How to Write a Website Governance Report for the Board | Socialectric

Most Communications Directors have never written a website governance report for their Board. Not because the Board would not benefit from one, but because nobody has asked for it. Website performance sits in a gap between the Communications Director's operational world and the Board's strategic oversight. The Comms Director knows the site intimately but reports on it informally, if at all. The Board sees the website when they visit it themselves, which is rarely, and makes judgments based on personal impression rather than evidence.

The result is that website governance, covering accessibility compliance, content accuracy, security posture, stakeholder experience, and institutional credibility, receives no formal oversight. The Board does not know what is working, what is failing, or what risks the website is creating. And the Communications Director has no mechanism for escalating concerns, requesting resources, or demonstrating the value of their work. The Charity Digital Skills Report 2025 found that 28% of charities now report that their boards have poor digital skills, an 11 percentage point jump from the previous year. This is not just about technical literacy. It means Boards are increasingly being asked to govern digital infrastructure they do not understand, without the reporting structures that would help them do so.

A website governance report fixes both problems. It gives the Board the information they need to provide oversight, and it gives the Communications Director the institutional framework to be heard.

What the Board needs to see

Board members do not need to understand web technology. They need to understand institutional risk, compliance status, and whether the website supports the organisation's strategic priorities. The report should be written in the same language as every other Board paper: clear, evidence-based, and focused on governance implications.

A practical website governance report covers five areas in no more than two pages.

The first is compliance status. Are WCAG AA accessibility requirements being met? Is the GDPR cookie consent implementation current? Are Charity Commission disclosure requirements satisfied? For each area, state whether the site is compliant, partially compliant, or non-compliant, with one sentence explaining the implication of any gap.

The second is content currency. How many pages have been reviewed in the reporting period? Are governance documents (annual report, accounts, trustee information, policies) current? Are programme descriptions accurate? Is there content on the site that is outdated, inaccurate, or no longer represents the organisation? A simple count of pages reviewed, pages updated, and pages flagged for removal gives the Board a concrete picture.

The third is stakeholder performance. What do analytics show about how the site's primary stakeholders are using it? This does not need to be a detailed analytics report. Three numbers are enough: total sessions, top entry pages (which pages are visitors arriving on), and conversion actions (donations started, contact forms submitted, governance documents downloaded). The Board does not need to interpret data. They need to know whether the site is being used by the people it was built for.

The fourth is security and infrastructure. Is the site hosted securely? When was the last security review? Are there known vulnerabilities? Who has admin access? A single paragraph confirming the status, or flagging a concern, is sufficient.

The fifth is recommendations. Based on the above, what should the Board know about, approve, or resource? This is where the Communications Director translates operational findings into governance decisions. "The accessibility audit identified three critical failures on the donation page" is a finding. "Resolving these requires a specialist review, estimated at £X, and I am requesting Board approval to proceed" is a governance request.

How to write it

The report should be no longer than two pages. Board members receive dozens of papers before each meeting. A five-page website report will not be read. A two-page report with clear headings, specific findings, and actionable recommendations will.

Use the same format as other Board papers in your organisation. If your Board papers have a standard template with headings for purpose, findings, risks, and recommendations, use that template. The website governance report should look like every other governance document the Board receives, not like a marketing dashboard or an analytics export.

Write for a reader who is intelligent, time-poor, and not technical. "The site's Largest Contentful Paint score is 4.2 seconds" means nothing to a trustee. "The homepage takes over four seconds to load on mobile, which is slow enough that visitors leave before seeing the content" means everything.

Lead with findings, not process. The Board does not need to know that you ran a Lighthouse audit. They need to know what the audit found and what it means for the organisation. Process belongs in an appendix if anyone asks for it.

State risks explicitly. If there is an accessibility failure that creates legal exposure, say so. If content is outdated in ways that would concern a funder, say so. If the security posture has gaps, say so. The Board's job is to govern risk. They cannot govern what they do not know about.

When to present it

Once a year, aligned with the annual governance cycle, is the minimum. Presenting alongside the annual report and accounts review is a natural fit, because the website should reflect the information in those documents.

Twice a year is better for organisations in periods of change: leadership transitions, major campaigns, funding growth, or platform migrations. During these periods, the website is under more scrutiny and the risks of governance gaps are higher. This is especially important given the leadership volatility in the sector: recent research indicates that one-third of nonprofit CEOs plan to leave their roles within two years, driven by burnout, accountability pressures, and board governance challenges. When leadership changes, the website governance report becomes part of the institutional knowledge that survives the transition.

The report does not need a dedicated agenda item at every meeting. An annual written report submitted as part of the Board pack, with the option for questions, is enough to establish oversight without consuming meeting time.

What this changes

A formal website governance report changes the institutional dynamic around the website in three ways.

It creates accountability. Once the Board has received a report on website compliance, content currency, and security, they have a documented awareness of any risks. This makes website governance a Board responsibility, not just the Communications Director's burden.

It creates a mechanism for resource requests. "I need budget for an accessibility review" is easier to approve when the Board has seen evidence that accessibility failures exist and understand the institutional risk they create.

It elevates the website from operational detail to institutional infrastructure. The Board's attention confers institutional importance. Once the website is a governance item, it is treated with the same seriousness as financial reporting, safeguarding, and programme delivery.

Question 1: What if the Board has never discussed the website before?

Start with a single-page summary covering compliance status, content currency, and one or two specific findings. Frame it as a governance briefing, not a request for input on design or content. The goal is to establish the website as a governance item, not to invite the Board to redesign the homepage.

Question 2: How technical should the report be?

Not at all. Translate every technical finding into its institutional consequence. The Board does not need to know what WCAG 2.1 AA means. They need to know that the donation page is not accessible to screen reader users and that this creates both a legal risk and a credibility risk with funders who assess accessibility compliance.

Question 3: What if the report reveals serious problems?

That is exactly what it is for. A governance report that only contains good news is not a governance report. It is reassurance. If the website has serious problems, the Board needs to know, because they are accountable for institutional risk. Presenting problems with clear recommendations gives the Board the information to act. Not presenting them leaves the organisation exposed without the Board's knowledge.

If you are preparing to present website governance findings to your Board and need a structured assessment to work from, a Blueprint Audit produces a Board-ready report covering compliance, content, stakeholder journeys, and technical infrastructure, with specific findings and prioritised recommendations.