
Using email for approvals is not a decision most organisations made. It is a habit they drifted into. The cost of that drift is larger than it appears.
The Default That Became the System
No operations leader ever decided that the organisation’s approval process would be managed through Reply All chains and forwarded attachments. It happened gradually, in the space between tools that were not quite right for the job. A contract needed approval. The easiest path was an email. The email worked. The next contract got the same treatment. The email-as-approval-system was never designed. It was accumulated.
Years later, the organisation’s most critical governance decisions, who approved what, on which version of a document, at what point in time, with what authority, are distributed across thousands of inboxes that belong to individuals rather than to the organisation. The approval record is not in a system. It is in a person’s email account, and it is only as findable as that person’s willingness and ability to search for it.
Research from EY, cited in Compliance and Risks 2025, found that 82 percent of compliance leaders identify data fragmentation as a significant operational challenge. The fragmentation is not random. It is the predictable result of using a communication tool, email, as a governance tool, which it was never designed to be.
What Email-Based Approvals Cannot Provide
Email is an excellent tool for communication. It is a poor tool for governance. The gap between these two functions becomes consequential when organisations rely on email for approvals.
1. A reliable audit trail
An email approval proves that an email was sent. It does not prove that the recipient read it, that the document attached was the version that was subsequently used, that the approval was given by someone with the appropriate authority level, or that the approval has not since been superseded. A system-generated audit trail provides all of these. An email thread provides none of them reliably.
2. Version certainty
Email approval processes almost always involve version ambiguity. Multiple versions of the document travel across email threads as different reviewers make edits. The version that receives the final approval is not always the version that was last edited. The version that gets implemented is not always the version that was approved.
3. Automatic escalation
When an email approval is overdue, the only mechanism for escalation is for a human to notice the delay and send a follow-up. There is no system-generated alert. There is no automatic escalation path. The delay is invisible until someone manually identifies it and acts.
4. Organisational record ownership
An approval that exists only in an individual’s email account belongs to that individual, not to the organisation. When the individual leaves, the approval record may be inaccessible. When the individual’s inbox reaches capacity and older emails are deleted, the record is lost. When the individual is the subject of an investigation, access to their inbox is legally complicated.
| The approval record that lives in an inbox is not an organisational asset. It is a personal asset that the organisation is borrowing, and the borrowing arrangement ends without notice. |
The Compliance Event You Have Not Prepared For
The true cost of email-based approvals is not visible in ordinary operations. It becomes visible at the moment a regulator, an auditor, or a counterparty asks the organisation to produce the complete approval history for a specific document or decision.
The response that most organisations give in this situation is not confident retrieval from a centralised system. It is a search through multiple inboxes, a comparison of email timestamps, a conversation with the people who were involved to reconstruct what was decided and when, and an honest admission that some of the record may not be recoverable. This response is not a failure of the people involved. It is the predictable consequence of a governance system that was never designed to produce this kind of evidence.
Research from Lytho on email-based approvals in financial services, found that reconstructing approval history from inboxes is manual, inconsistent, and error-prone, and that auditors typically expect clear documentation that email cannot reliably deliver. The teams that discover this gap during an audit, rather than before one, are the ones paying the highest price for the original drift.
The Version Problem That Nobody Notices Until It Matters
In email-based approval processes, the version of a document that receives the final approval is frequently not the version that all reviewers saw. Changes are made between reviews. Attachments are replaced without notice. The final email in a thread may say ‘approved’ without specifying which version is being approved.
In regulated industries, this ambiguity is not a minor procedural concern. A pharmaceutical company whose clinical trial authorisation email thread contains three versions of the document, with approval language that does not specify which version it applies to, has a document integrity problem that may not surface until an FDA audit requests the complete version history. At that point, the ambiguity becomes a compliance gap.
What a System Provides Instead
An approval system does not change the people involved in the approval decision or the quality of the decision they make. It changes the infrastructure through which the decision travels and is recorded. The document exists in a single version at any point in time. The routing of the approval request is automatic and traceable. The approver’s decision is recorded with a timestamp, an identity link, and a reference to the exact version of the document they approved. The record is owned by the organisation, not by any individual’s inbox.
Flowmono replaces email-based approval chains with structured, system-governed routing that produces a complete, tamper-evident audit record for every decision. See what governed approval looks like on Flowmono.
![]()