Introduction to Business Continuity Management

Articles - BCP and IT DR


We all need the support services that we often take for granted to be available to us 24/7 and whenever needed. Right from the telephone that we use to the internet connection, any downtime that this service faces is viewed unfavorably by us. But, given the uncertainties of the 21st century where a minor dislocation somewhere can have a cascading effect on the infrastructure, there is a need for business continuity management.

Simply put, the term denotes the recovery of the business or the service from an outage or disruption. The rapidity with which the service is restored depends on how well the business continuity was planned for and managed during the downtime and subsequent recovery.

Business continuity management has been at the forefront of corporate planning in recent years because of the interconnected and integrated global economy where one outage to one service threatens the whole chain involved.

In recent months, after the Fukushima disaster, business continuity management has become a buzzword for companies and governments alike with increased emphasis on how fast the business or the department recovers in case of disruption. And the example of banks like Citibank and Standard Chartered which have well-planned business continuity programs is a classic case of corporates thinking ahead and planning for emergencies.

For mission-critical applications like the software in banks, power stations and airports, the criticality of the service means that there is zero tolerance for downtime. We have seen in the last year how the automated system at the IGI (Indira Gandhi International Airport) went down, throwing the entire airport into chaos and severely impacting the travel plans of thousands of passengers. Hence, it becomes a matter of vital importance that such systems have continuity programs in place which would minimize the downtime and reduce the outage effect.

Business continuity management is not just about having systems in place for backups and to fall back on. There needs to be a mindset change in the employees who operate these systems: what is needed is the ability to switch to the backup system or the offshore site and resume operations within no time. For this to happen, the workforce must be adequately trained to react swiftly in case of emergencies and load the backup system or rush to the offsite to ensure uninterrupted service. These abilities call for agility and speed in the workforce, and this can be achieved only through mock drills and procedures that simulate the actual disasters.

Of course, however much corporates plan for emergencies, “when it strikes” the spur of the moment reactions from the workforce and the robustness of the backup systems determine how well the business continuity management program works. To achieve the scalability that is needed and to ensure reliability the corporates must invest in state of the art business continuity programs which manage the downtime well and ensure that the users are not affected in a major way.

In conclusion, business continuity management is not just about people or machines but the combination of both which needs to click in the event of an emergency. The best laid plans go waste if there is no backup hierarchy to manage the continuity program. So, along with the workforce and the systems, astute management and visionary leadership are required.

How to Prepare a Business Continuity Management Program?



The previous articles have mentioned the need for a business continuity management program and the components of a typical business continuity plan. This article looks at how to prepare your organization for emergencies and the steps that are needed to be taken to prepare for contingencies.

For starters, the business continuity program that your company wishes to put in place must be detailed and exhaustive covering all aspects of the contingency planning.

The key point to note is that attention to detail is paramount because when emergency strikes, the little things make all the difference. For instance, if your backup site does not have adequate power to provide for smooth operation, the whole purpose of the business continuity program is lost. This is just one example of how the finer aspects of the business continuity program make all the difference between success and failure.

The next thing of importance in preparing a business continuity program is to ensure that employees are not left dumbfounded by the emergency. Instead, there must be a mechanism in place to take into account the disaster readiness of the workforce. The overarching thing to note is that the feedback loops and the lines of communication should not break down during an emergency. Only when the communication is well oiled and works smoothly can there be an effective response to disasters.

The third point to note about preparing for a disaster is the absence of laid back attitudes and complacency. Many companies simply prepare a BCM without taking into account whether the attitude in an emergency is one of panic or the other extreme which is complacency. Both should be avoided and instead, for business as usual to prevail, a no-nonsense attitude and a sense of purpose must be the guiding factors. Overall, the human element is crucial as to how a BCM can succeed and hence, priority must be given to prepare the employees to face emergencies without panicking or at the same time without taking things for granted.

While preparing for a disaster, attention must be given to the response time of the organization to continue the BAU or the Business As Usual. This can be done if the organization replicates the exact structure and facilities that it employs in its everyday practice to the backup plan. The key point is that services must not be curtailed in an emergency and even if it is not possible to provide full service, the culling of non-essential services must be planned and accounted for. The critical success factor during emergencies is how well the organization picks up the pieces and resumes its operations. So, care must be taken to minimize disruptions and restore normal business as soon as possible.

