The Governance Gap Nobody Talks About
Most associations choose their CMS platform based on features and cost. Should we use WordPress or Drupal? Which platform can handle AMS integration? Which supports member portals? These are important questions, and the answers matter. But they only tell part of the story. The real problem shows up after you choose the platform and launch the website.
The governance questions nobody asks first: Who gets to publish content? Who approves changes before they go live? How do you prevent the homepage chaos that happens when multiple departments treat the website as their personal bulletin board? How do you track who changed what and when? You can buy the best CMS on the market. You can implement it perfectly. But without governance it becomes a free-for-all. And governance requires more than just good intentions. It requires roles with specific permissions. It requires editorial workflows that force review before publishing. It requires a document that everyone agrees to follow. Most associations skip this. They go live, assume people will figure it out, and spend the next two years managing chaos.
Role-Based Permissions: WordPress vs. Drupal
WordPress built-in roles: WordPress has five built-in roles: Administrator, Editor, Author, Contributor, and Subscriber. These roles sound like they offer flexibility, but they're blunt instruments. An Editor in WordPress can edit any page and any post. They can delete content. They can manage plugins. They can change site-wide settings. Your events manager shouldn't have the same access as your IT administrator. An Author can create and publish their own content but can't edit others' work. A Contributor can create content but can't publish — someone else has to approve and publish for them. This is progress toward governance, but it still doesn't give you the granularity that multi-department organizations need.
WordPress solves this limitation with permission plugins like User Role Editor and Members, which let you create custom roles with granular capabilities. You can create a role called "Events Manager" that can create and publish event pages but can't touch the member portal or news articles. You can create a role called "Communications Editor" that can edit any news article but can't publish — only "Communications Director" can approve and publish. This is powerful. It's also complex. The configuration is not intuitive, and mistakes happen. Cost for these plugins: $100 to $300 annually, plus the labor to configure permissions correctly.
Drupal permissions: Drupal handles permissions natively, and its permission system is more granular than WordPress's. You can specify: can create content type X, can edit own vs. all content of type X, can publish vs. only save as draft, can access specific menu items, can manage specific taxonomies. For a multi-department association, Drupal's built-in permission system is superior. The tradeoff is that the configuration is complex and requires deeper Drupal knowledge. A Drupal site built without governance is just as much of a free-for-all as WordPress. The tool doesn't solve the problem automatically. You have to build the governance structure.
Mapping Content Ownership by Department
Content ownership framework: Every piece of content on your website needs an owner. This isn't about ego. It's about clarity. When a policy page needs to be updated, who decides when that happens and who publishes the change? When a committee page has outdated information, whose responsibility is it to fix it? When the events calendar has broken links or incomplete event details, who notices and who fixes it?
Create a simple content ownership map for your departments:
Communications owns news articles, blog posts, homepage banners, media galleries, and press releases. Events owns event listings, registration pages, conference materials, speaker bios, and schedule pages. Membership owns member portal content, member directory pages, renewal workflows, and member status pages. IT/Web owns infrastructure pages, security documentation, technical support articles, core CMS updates, and integrations. Education/Continuing Education owns the course catalog, certification tracking pages, learning resources, and compliance documentation.
Each department should own only their content. Communications doesn't need to touch the member portal. Events doesn't need admin access to infrastructure pages. Membership doesn't need to publish news articles. This separation reduces accidents. It keeps the website organized. It also makes permissions easier to manage — you're not giving broad access. You're giving specific access to specific content.
Editorial Workflows Prevent Chaos
The workflow that works: The workflow that prevents the cancelled event banner from going live is simple: Draft → Review → Approve → Publish. Nobody publishes directly to the live website without review. This doesn't require expensive tools. WordPress has editorial workflow plugins (PublishPress, Edit Flow). Drupal has Content Moderation built into core.
Here's how it works in practice: An events coordinator creates a new event page and saves it as Draft. The page is not visible to members. An editor from the communications team reviews the page, checks for broken links, consistent branding, accurate event information, and correct pricing. If something is wrong, they save notes in the draft as comments: "Event location is wrong — is this the DC office or the Baltimore office?" The events coordinator sees the feedback, fixes the issue, and marks the review comment as resolved. Once all issues are resolved, a communications director (a role with higher approval authority) gives final approval. The page moves from Draft to Published. Members see the event immediately.
If the event is cancelled, the communications director can unpublish the page and set it back to Draft status. The page is hidden from members immediately. No need to delete it. No need to search through the website trying to take down content. This workflow adds process, which some organizations resist. Process feels slow. It feels like bureaucracy. But it's the only thing that prevents your homepage from promoting cancelled events, outdated pricing, and wrong locations. The approval step catches mistakes that would otherwise go live.
Content Lifecycle Management: Who Cleans Up?
The dead content problem: Without governance, association websites accumulate dead content at a scary rate. Over three years, the average association website is 30–40% dead content. Outdated policies that were replaced two years ago but never removed from the site. Past event pages that are still appearing in search results and navigation. Abandoned committee sections that nobody maintains. Broken links to resources that no longer exist. Archive pages that make your organization look inactive.
Assign a content owner for each section with annual review responsibility. Your governance document should say: "Communications reviews all news and blog posts annually. Events archives past conference pages and removes outdated event listings. Membership audits the member portal annually and removes expired resources. IT removes outdated infrastructure documentation." Don't just suggest this. Make it a requirement. Include it in people's job descriptions. Make content audits part of the annual planning cycle.
Your One-Page Governance Document
What goes in the document: Every association website should have a governance document. This doesn't need to be long. A single page is often enough. It answers specific questions that prevent chaos:
Who can publish content? Break this down by role and content type. Your Communications Editor can publish news articles. Your Events Manager can publish event pages. Your IT Manager can publish infrastructure pages. Who approves before publishing? For news articles, the Communications Director approves. For event pages, the Events Director approves. For infrastructure pages, the IT Director approves.
What's the review cycle? Do committees review quarterly? Do news articles get reviewed weekly? Do policies get reviewed annually? How do you handle emergencies? If the association office needs to post an urgent update at 6 PM on Friday, does that have to go through the normal review process, or is there an emergency override? Most organizations need an emergency process for time-sensitive updates.
Who has admin password access? The answer should be: more than one person. At minimum, your web coordinator, your IT manager, and your executive director should have access. Never let one person be the only person with access. If that person leaves or gets hit by a bus, you're stuck. Also document how you'll handle password changes and access revocation when staff leaves.
What You Walk Away With
We'll help you build a CMS governance framework specific to your departments, your workflow, and your platform choice. You'll walk away with a permissions map showing who can create, edit, and publish which content. You'll have an editorial workflow that catches mistakes before they go live. And you'll have a governance document that prevents the "nobody knows who changed what" problem and keeps your website clean and current.
Link: Drupal vs. WordPress for Trade Associations → /blog/drupal-vs-wordpress-trade-associations
Link: Outsourcing Website Management → /blog/outsourcing-website-management-trade-associations
Link: Association Webmaster Services → /blog/association-webmaster-services-what-included