Does my organization have appropriate website oversight?

Co-written By: Cheryl R. Olson and Kurt Deutscher

While the website is an extension of a nonprofit organization’s brand, it also has some important compliance functions. Every organization struggles with the right balance of oversight in many areas, but here are three areas that organizational staff could consider for sufficient website oversight.

Accountability. There needs to be an employee at a nonprofit organization who has the responsibility for website oversight, and this responsibility should be documented in the position description. This employee is the leader, or champion, who provides direction, establishes goals, provides the necessary tools, and allocates the appropriate resources and budget. Information Technology is usually responsible for the hardware, software, security and other technical infrastructure. The functions of building, developing and maintaining the website are delegated to multiple people and often include third-party providers/contractors. However, the oversight responsibility cannot be delegated outside the organization.

The ultimate accountability for the website needs to rest with one person, while multiple people may have website responsibilities within an organization. Each nonprofit will need to identify the most appropriate role. The people most commonly involved are staff or volunteers in Marketing/Communications, Program, Information Technology, or Administration. In a perfect world, Information Technology staff are part of all significant communications and plans to monitor and maintain the website to ensure alignment with the strategy and capabilities. Since staff in various departments in all types of organizations provide current content and can request changes as needed, clear roles and responsibilities between all that are involved are required.

Policies and Procedures. Is the staff person with the overall accountability aware of what types of things need to be monitored, and are they delegating to internal or external experts for review? Are there written procedures and protocols that all staff have access to? Here are some oversight areas to keep in mind beyond the uptime and visitor monitoring information:

Senior Management

• Is your website’s domain registered in the name of your organization?
• Is your domain name registration set to automatically renew when payment is due?  If not, have you identified someone to be responsible for making payment?
• Is your organization’s domain name registration company located in the United States?
• Is all the contact and ownership information associated with your organization’s domain(s) up-to-date and reviewed annually?
• Do you have Human Resource policies and procedures in place to remove former employees’ and volunteers’ website credentials (username and password and/or publishing/editing access) immediately upon termination?
• Is your organization compliant with laws and regulations related to donations, links to other entities, access by children, privacy rules, etc.?

Information Technology

• Have the required and reasonable accommodations been made with the coding of your website to serve audiences using adaptive technologies to view your website? Does it meet basic accessibility standards?
• Do you update an employee’s website, web hosting and software service credentials upon reassignment within the organization?
• Does your organization have a system in place for annually removing abandoned and out-of-date software, files, databases and scripts from the website’s hosting account(s)?
• Does your organization remove all data from hard drives before recycling computers, especially those that have been used to update the website?
• Do appropriate staff have a current list of your vendors, such as hosting company(ies), software licenses, software-as-a-service providers, consultants, online donation processors and other web service providers, to help avoid getting caught up in scams, over billing, and unexpected service interruptions due to outstanding balances?

Marketing/Communications

• Is the website easy to navigate?
• Does your website provide some sort of feedback system, so that concerned visitors may alert your organization to potential website issues?
• Can visitors easily find your location and contact information?
• Is there brand consistency in appearance and tone between pages?
• Is information current and consistent with your marketing materials?

Record Retention. Every organization needs a record retention policy with clear guidelines on what needs to be kept and for how long and should include document destruction protocols. The website records should be held to the same retention standards as traditional records. Various court cases have shown that online content may be requested in e-discovery, litigation, or audit situations. As a matter of practicality, it is both time and cost prohibitive to keep records of everything every day, so decisions of “what” and “how often” will be based on business needs and risk areas identified in your risk management plan.

These decisions could include creating a stand-alone copy or snapshot of all content pages on the site at a particular time. At a minimum, keep copies of the main landing page and the page of each click through one-level down once a year, along with your written procedures on managing the site and logging changes. You could accompany the snapshot with a site map that shows the relationship of those pages to each other. Most likely, you are already using a content management system (CMS), which is a web application with features to add, edit, update and compile information for overall website management. The most important consideration is how your organization will maintain or restore content in case of equipment failure or disaster, which will be based on if you are using the screen shots, web server back-up software or an Internet-based service.

In addition to senior management, information technology, and marketing/communications staff, website oversight is a great conversation to have with your webmaster, risk management champion and external financial and legal advisors to ensure the organization is protected.

Cheryl R. Olson, CPA, CGMA - Nonprofit Solutions Strategist at Clark Nuber.

Kurt Deutscher - Founder and Principal Consultant at NetRaising.