Finally, BCM is all about anticipating the kind of emergencies and preparing for them. Risk management specialists can be hired to identify potential risks and quantify the impact of these risks on the business. In this manner, the risk management matrix that lists the risks, as well as the action plan for mitigating each risk, is crucial to ensure the success of the BCM plan. So, adequate effort and time must be given to preparing the risk management plan. In conclusion, when disaster strikes, the organizations and the employees must not be caught like deer blinded by the lights of an automobile; instead, they must be like the ants who prepare for a rainy day.

How Does a Typical Business Continuity Program Work?



In the last decade or so, the threats to the working environment of companies have multiplied ranging from 9-11 type attacks, earthquakes and the spread of diseases like SARS. Further, there is the very real threat of natural and manmade disasters like these disrupting the working patterns of organizations. Hence, there is a need to plan for contingencies and ensure that the business of the firm or company does not suffer during the emergency. Towards this end, a business continuity program is designed to insulate the business from the downsides of the calamity and ensure that continuity of business happens within days or even hours of the incident happening. This article looks at how a typical business continuity program works.

The first thing to note in a business continuity program is that a backup site needs to be provided for the employees to report to in case of damage to the existing business location. This backup site can be in the same city or at a safe distance from the existing location in another city. In some cases, backup sites are even located outside the country so that any disaster like a war that impacts the whole country can be mitigated. For instance, Polaris Software and Infosys are two companies that have invested in backup sites in other Asian countries like Sri Lanka and the Philippines.

The next thing that a business continuity program needs to have is a mechanism to reach the employees in case of an emergency and make them move to the backup site. This is done by many companies like Fidelity that have lists of the employees along with their contact details and the easiest way to reach them during an emergency. Further, a management level (mid or senior) person takes care of reaching a group of employees, and this cascades down to the next levels, with junior managerial staff taking responsibility for reaching those further down the hierarchy.

The third component of the business continuity program is to have an arrangement for the employees to get to the backup site within the SLA (Service Level Agreement) for the continuity program. As mentioned above, the continuity of business can happen within hours if the conditions permit and might take days if the calamity is drastic. For this to happen, the employees need to be told how to reach the backup site in case of an emergency and continue working from there. Further, specific employees can be asked to reach the backup site instead of all the employees as continuity of business is usually focused on restarting work rather than reaching full output.

Finally, the most important thing about a business continuity program is the maintenance of the backup site. If the backup site fails to power up or load when an emergency strikes, the whole purpose of the business continuity program is lost. So, the essential thing to note in a business continuity program is that the backup site must be operationally ready at all times. Companies like Citigroup conduct periodic checks on the site readiness of the backup sites to ensure that they can be ramped up in no time.

In conclusion, business continuity is all about managing the surprise in an emergency. So, the more agile the staff is in responding to uncertainty, the better placed the company would be to respond to emergencies and disruptions of business.

Business Continuity and Disaster Recovery – Important for Every Business and Organisation



Managing business operations in current times is a big challenge. Apart from having to keep looking at the bottom lines and market shares, management has another major area of concern: continually assessing the risk to the business from all quarters and putting a Disaster Recovery plan in place.

It is true that businesses face a lot of threats from several quarters, including external threats from terrorists, natural calamities and unforeseen circumstances, besides internal systems failures threatening shut down of operations. In the highly competitive world today, every organization has realized the value and the need to have disaster recovery and a business continuity plan in place to avoid disruption to the services and customers. No business today can afford to have disruptions to its operations and deliveries. Realizing the uncertainties and the need to cover the risks, customers today have begun to demand that supplier organizations and vendors demonstrate their capability to execute viable Disaster Recovery and Business Continuity plans. On the whole, we can say that every stakeholder in the business has an interest in seeing that business continuity is maintained at all times.

Business Continuity & Customers

Take the case of critical IT systems and network installations in banks and credit card companies. Banking, hospitals, telecommunications and such critical operations cannot afford a failure on the part of their IT systems, whether a systems failure or a hardware failure. They select vendors and partner with only those who are able to demonstrate the capability and provide a workable solution for business continuity and disaster recovery. Providing such a plan has become a part of the total solution proposal and the cost of such a plan may not come cheap. However, both the supplier and customer organizations cannot afford to go without a plan in place.

