The exciting world of policies and procedures

Policies and procedures may not be the most exciting of topics, but they can help you get things done, avoid legal prosecution and prevent internal politics.

If a younger version of myself could see me writing this post he would be appalled. Back in the 90s web design was all about innovation, creativity and technical challenges. It certainly had nothing to do with policies and procedures.

But things change. Although web design is still full of innovation, the web itself has grown up and become business critical for many organisations. With so much riding on the success of an organisation’s digital strategy, you cannot leave things to chance. You cannot allow things to slip between the gaps.

As was discussed in the last post of this series, one way of mitigating this risk is to have clear roles and responsibilities. However, that is not the whole story. We also need to consider policies and procedures.

My definition of policies and procedures

The reason my younger self would frown on this article is because he had a specific (and in my opinion inaccurate) view of what policies and procedures were.

Policies and procedures should not be (as I used to perceive) inflexible documents that lay down absolutes that are not open to evolving over time.
They should not be documents that get in the way of innovation, but rather provide a structure for best practice to flourish.

Policies and procedures are not about control and limitations, but about ensuring that nothing is missed and quality is maintained. These are values everybody should get behind. Nobody wants mistakes made and nobody wants a poor quality website.

So with that in mind, what kind of policies and procedures do you need in place to run an effective website?

What policies and procedures do you need?

Unfortunately, there is no one size fits all when it comes to this sort of thing. It is dependent on the nature of your site, audience and organisation. However, generally you need to be looking at three broad areas:

  • Legal
  • Strategic
  • Managerial

Let’s look at each in turn.

Legal

Most organisations have certain legal obligations when it comes to their website. The exact nature of these obligations varies depending on the country in which they are based.

Having a policy in place around these legal issues ensures that a) you meet your legal requirements and b) somebody is responsible for handling any issues arising in this area.

Take for example the issue of privacy. Most organisations have legal obligations surrounding how data is held and used. Also in the European Union, companies have requirements surrounding how they monitor users, especially in the use of cookies.

Your privacy policy is not just a statement on the website. It should also include who is responsible for privacy, what is acceptable and how key pieces of legislation are addressed. Finally it should also have a clear procedure about handling complaints.

Handling complaints is also crucial when it comes to accessibility. Over recent years there have been high profile cases of companies being prosecuted over accessibility.

The Target accessibility case is a prime example of why having policies in place is so important.

These companies’ primary failure was in how they handled complaints about the inaccessibility of their site. Instead of addressing the issue, they largely ignored it. There was no policy for dealing with it and so it fell between the gaps.

Of course the best way of dealing with a complaint is to pre-empt it by making sure your site is accessible in the first place. However, what does that actually mean? This will vary from site to site and so you need an accessibility policy that sets out your approach and how you intend to maintain it.

Another privacy-related issue is that of email. For example, what is your policy on passing email addresses to third parties? How do you ensure this and other private data is held securely?

But the policy issues surrounding email don’t stop there. You also need to consider how often it is acceptable to contact people. Did you tell users you would only contact them once a week? If so, how are you going to ensure that happens? Also, did they opt-in, and what is your policy on them unsubscribing?

Depending on circumstances there may well be other legal obligations that require a policy position. However, for now let’s move on and look at strategic issues.


Strategic

Not all policies are legal. Some are more strategic in nature.

For example you could argue that the roadmap and business objectives we have already discussed in this series are policies. These documents help define the direction of the site and how decisions are made.

However, your strategic policies shouldn’t just focus on these documents; they should also consider the change control procedure surrounding them.

The business objectives and development roadmap are so crucial to a site’s success that they need protecting. The last thing the company needs is an opinionated director throwing his weight around, demanding his project is moved to the front of the development schedule.

It helps to have some safeguards in place to prevent this happening. You may decide that position on the roadmap is determined by the criteria I laid out in my previous post. But that still leaves the question: who makes that judgement?

When it comes to business objectives, what is your policy about updating this incredibly important list? Having a policy in place for this might seem over the top, but I have seen this list fluctuate radically based on the current whims of the CEO.

My point here is that well written policies can prevent your website going off track because of circumstances and personalities. This is true both on the strategic level and on the managerial level.


Managerial

Managerial policies relate to day-to-day practicalities of running an online presence. Just some of the issues they might cover include:

  • Social Media – What is your policy on employees using social networks? How are complaints handled? What guidelines exist surrounding what can and cannot be said on social networks? How are you going to handle libellous and incorrect statements made by others about your brand?
  • Technical – What policies are in place to ensure uptime of your site? How are analytics collected and processed? What is your backup procedure in case of data loss? What security measures are in place to prevent hacking? What browsers do you support? What is your search engine strategy?
  • Branding – What guidelines are in place over the use of your logo? What colour palette is associated with the company brand? How should images be sourced and used? What tone of voice should writing use?
  • Content management – Who can update content on the website? What procedures are there for removing content? What approval process is in place for new content being added?

The last area is one that particularly benefits from having policies in place. Many websites suffer from content bloat, making it hard for users to find the content they want.

This is often due to the distributed nature of content creation. Many individuals across the organisation are uploading content, but rarely remove it.

Often people become very protective of “their” area of the site and are wary of outside interference. It is therefore beneficial to have a policy in place to address the removal of out-of-date or unused content. This prevents every attempt at removing content from being a battle and instead turns it into simply implementing an agreed policy.

Not as bad as it sounds

I am aware all of this may seem overwhelming and maybe even a bit over the top. However, this does not need to be an onerous exercise. Most of the policies mentioned above may consist of nothing more than a couple of sentences. What matters is that somebody has written those sentences and is responsible for making sure they happen.

You may be thinking that having this information in your head is enough. It’s not!

First, you might not always be around. It is important this is documented for the next person who takes on your responsibilities. I have seen what happens when it isn’t, and trust me, it’s not nice.

Second, if it isn’t written down, it’s not official and others cannot sign off on it. A policy is an agreement across the organisation that things are going to happen in a certain way. Without that written agreement it just sounds like you are making things up as you go along!

It’s more powerful to say to an overprotective content owner that you are removing their content because of the official policy, than it is to say you are removing it because that is what you think needs doing.

Finally, having a written policy in place means you can demonstrate these issues have been considered if something goes wrong. Frankly this can be important in covering yourself in larger organisations. That is probably not a good thing, but it is the way things are.

Yes, policies can be boring to read and boring to write. However, that doesn’t mean they don’t have a role to play. At least that is my opinion. The question is do you agree with me? What policies does your company have about the web and do you find them useful? Let me know in the comments.
