This research in progress paper introduces a research initiative focusing on bank employee risk behaviour to mitigate IT operational risks in Austrian banks. The study focuses on the role of IT risk culture and internal controls in relation to employee risk behaviour and the effectiveness of different awareness building practices in banking companies in response to international banking regulation. We offer a short introduction to central theoretical concepts, main research assump-tions and a two-staged methodological design to conduct the underlying study. The indicative findings suggest important properties of awareness building methods and guidelines to create a proactive IT risk culture.