Brand & Market Share

Retaining brand leadership and market share is a huge challenge for companies. In the face of intense competition, the brands have got to keep up their performance on quality, delivery and all fronts to ensure they maintain their growth rates. When faced with several options and choices, the Customer recall of a brand and loyalty to the brand may be very weak. In such cases, the companies cannot afford to have any disruption to supplies or absence from the market.

During the last year, floods in Thailand & Philippines caused immense damage to the plants especially the automotive and electronic industries. As a result, the production and supplies to the markets were disrupted for quite a few months causing immense damage to the market share as well as to the financial health of the company.

Global companies usually have multiple locations in different regions of the world. Such multiple locations help them cover the risk of plant shut down to a large extent for they can easily set up alternative production lines and get started faster than the other companies who do not have alternatives on hand.

Stake Holder Expectations

Managements today are answerable to a host of stakeholders in their business. They are answerable to the board and shareholders who expect the company to perform under all circumstances. Besides, the regulatory authorities as well as the financial institutions who extend credit and fund the Company expect their returns and performance from the Company irrespective of any disruption. Security and Safety is a major concern that is required to be addressed by Companies from the point of view of human resource angle as well as from an insurance perspective.

With all of the above requirements, it has become imperative for companies in current times to adopt a disaster management and business continuity plan irrespective of the size of the company. As business practices, products and technology are evolving, so are the risks and the need to cover the risks and ensure business continuity.

Air Canada reviewing how crew left passenger on a parked plane



Air Canada continues to investigate how crew members could have disembarked from a plane without noticing a sleeping passenger who was still on board, an incident experts say raises serious security issues.

An Air Canada passenger says she was forced to organize her own escape from an empty plane in Toronto after flight crews left her asleep in her seat.

Tiffani Louise O’Brien said the incident, documented in detail on Air Canada’s Facebook page and currently under review by the airline, took place on a June 9 flight from Quebec City to Toronto’s Pearson International Airport.

After finding herself in an empty row, O’Brien said she laid down to sleep less than halfway into the short 90-minute flight. When she woke up, she said she was completely alone in the pitch-black aircraft.


Continuing Professional Education Program



Continuing Professional Education (CPE Points) Program

Certified members are required to submit CPE points annually. The deadline for submitting CPE Points Record Form for any given current year is on March 31st of the following year.

BRCCI’s Continuing Professional Education (CPE) Points Program ensures all certified professionals continue to maintain, enhance, and develop their personal knowledge and skills in the business resilience profession once they have achieved certification. All certified professionals are required to comply with the CPE Points Program by actively participating and engaging in development activities and periodically submitting proof of such activities. Activities must be directly relevant to the field of business resilience.

The CPE Points Program is based on a CPE Points system. This system requires professionals to obtain at minimum 10 CPE Points annually. CPE points must be reported annually and must be earned by participating in various activities across multiple categories as defined in the CPE Category and Points Schedule. There are many activities that qualify for CPE Points. CPE Points are awarded for active participation in activities that:

  • Enhance and develop personal knowledge and skills, such as attendance in courses and seminars, and full-time or part-time enrollment in a diploma or degree program;
  • Contribute to and promote the business resilience profession, such as preparing articles and papers and conducting research and development of business resilience education; or
  • Validate business resilience related programs and processes, such as conducting audits, tests, and reviews.

As an example, CPE Points may be awarded as follows:

  • Up to 8 points awarded for attendance at a conference, training course, workshop, seminar, or lecture (1 point per hour of attendance to a maximum of 2 points per day);
  • Up to 4 points awarded for preparation and publication of an article or whitepaper (length of paper greater than 1 page and less than or equal to 6 pages);
  • Up to 5 points awarded for participation in BRCCI working group and/or committee.

CPE General Rules

The following general rules will apply when assigning CPE Points:

  • CPE Points must be earned from more than 1 CPE point category. For example, not all 10 points may be earned from attendance at an academic course.
  • When authoring a publication, it must be published in a business resilience related website or publication.
  • If more than two professional designations are earned in any year, only 1 may qualify for CPE Points.
  • CPE points must be submitted during the year following the year in which certification is granted.
  • No points may be carried over to subsequent years.

