A practical procedure for running a four-zone risk audit — what to inventory, what signals to look for in each zone, how to score severity and what to do with the findings.
A modern online presence audit is a structured procedure that maps how a brand appears across four risk zones (search, AI systems, media and social, and review platforms) and produces a severity-ranked list of exposures that leadership can act on. This is a different audit from a marketing audit. The parent piece in this series, The Online Presence Audit Most Companies Don't Run, explains why the distinction matters and what the four zones mean. This article picks up where that one leaves off and walks through the procedure step by step.
If you skipped the parent piece, the short version is this: the marketing audit measures whether your marketing is working. The risk audit measures where your brand is exposed. Resolver's 2024 Reputational Risk Report found that 78% of executives acknowledge late response to digital risk will harm their brand, while only 17% maintain an active plan. The procedure below closes that gap with a structured walkthrough that takes one focused day, or three to four working sessions across a week, depending on depth.
Before you start: What to set up
The audit produces noise if it isn't scoped. Spend twenty minutes here and the rest of the procedure runs cleanly.
1. Define the object of analysis. A company audit and a founder audit are different audits. List exactly what you're auditing — the company brand, one product, one executive, or a combination. Audit each object on its own pass. Mixing them produces a report nobody can act on.
2. Define the audit window. Most audits look at the present state, with a six-month trailing window for trajectory. Pre-event audits — before an IPO, a Series C, a regulatory filing, a leadership announcement — extend the trailing window to eighteen months because diligence teams will.
3. Use an incognito or private browsing session. Your normal search history personalizes results. A diligence team or AI assistant doesn't see your personalized SERP. Run all search-based steps in a clean session.
4. Set up a single output document. One spreadsheet or document with four tabs, one per zone. Each row is one signal, with columns: source, what it shows, severity (Low / Medium / High), and recommended action. Resist the temptation to write a narrative — the value of the audit is in the structured list.
5. Block the time. A serious audit is three to four hours per zone for a mid-sized company, longer for executives with long public profiles. Don't try to do it in fifteen-minute fragments between calls. It's a focused-attention task.
For a structured pass that takes minutes rather than hours, Free Risk Check by Reputation House runs the four Risk Constellation zones automatically and returns a Composite Risk Score, Issues Detected with severity labels and competitor benchmarking.
Step 1 — Inventory: List the entities to audit
The audit covers four zones, but the object it audits is always specific. Begin by listing every entity that needs its own pass.
For a mid-sized company, the typical inventory looks like this:
- Company brand name (the official legal name and the trading name if different)
- Primary domain
- Two or three top products (if product brands are searched independently)
- CEO and key executives (CFO, COO, CTO depending on profile)
- Major investors or board members with public profile
For a personal audit — founder, beneficial owner, executive — the inventory is the individual plus any previous companies, any board seats, and any name variants in the public record.
Each entity gets its own audit pass through Steps 2–5. The output is one structured report per entity, not one combined report.
Step 2 — Audit the SERP zone
This zone covers how your search results form first impressions. In methodology language, this is SERP Control: who owns the top of the page, where complaints sit, and how much of the first impression the brand actually controls.
What to check
- The first ten organic results for the brand name. Categorize each result: brand-owned (your site, your social profiles), neutral third-party (industry directories, news coverage that's positive or neutral), or critical (complaints, lawsuits, negative reviews, hostile forum threads).
- The first ten results for the CEO's name. Same categorization. A CEO whose first page is dominated by third parties is a different exposure than a CEO whose first page is mostly LinkedIn and bylined articles.
- Brand name + common modifiers. Try "brand name + review," "brand name + complaint," "brand name + lawsuit," "brand name + scam." Each modifier is a query a procurement officer or investor may run. What surfaces for these is your real first impression in a serious due-diligence cycle, not your branded query.
- People Also Ask box for the brand. What questions does Google associate with the brand? These are questions the buyer or partner is being shown next.
- Image search. What pictures appear when someone searches the brand or the CEO? Old, mislabeled, or unflattering images sit at the top for many brands, and most executives have never checked.
What signals exposure
- A complaint cluster (Trustpilot, Reddit, complaint sites) ranking above brand-owned pages.
- A lawsuit or regulatory action visible in the top ten, especially if it's resolved but the resolution isn't visible.
- Third-party listings outranking your About page or your investor relations page.
- Image results that include uncontrolled photos, old leadership photos, or mislabeled assets.
Severity rule of thumb
- High: critical content in positions 1–5.
- Medium: critical content in positions 6–10, or neutral content that should be brand-owned.
- Low: critical content beyond position 10 but visible in branded modifiers.
Step 3 — Audit the AI Perception zone
This is the newest zone and the one no marketing audit covers. In methodology language, this is AI Distortion: divergence between your actual positioning and the description AI systems return.
The check is structurally different from search. AI systems don't return a list — they return a paragraph. The audit is reading that paragraph carefully.
What to check
- Ask the major systems directly. Run the same set of questions across ChatGPT, Perplexity, Gemini, Claude, and Google AI Overviews. Use neutral phrasings: "What does company X do?", "Who is the CEO of X?", "Is X a reliable supplier?", "What controversies has X been involved in?"
- Read the answer in three layers: factual accuracy (is the description correct?), recency (is it current or anchored on outdated information?), positioning (does it describe what makes the brand distinct, or flatten it into a generic category description?).
- Check for anchored sources. Many AI systems show citations or sources. If the same outdated article or single critical source appears across multiple systems, that source is doing disproportionate work in shaping the AI description.
- Compare to a competitor. Ask the same questions about a closest competitor. If the AI gives a sharper description of them than of you, that's a positioning exposure regardless of whether your branded marketing is performing.
What signals exposure
- AI assistants citing a 2019 or 2020 article as canonical when newer authoritative coverage exists.
- Descriptions that mix the brand up with another similarly-named entity.
- AI outputs that lead with a regulatory issue, lawsuit, or controversy that has since been resolved — without acknowledging the resolution.
- Generic descriptions that read as if the AI didn't know the brand and synthesized something plausible from category-level information.
- Inconsistency across AI systems (one accurate, one outdated, one wrong) — this is itself a signal that the underlying source set is fragmented.
Severity rule of thumb
- High: factual error, unresolved controversy framing, or wrong entity match in multiple systems.
- Medium: generic flattening that fails to distinguish the brand, or anchoring on a single outdated source.
- Low: minor inaccuracies that don't affect the buying or investing decision.
Note: AI descriptions update on different cycles. A finding today may shift in three months as language models retrain. The audit captures the current state; it does not predict the next state. This is one of the reasons quarterly cadence matters for this zone in particular.
Step 4 — Audit the Media & Social zone
This zone covers how external parties shape the narrative around your brand. In methodology language, this is Narrative Hijackability: how susceptible the brand story is to capture by voices outside the company.
What to check
- Recent news coverage (six months back, eighteen for pre-event audits). Sort by source authority, by tone, by topic clustering. Does the coverage track your positioning, or does it drift toward themes the company didn't initiate?
- Industry forums and community spaces where the brand is discussed — Reddit, Hacker News for tech, Drugs.com or patient forums for pharma, specialist trader communities for fintech. Look for emerging negative threads and whether they're isolated or part of a pattern.
- Glassdoor and employer review sites for narrative pressure from inside. Persistent themes in employee reviews show up in journalist research and in diligence calls. Look at trajectory, not just averages.
- NGO, advocacy, and watchdog mentions in your industry. These shape regulatory and political narrative even if the audience is small.
- Coordinated activity signals. A burst of similarly-worded negative reviews or social posts in a short window is a different signal than steady negative drift. Pattern matters as much as content.
What signals exposure
- A negative narrative cluster forming in a forum that ranks high for industry research.
- Employee voices contradicting positioning — especially when concentrated by team or geography.
- Activist or NGO attention that previously didn't appear in brand-related research.
- Journalist coverage drifting away from the messaging the company controls.
Severity rule of thumb
- High: coordinated activity, named-journalist negative coverage, regulator-adjacent NGO attention.
- Medium: persistent employee narrative or forum pattern, drift in news coverage tone.
- Low: isolated negative posts without amplification.
Step 5 — Audit the Trust Volatility zone
This zone tracks the brand state across review and rating platforms. The audit is about trajectory, not snapshot: a steady 4.6 average with a six-month decline tells a different story than a fresh 3.8 that's been stable for two years.
What to check
- Public review platforms relevant to your category: Trustpilot, G2 and Capterra for SaaS, Yelp and Google Reviews for consumer, App Store and Play Store for products, Glassdoor and Indeed for employer.
- Trajectory of average rating over six months. A drift downward is more revealing than the current number.
- Review velocity. A platform that normally gets ten reviews per month and suddenly gets fifty is a signal — whether positive or negative.
- Language patterns in recent reviews. Sets of reviews with unusually similar phrasing or vocabulary suggest coordination — incentivized reviews, gaming, or coordinated negative campaigns.
- Response coverage. What percentage of reviews — especially critical ones — have a brand response? Procurement teams read response patterns as a signal of how the company treats customers.
What signals exposure
- A six-month decline in a platform that buyers actually check.
- A burst of negative reviews in a short window.
- Critical reviews with no brand response visible.
- A pattern of identical-sounding positive reviews — this hurts more than helps, because diligence teams notice.
Severity rule of thumb
- High: declining trajectory on a buyer-facing platform, coordinated negative review burst, regulatory-adjacent complaint surfacing in a public review.
- Medium: stable but below-category-average rating, unresponded critical reviews.
- Low: minor variance within normal review noise.
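The review-velocity and language-pattern checks above can be run over an exported review list. The following is an added example, not part of the original article or of any Reputation House tool; the sample reviews are constructed, and the thresholds (three times the trailing median, 0.6 Jaccard similarity on word bigrams, a 30-day window) are assumptions to tune per platform.

```python
"""Flag review-velocity bursts and near-duplicate phrasing in a review export."""
import re
from collections import Counter
from datetime import date
from itertools import combinations
from statistics import median

# Constructed sample export: (review date, review text). Not real reviews.
REVIEWS = [
    (date(2024, 1, 5), "Onboarding was smooth and support replied within a day"),
    (date(2024, 1, 20), "Pricing is fair for what the product does"),
    (date(2024, 2, 8), "Dashboard is slow on large accounts but usable"),
    (date(2024, 2, 22), "Good integration options, documentation could be better"),
    (date(2024, 3, 6), "Renewal process was confusing this year"),
    (date(2024, 3, 25), "Solid product, we have used it for two years"),
    (date(2024, 4, 10), "Terrible service, they never answered my emails and refused a refund"),
    (date(2024, 4, 10), "Terrible service, they never answered my calls and refused a refund"),
    (date(2024, 4, 11), "Terrible service they never answered my emails and refused any refund"),
    (date(2024, 4, 12), "Invoice arrived late again"),
    (date(2024, 4, 15), "Works fine for our small team"),
    (date(2024, 4, 18), "Support chat was helpful with setup"),
]


def monthly_counts(reviews):
    """Return [(YYYY-MM, count)] for every month in range, including empty ones."""
    counts = Counter((d.year, d.month) for d, _ in reviews)
    (y, m), last = min(counts), max(counts)
    series = []
    while (y, m) <= last:
        series.append((f"{y}-{m:02d}", counts.get((y, m), 0)))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return series


def velocity_bursts(reviews, factor=3.0, min_history=3):
    """Months whose volume is >= factor x the median of all earlier months.

    The median keeps one earlier burst from inflating the baseline. Both
    factor and min_history are assumed defaults, not values from the article.
    """
    series = monthly_counts(reviews)
    bursts = []
    for i in range(min_history, len(series)):
        baseline = max(median(c for _, c in series[:i]), 1)
        month, count = series[i]
        if count >= factor * baseline:
            bursts.append((month, count, baseline))
    return bursts


def bigrams(text):
    """Lower-cased word bigrams; punctuation is ignored."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return set(zip(words, words[1:]))


def similar_pairs(reviews, threshold=0.6, window_days=30):
    """Index pairs of reviews posted close together with overlapping phrasing.

    Similarity is Jaccard overlap of word bigrams. A hit is a prompt for a
    human to read both reviews, not proof of coordination.
    """
    grams = [bigrams(text) for _, text in reviews]
    pairs = []
    for i, j in combinations(range(len(reviews)), 2):
        if abs((reviews[i][0] - reviews[j][0]).days) > window_days:
            continue
        union = grams[i] | grams[j]
        if union and len(grams[i] & grams[j]) / len(union) >= threshold:
            pairs.append((i, j))
    return pairs


if __name__ == "__main__":
    for month, count, baseline in velocity_bursts(REVIEWS):
        print(f"velocity burst {month}: {count} reviews vs baseline {baseline}")
    for i, j in similar_pairs(REVIEWS):
        print(f"similar phrasing: review {i} and review {j}")
```

Each hit becomes one row in the Trust Volatility tab; the severity label is still assigned by the person running the audit, using the rule of thumb above.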
Step 6 — Score and Rank
After all four zones are documented, the audit produces three deliverables. This is the part most amateur audits skip — they document signals but never structure them into something a leadership team can act on.
A composite picture. Across the four zones, how many High-severity findings exist, how many Medium, how many Low? A useful audit gives a single-page summary at this level — not as a vanity score, but as a way for leadership to see whether the exposure is concentrated in one zone or spread.
A severity-ranked action list. Take every High and Medium finding from all four zones and rank them by severity, then by ease of action. The action list is what the audit is actually for. Severity answers what matters. Ease answers what's worth doing first.
A baseline for the next audit. Save the report. The next audit's primary purpose is to compare against this one. Trajectory is the most informative thing an audit produces over time, and trajectory only exists if you keep the baseline.
In the Risk Constellation methodology, these outputs map to Composite Risk Score (the aggregate), Issues Detected (the structured list), and severity labels (Low / Medium / High). Structured tools produce these automatically; a manual audit gets to the same destination with a spreadsheet.
Step 7 — From Audit to Action
The audit's value isn't the report. It's what changes after.
The action plan that follows a useful audit has three categories.
Immediate fixes. Things that can be addressed in days. A SERP gap where a brand-owned page could outrank a third-party listing. A mislabeled image in image search. An unresponded critical review on a buyer-facing platform. A factual error in an AI description that traces to a single fixable source.
Structural improvements. Things that take weeks to months. Building authoritative content to shift AI sources. Addressing the underlying patterns behind employee review trajectory. Working with media to provide context for resolved regulatory issues. These are not one-off tasks; they are programs.
Watch items. Things flagged but not yet actionable. An emerging forum thread that may or may not amplify. A drift in coverage tone that hasn't yet crossed a threshold. Trust Volatility signals that need another month of data to be interpretable.
Most audits surface five to ten Immediate fixes, two to four Structural improvements, and a similar number of Watch items. If the report has fifty Immediate items, the severity threshold was set too low. If it has zero, the audit wasn't thorough.
Cadence: how often to run this
A baseline audit once a quarter is the standard for most companies. Three additional triggers warrant an extra audit cycle:
- Pre-event: any strategic event — fundraising, M&A, IPO, major regulatory filing, leadership announcement — should be preceded by an audit run no more than thirty days before the event.
- Post-incident: any reputational incident — coverage spike, regulator action, leaked communication, executive change under pressure — warrants an audit within the following month, to capture how the incident shifted the digital surface.
- Annual deep cycle: once a year, an extended audit that goes back eighteen months on trajectory data and includes competitor benchmarking, not just self-assessment.
Companies under permanent regulatory scrutiny — pharma, fintech, regulated SaaS — typically maintain continuous monitoring through a structured platform rather than running discrete audits. The audit becomes the risk diagnostic entry point into ongoing risk management, not a standalone exercise.
When to move from manual to structured tooling
A manual audit by the procedure above is genuinely useful. It surfaces most of what a serious audit should surface, especially for smaller companies and individual executives. There are three moments when the manual approach stops being enough.
Scale. When the inventory includes a brand plus three products plus five executives plus regional sub-entities, a quarterly manual audit consumes weeks of someone's attention. Structured tooling collapses that to a single workflow.
Cross-language scope. A brand operating across the US, EU, and Gulf is auditing across three or more language environments. Each language has different source structures, different review platforms, different AI training distributions. Manual audit at this scope is unreliable.
Continuous mode. A quarterly snapshot is appropriate for most companies. For brands under permanent scrutiny — those whose regulators, investors, or partners check digital exposure continuously — quarterly is too coarse. Continuous monitoring is needed, and the audit transitions from a procedure to a platform output.
For a structured pass that takes minutes rather than hours, Risk Check by Reputation House runs the four Risk Constellation zones automatically and returns a Composite Risk Score, Issues Detected with severity labels, and competitor benchmarking. It produces the same artifact this manual procedure produces, faster and with cross-validated entity matching that filters out the false-positive noise that plagues name-match-only tools.
For continuous coverage, the Risk Control Center platform turns this audit into an ongoing system rather than a one-off exercise.
Frequently Asked Questions
How long does an online presence audit take?
A focused manual audit using this procedure takes one full day for a mid-sized company, or three to four working sessions across a week. A pre-event audit covering executives and multiple sub-entities can take a working week. A structured-tool pass takes minutes. The variable isn't only the tooling — it's also the depth of the inventory and how recent the last audit was.
Can I conduct an online presence audit myself?
Yes — the seven-step procedure above is self-conductable. The limits of a manual audit are scale (large inventories become time-consuming), cross-language reach (each language environment is its own audit), and consistency over time (manual scoring drifts). For board-level reporting or pre-deal diligence, a structured tool produces a more defensible artifact.
What's the difference between this audit and a marketing audit?
A marketing audit measures whether marketing is working — site speed, SEO performance, social engagement, conversion. This audit measures where the brand is exposed — what investors, regulators, and procurement teams encounter when they research the company independently. Both are useful. The procedure above describes the second. The first is well-served by standard marketing tools.
Why does the audit include AI Perception?
Because AI systems have become a primary research vector for the audiences that matter — investors, procurement officers, regulators, journalists. A buyer who asks Perplexity about a vendor before a meeting is forming an impression that the company's own marketing doesn't control. An audit that ignores AI perception leaves the largest emerging exposure category unchecked.
How do I score severity if I'm not sure what counts as High?
The severity rule of thumb in each step gives a starting threshold. The faster heuristic: a finding is High if a serious counterparty (investor, regulator, large customer) would form a negative or wrong impression from it without further context. Medium if it requires explanation but doesn't disqualify. Low if it would only matter in aggregate with other findings.
For the methodology and zone definitions behind this procedure, see the parent article: The Online Presence Audit Most Companies Don't Run. To run a structured four-zone diagnostic in minutes rather than hours, Risk Check by Reputation House returns the same severity-ranked output this manual procedure produces.