Since the financial crisis of 2007, construction companies in the Netherlands have seen shrinking profit margins, due to for instance project and process success criteria that have been extended beyond economic objectives to include environmental and social requirements, increasing stakeholder requirements, disrupted supply chains due to global shocks, increased material costs and labor shortages. As part of the call for the continued professionalization of internal business processes, aimed at increased transparency and improved accountability, a holistic approach to risk management at the enterprise level has been on the rise to deal with cross-company risk. Enterprise Risk Management (ERM) is the leading paradigm for holistic company-wide risk management as it aims to bridge the traditional company silos and connect risk management, decision-making, company objectives and control structures.

Designing and developing an ERM system at a construction company requires a customized approach that strikes a balance between top-down and bottom-up information flows and diverse sectional interests while aligning vertical and horizontal risk management (RM) and internal control (IC) structures in order to sculpt an ERM system that is fit-for-purpose. In spite of efforts to the contrary, the academic literature shows however that ERM implementation can often result in decoupling (Arena et al., 2010). When this happens, ERM and RM processes are not integrated into work practices and are perceived as cumbersome tick-the-box exercises, contributing little to core tasks, and are seen as compliance and assurance controls for the benefit of external stakeholders that purport to achieve the “risk management of everything” (Power, 2004) which due to a lack of any real meaningfulness in the minds of practitioners leads in fact to the “risk management of nothing” (Power, 2009).

The integration of existing RM and IC practices into a company wide risk management system is no easy task. External frameworks such as COSO’s Enterprise Risk Management Framework (2004) offer prescriptive, idealized guidance that is difficult to translate to practice. The academic literature shows that contextual factors play a critical role in designing ERM systems and therefore the quality and influence of these factors must be identified and understood in order to shape ERM implementation in a specific setting. This study promotes the argument put forth by multiple authors such as Bresnen et al. (2004), Hsu et al. (2014) and Jack & Kholeif (2007) that the use of domain theory (i.e. theory on ERM and organizational culture) combined with social theory (i.e. theory from the field of sociology and behavioral sciencies) can offer a more complete view of the factors at play in this process. To this end, concepts from Giddens’ Structuration Theory (1984) have been used as sensitizing concepts in the analysis of the data. The central tenet of ST is the ‘duality of structure’ which examines the relationship between the ST idea of ‘structure’ (i.e. organizational structures of meanings, power and norms) and ‘agency’ (i.e. actions of organizational actors). In this study, the examination focuses on how decisions and resulting actions of the board and top management (ST agency) affects company risk culture and the design of formal ERM elements (together ST structures). The outcomes of this feedback loop can be observed in ERM and RM practices at different levels of the company though time. Analyzing ERM implementation in this way offers a view on how ERM and RM practices change or endure and lays bear the mechanisms that contribute to this...