CPE Activity Reporting Period

To comply with the CPE Points Program requirements, all certified professionals are expected to submit a CPE Points Record Form for each CPE Activity Reporting Period. The CPE Activity Reporting Period is a full calendar year and commences the year following the year in which certification is granted. Supporting documentation of activities is not required unless specifically requested by the Certification Committee. Professionals should keep a copy of the CPE Points Record Form along with supporting documentation for a minimum of 3 years.

The deadline for submitting the CPE points is March 31st following the CPE Activity Reporting Period.

Validation of CPE Activity Reporting

BRCCI’s certification committee is responsible for verification of CPE activities undertaken by professionals. Although all professionals are required to submit their activities, not all submissions can be verified. The Certification Committee will intermittently conduct audits to verify the validity of CPE activity submissions.

CPE Categories and Points Schedule

CPE Category | Description | CPE Points Value | Maximum Points / Year
1 | CONFERENCES/INSTRUCTOR-LED COURSES: Attendance in a conference, course, workshop, seminar, or lecture directly related to business resilience. Certificate of completion, course outline and description must be kept for reporting purposes. Minimum 6 hours of attendance for a 1 day event. Minimum 3 hours of attendance for a ½ day event. | 1 point per hour of attendance to a maximum of 2 points per day | 8
2 | SELF STUDY COURSES: Attendance in a course of online study or self study in a business resilience discipline. Certificate of completion, course outline and description must be kept for reporting purposes. | 1 point per hour of attendance to a maximum of 2 points per day | 6

DEGREE/DIPLOMA PROGRAMS Attendance at a business resilience related degree or diploma program at a public or private college or university. Programs related to the following disciplines qualify:

  • Business continuity and disaster recovery
  • Information systems security and management
  • Audit
  • Risk management
  • Emergency response management
  • Project and business management

2 points per day of attendance | 8
(1 page to 6 pages) Authoring and publication of a business resilience related literary work, minimum 1 page and maximum 6 pages, such as an article, research report, survey, newsletter, or paper. Must be published in a business resilience related website, journal, or other publication where it is formally recognized and/or distributed.
(7 pages or greater) Authoring and publication of a business resilience related literary work 7 pages or greater, such as a book (including specific chapters), journal, or paper. Must be published in a business resilience related website, journal, or other publication where it is formally recognized and/or distributed.
(maximum 1 day) Authoring of a business resilience related literary work such as a presentation or seminar (maximum 1 day). May be part of internal organization training or a formal education program. Outline and description must be kept for reporting purposes.

(1 day or longer) Authoring a business resilience related literary work such as a workshop or course (minimum 1 day). May be part of internal organization training or a formal education program. Outline and description must be kept for reporting purposes.

8 | PROFESSIONAL CERTIFICATIONS: Achieving business resilience related professional designation. Certificate of professional designation must be kept for reporting purposes. | 4 | 8


Professional work conducted in order to establish, maintain, and execute a business continuity and resilience program. A professional may perform activities related to development, implementation, management, execution, and/or support of business continuity and resilience programs. Activities may be from one of the following:

  1. Establishing a business continuity program
  2. Establishing a business continuity steering committee or program sponsor
  3. Setting business continuity policies and guidelines
  4. Creating business continuity and resilience plans
  5. Establishing a training and awareness program
  6. Managing business continuity projects (minimum 2 months duration)
  7. Managing business continuity programs (minimum 2 months duration)
  8. Executing business continuity plans

Signed letter listing the above activity and extent of work conducted from a supervisor, manager, or direct report must be kept as supporting documentation for reporting purposes.



Assessment and investigative activities such as risk assessments, business impact analyses, audits, and tests.

Test exercise lengths must be greater than 1 hour in duration. No partial reports are accepted. An assessment, test result, or audit report validation letter from an immediate supervisor, manager, or direct report must be kept as supporting documentation for reporting purposes.

(minimum 2 hours and maximum 1 day) Business resilience education and training delivery such as presentations (minimum 2 hours and maximum 1 day).
(1 day or longer) Business resilience education and training delivery activities such as course instruction (1 day or longer).
13 | BRCCI PARTICIPATION: Participation in BRCCI promotion, development, and other activities including participation in committees and/or working groups. | 5 | 5
14 | Non-BRCCI PARTICIPATION: Participation in non-BRCCI organization activities including committees and/or working groups or volunteer groups. | 4 | 4

Membership in an organization related to business resilience, such as disaster recovery, business continuity, information systems security, risk management, or audit.

