runs: staying on top of obligations, avoiding missed deliverables and accurately proving what’s been done without burning time.
At a practical level, that meant the platform became a control mechanism that the business could actually operate day to day, not a repository that only a specialist team understands.
As James Ball puts it:
“The platform allows us to clearly track our obligations and make sure they don’t get forgotten about. That mitigates one of our big governance risks.”
The efficiency points matter in a public service context. When admin effort drops, the organization can focus resources where they actually belong.
“It is all about risk management and efficiency for us. It means we’re reducing the amount of taxpayer support we need because I’m not having to have a whole team of people wasting time.”
James Ball, Head of Government Partnership at South Western Railway
What SWR’s GRC team would advise professionals choosing a GRC platform
SWR’s advice is grounded in the real failure pattern they’ve seen across organizations: platforms that look impressive in a demo but end up usable only by a few technical experts within the team.
“Make sure you’re getting a system that can be adapted and is easy to use.”
“Make sure you’re not getting something that only you and a select couple of others can use, because otherwise you’re baking in inefficiency.”
Usability is not cosmetic here. It’s what drives adoption as responsibilities shift across the business, new owners take on obligations, and teams change over time.
“You don’t want to be having to give people day-long training every time a new business owner joins.”
Want to see how the CoreStream GRC platform would work in your environment?
If you manage large volumes of obligations, deal with contract change, or want effective GRC leadership reporting without inbox overload, this is the exact problem pattern CoreStream GRC can solve.
About CoreStream GRC: the flexible, no-code solution for GRC success
CoreStream GRC is a dynamic, flexible platform that revolutionizes governance, risk, and compliance (GRC) management. Built to be scalable and intuitive, CoreStream GRC empowers organizations to design and implement their ideal GRC solution with ease, supported by a team of experts. With a user-friendly, no-code interface and customizable features, CoreStream GRC is the perfect tool for businesses that need efficiency and flexibility without the complexities of traditional software.
CoreStream GRC’s platform is trusted by global organizations such as the BBC, Deloitte, NHS, PwC Middle East, and Shell Energy, delivering real, measurable value to help companies manage their risks and compliance requirements.
Frequently asked questions
South Western Railway managed compliance during re‑nationalization by using a flexible Governance, Risk & Compliance (GRC) platform that could adapt to major contractual change without disrupting day‑to‑day operations. When ownership shifted and a new contract was introduced, SWR needed to onboard a large volume of new obligations while retaining visibility of historic commitments for audit and assurance. CoreStream GRC enabled SWR to restructure its compliance framework, track new obligations reliably, and archive legacy contracts securely, avoiding reliance on spreadsheets and manual chasing that increase operational risk during periods of organizational transition.
The biggest compliance risks when rail contracts change are obligation loss, reporting failure, and over‑dependence on manual processes. As South Western Railway experienced, switching contracts during re‑nationalization initially forced teams back into Excel spreadsheets, increasing the risk of missed obligations, accidental deletions, and single points of failure. Without a robust obligation management system, leadership reporting becomes noisy and slow, confidence drops, and compliance teams spend excessive time chasing updates rather than managing risk. A purpose‑built rail compliance platform mitigates these risks by enforcing ownership, evidence capture, and real‑time visibility.
Obligation management is critical for rail governance because rail operators are accountable to government bodies, taxpayers, and regulators for delivering against complex contractual commitments. For South Western Railway, managing obligations under Department for Transport agreements required constant tracking, evidence submission, and assurance that nothing was missed. A structured obligation management system allows rail organizations to prove compliance efficiently, reduce audit risk, and maintain public trust, especially during periods of government oversight, franchise change, or re‑nationalization.
A GRC platform improves rail compliance reporting by delivering fast, visual, and decision‑ready insights instead of spreadsheet‑driven noise. At South Western Railway, CoreStream GRC enabled leaders to quickly understand compliance status without wading through thousands of obligations or delayed reports. Automated updates from obligation owners, clear dashboards, and structured reporting meant directors could focus on risk, outcomes, and assurance rather than administrative detail. This clarity increased trust in reporting and ensured governance kept pace with operational change.