Just based on intuition, yes, I would assume that many, perhaps most, nonprofits are not involved, or not sufficiently involved, in risk management. The article states that nonprofits should follow a framework:
“Follow a risk management framework. The 2004 ERM Framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, which includes the AICPA), is one such framework. The International Organization for Standardization’s ISO 31000 is another.”
But considering the length and complexity of the COSO and ISO 31000 materials, many nonprofits might want to consider following a more direct framework such as my 1-page outline which you will find in the About section of my blog at http://tatetalk.com.
The most important thing is to get started – start small, or at a reasonable scale, identifying and addressing the most pressing risks, and build up from there.