Example organizations are: ACP, DRIE, ISC2, ISACA, IAEM, ISSA, IIA, NFPA, BCI, RMI, PMI


Attendance at a meeting or function of an organization related to business resilience, such as disaster recovery, business continuity, information systems audit/security, risk management, or audit.

Example organizations are: ACP, DRIE, ISC2, ISACA, IAEM, ISSA, IIA, NFPA, BCI, RMI, PMI

1 per meeting | 4

CPE Frequently Asked Questions

1) What is the deadline for submitting the CPE Points Record Form?

The deadline for submitting CPE Points Record Form for any given current year is on March 31st of the following year.

2) What is the CPE Activity Reporting Period?

The CPE Activity Reporting Period is a full calendar year and commences the year following the year in which certification is granted.

3) I just achieved my certification, when should I submit my CPE points?

You must submit your CPE points for the year following the year in which you obtained the certification.

4) Is there an annual certification maintenance fee for the year in which certification is achieved?

No, the annual certification maintenance fee for the year in which certification is achieved is waived.  The annual certification maintenance fee commences the year following certification.

5) I achieved my certification in March of 2007.  Should I submit CPE points for March to December of 2007?

No.  You must submit CPE points for January 1, 2008 to December 31, 2008.

6) I submitted my certification application and/or wrote a certification examination during December 2007, but achieved certification in January 2008.  Do I need to submit my CPE points for 2008?

No.  You must submit CPE points for January 1, 2009 to December 31, 2009.

7) I am a consultant and often times I am busy helping organizations to create and establish business continuity and resilience programs.   Is there a CPE Points category for consulting professionals like myself?

Yes.  The category “Business Continuity and Resilience Program Establishment, Maintenance, and Execution Activities” is available for both consulting and non-consulting professionals who are involved in development, implementation, management, and/or support activities.

8) What is the requirement for maintaining my certification once I have achieved it?

There are two essential requirements to maintain certification:

  • Submit the CPE Points for each CPE Activity Reporting Period
  • Submit the annual certification maintenance fee.

9) When does the annual certification maintenance fee need to be paid? What is the amount if I have single designation? What is the amount if I have multiple designations?

Certification fee is due on the 31st December of each year. You only need to pay one single fee whether you hold a single designation or multiple designations.

The Biggest Hacks and Data Breaches


Data breach: Timehop

When?: July
How many people: 21 million
What happened?:
Timehop connects to social networks and surfaces nostalgic posts from the past. On Facebook, it shows users their previously popular posts in a bid to help people rekindle previous memories. However, the company detected an ongoing cyber attack in July and found names, email addresses and “keys” allowing access to previous posts had been taken. It delayed the tokens for accessing historic posts, it said.

Data breach: Polar Flow

When?: July
What happened?: The fitness app Polar Flow revealed the locations of military personnel inside secret bases around the world. As with the Strava data privacy issue in January, researchers found it has been possible to monitor the movements of soldiers. Changing a URL let anyone see a person’s workouts.

Data breach: MyHeritage

When?: February – June
How many people: 92 million
What happened?: DNA testing firm MyHeritage suffered a huge data breach affecting 92 million people. While DNA data wasn’t made public, emails and some password information were. The data was stored on a private server and whoever obtained it sent it to third-party security researchers.

Data breach: Ticketmaster

When?: February – June
How many people: 40,000
What happened?: Ticketmaster revealed that the login information, payment data, addresses, names and telephone numbers of 40,000 people were at risk. The data breach was first spotted by digital bank Monzo, which told Ticketmaster about the insecurities.

Data breach: Typeform

When?: May – June
How many people: millions
What happened?: Data collected through Typeform surveys was left unsecured and was taken by hackers. As a result, adidas, Monzo, Revolut, England’s Shavington-cum-Gresty Parish Council, Fortnum and Mason’s and more were forced to admit that data had been compromised.

Data breach: Dixons Carphone

When?: July 2017
How many people: 5.9 million payment cards
What happened?: Dixons Carphone revealed 5.9 million payment cards and 1.2 million personal data records were stolen in 2017. The cards haven’t been used maliciously as most of them were protected by chip and PIN. Names, addresses and email addresses of more than one million people were also taken in the breach.

