Purpose of this content

To help you identify if you have the right governance structures and roles in place to measure and manage cost-effective online delivery.

To set out your responsibilities as a business owner or manager of an online product or service.


Agencies should have, or establish, governance functions around online delivery.

A key recommendation of Rethink Online was that government agencies appoint staff to key roles to inform effective online governance. It recommended a senior manager be appointed to be responsible for online strategy for the agency, and an online champion be appointed as a skilled advocate of good practice online.

Chief executives of government agencies are ultimately responsible for their agency’s online channel, and can expect assurance that their investment in it is efficiently managed.

If necessary, agency staff responsible for online services should promote the benefits of formal online governance structures at senior levels, to

  • strengthen a strategic approach to their agency’s overall web presence
  • foster good practice across the spectrum of online disciplines, from privacy and security, to usability and accessibility, to information and data management
  • seek linkages with other online initiatives in their sector or in wider government, to maximise efficiencies and optimise the user experience
  • ensure training programmes are in place that provide staff with the skills required to manage online products in accordance with required standards such as security and privacy management and accessibility.


For every online product that an agency operates, agencies should have clearly defined accountabilities and responsibilities defined by their online governance bodies.

The responsibilities of product owners

The product owner is a business manager who carries the accountability for a given system and ensures it is fit for purpose from a business viewpoint and is fit to operate on the public web.

If you are business owner of an online product you are responsible for:

  • assurance and formal acknowledgement that the product meets required standards in security and privacy management through a programme of periodic testing and assessment
  • assurance and formal acknowledgement that the product meets required standards in accessibility and usability through a programme of periodic testing and assessment
  • assurance that product meets the requirements of the Public Records Act
  • monitoring the costs of operating the online product
  • ensuring there are measurement, monitoring and reporting frameworks, and their associated performance targets, to provide on-going assurance that the product continues to meet both user and agency needs, and continue to justify investment
  • engagement with users as appropriate, to assess the ongoing usability of the product
  • ensuring adequate budget is available for on-going development / continuous improvement throughout the product’s lifecycle, in response to changes in user expectations or technology
  • managing the level of funding to allow for technical maintenance that can respond to changes in technology and the online threat landscape
  • ensuring system managers and publishers receive adequate training, according to their need, in accessibility, privacy management and security.

The responsibilities of product managers

Product managers take responsibility for the day-to-day operations of an online product and are responsible for maintaining its operational readiness online.

If you are a manager of an online product you are responsible for:

  • monitoring and reporting the metrics to enable business owners to provide assurance that the online product remains fit for purpose and continues to justify investment
  • maintaining the required suite of documentation for the product, which should include:
    • standard operating procedures
    • incident response procedures
    • risk register
    • system security plan
    • security risk management plan
    • accessibility risk management plan
  • managing periodic reviews, testing or assessment of compliance with required security, accessibility and privacy management standards
  • ensuring maintenance procedures are carried out in accordance with SLAs with hosting providers (internal or external).
  • ensuring publishers and administrators of sites or services maintain appropriate levels of knowledge of accessibility, security and privacy management.