BBM messages are encrypted end-to-end. However, BBM messages sent through the BlackBerry Internet Services (BIS) network (i.e. via your carrier) are encrypted using a RIM possessed by RIM. That means, that if/when required, they can be subpoenaed and asked for those messages.
The same is not true for BBM messages sent via the BlackBerry Enterprise Server (BES). Those are also encrypted, but using a key possessed only by your company's IT department. That means that if someone wants to read you messages, they have to subpoena your company. RIM can't help them, at all.
I'm not sure what happens when a BlackBerry connected via BES sends a BBM to a person using BIS, or even another BES network. Either decryption and re-encryption occur, or it reverts back to using RIM's private key. But it would be safe to assume that BBM messages sent within your own company's BES network are safe and secure.
The same is not true for BBM messages sent via the BlackBerry Enterprise Server (BES). Those are also encrypted, but using a key possessed only by your company's IT department. That means that if someone wants to read you messages, they have to subpoena your company. RIM can't help them, at all.
I'm not sure what happens when a BlackBerry connected via BES sends a BBM to a person using BIS, or even another BES network. Either decryption and re-encryption occur, or it reverts back to using RIM's private key. But it would be safe to assume that BBM messages sent within your own company's BES network are safe and secure.