Fined: University of Greenwich

When?: 2004
How much: £120,000
What happened?: The UK’s University of Greenwich exposed 19,500 student details – including names, addresses, phone numbers, signatures, health conditions, and dates of birth – through an insecure training website. The details were first published in 2004 but the Information Commissioner’s Office hit the university with a £120,000 fine.

Fined: Yahoo!

When?: April – June
How much: $35m
What happened?: Following Yahoo!’s colossal data breach in 2014 where billions of usernames, email addresses, phone numbers, birthdates, passwords, security questions were taken, regulators have hit the firm with fines. The US Securities and Exchange Commission slapped the firm, now called Altaba, with a $35 million fine in April. The UK’s data protection watchdog also fined it £250,000.

Data breach: MyFitnessPal

When?: February 2018
How many people: 150 million
What happened?: In March, sports retailer Under Armour revealed that the usernames, email addresses, and passwords of 150 million users of its fitness app MyFitnessPal were stolen from its systems, although the passwords were encrypted.

Data breach: Equifax

When?: 2017
What’s new?: More victims
What happened?: In one of the worst data breaches of all time, Equifax lost the data of 145 million US citizens. It’s since emerged that another 2.4 million Americans also lost their data. Equifax said the data breach cost it $114m and separate investigations are still ongoing.

Data breach: Facebook

When?: 2014
Who’s responsible: Cambridge Analytica
What happened?: The birth of Facebook’s biggest scandal. The Guardian reported more than 50 million people (this later rose to more than 100 million) had data harvested for data profiling company Cambridge Analytica. Facebook found out in 2015 but the details didn’t fully come to light until this year. The data was harvested through a quiz app that collected people’s personal information; it was then shared beyond the original researchers who had created the app.

Data breach: OnePlus

When?: Between mid-November 2017 and January 11, 2018
How many?: 40,000 people
What happened?: The Chinese smartphone manufacturer admitted in January that 40,000 of its customers had data lost after a “malicious script was injected into the payment page code” of its website. The script collected people’s payment data and returned it to unknown attackers. Credit card numbers, expiry dates, and security codes entered at may have been compromised, the company said.

Data breach: Strava

When?: January
What happened?: The huge public map of workouts from fitness company Strava revealed the locations of military personnel and their movements. In rural locations heatmap data could show how people operated around military bases, plus it was possible to discover the names and heart-rates of individuals inside highly secretive bases.

Fined: Carphone Warehouse

When: August 2015
How Much?: £400,000
What happened?: The UK’s data protection regulator, the Information Commissioner’s Office (ICO), hit Carphone Warehouse with a £400,000 fine after the details of three million customers were accessed in 2015. The ICO said there were “rudimentary” security flaws that allowed information to be accessed.

Data breach: US Homeland Security

When?: Between 2002-2014
Who’s responsible?: Unknown, but not a “cyber attack by external actors”
What happened?: On January 3, 2018, the US Department of Homeland Security told 247,167 of its employees there had been a “privacy incident” with one of its databases for those that worked there in 2014. During the period of 2002-2014, an undisclosed number of people who were being investigated were also affected by the data loss. The lost information includes names, social security numbers and staff job roles. Officials first discovered the breach in May 2017 but took time to confirm it.

Data breach: Aadhaar

When?: January 3, 2018
Who’s responsible?: Former employees
What happened?: India’s giant one billion person public database has been compromised. The Tribune newspaper reported former staff members provided access to names, email addresses and phone numbers.

Damage to American Airlines plane from hail storm – emergency landing



An American Airlines flight en route to Phoenix from San Antonio on Sunday made an emergency landing in El Paso due to “damage sustained by weather” during the flight, Fox 4 News reported.

Flight 1897 left San Antonio International Airport at 6:57 p.m. and landed safely at 8:03 p.m. MT, the airline confirmed. The Airbus A319 had 130 passengers and five crew members.

Jesus Esparza, a passenger on the plane, described a chaotic scene to KENS 5.

Esparza said passengers observed lightning outside their windows during the flight and said it sounded like the plane was being pelted with hail. He said at one point it dropped “like a rollercoaster.”

He said some passengers gasped and he had to let a passenger behind him use his sickness bag because the person already used their bag.